
Configure ACMEv2 server connection in CyberArk Certificate Manager - SaaS

Use this procedure to create an ACMEv2 server in Certificate Manager - SaaS. An ACMEv2 server lets ACME-compatible clients request certificates from Certificate Manager - SaaS by using the ACME protocol.

Before you begin

You need the following before you create an ACMEv2 server:

  • A Certificate Manager - SaaS account with Integration Administrator permissions.
  • At least one configured Application and Issuing Template.

    Note

    Certificates issued through ACMEv2 servers require user-generated CSRs that are associated with the selected application.

  • Optional. A Certificate Tag, if your organization uses tags to categorize certificates.

Important

All ACMEv2 servers require External Account Binding (EAB) for client registration. ACME clients must present valid EAB credentials, a Key ID and an HMAC key, when they create an account; an account request without a valid binding is rejected.

Overview

Certificate Manager - SaaS supports the Automatic Certificate Management Environment (ACME) protocol as defined in RFC 8555. The ACME protocol enables automated certificate enrollment.

With an ACMEv2 server, you can:

  • Create an ACME endpoint for your organization.
  • Allow ACME clients that support EAB to request certificates from Certificate Manager - SaaS.
  • Issue certificates based on applications and issuing templates so that certificate requests follow defined policies.

For information about how certificate requests are evaluated, issued, and managed when using an ACMEv2 server, see ACME server overview.

Step 1: Create an ACMEv2 server

  1. Sign in to Certificate Manager - SaaS.
  2. In the Certificate Manager - SaaS console, select Configurations > ACME Servers.
  3. Select New.
  4. Enter a Name for the ACMEv2 server.
  5. Select an Application. For more information, see Create an application.
  6. Select an Issuing Template. For more information, see Creating issuing templates.

    Note

    Issuing templates that do not allow CSRs do not appear in the Issuing Template list.

  7. Optional. Select a Certificate Tag.

  8. Select Create.

Step 2: Configure the ACMEv2 client connection

After you create the ACMEv2 server, configure your ACME client by using the connection details provided in Certificate Manager - SaaS.

Each ACME client has its own configuration process, but all clients require the same core values.

  1. Copy the following values from Certificate Manager - SaaS:

    • ACME Directory URL. The endpoint the client uses to discover supported ACME operations.
    • EAB Key ID (KID). Identifies the External Account Binding key.
    • EAB HMAC Key. A shared secret that authenticates account registration. Protect it as you would any other credential.
  2. Provide these values to your ACME client by following the client documentation.

  3. In Certificate Manager - SaaS, select Done.
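The following is an added example, not code from Certificate Manager - SaaS or from any ACME client. It shows what the three values copied above are used for: per RFC 8555 section 7.3.4, the client wraps its own account public key in a JWS, MACs it with the EAB HMAC key, and tags it with the EAB Key ID, and the server recomputes the MAC to bind the new ACME account to that pre-issued credential. The directory URL, newAccount URL, Key ID, HMAC key and account key below are constructed placeholders.

```python
"""externalAccountBinding (RFC 8555 section 7.3.4): build it as a client, verify it as a server.

Added example; not CyberArk or ACME-client code. All values are constructed.
"""
import base64
import hashlib
import hmac
import json

# Constructed stand-ins for the values shown in the console (assumptions, not real endpoints).
DIRECTORY_URL = "https://acme.example.test/directory"
NEW_ACCOUNT_URL = "https://acme.example.test/acme/new-account"  # taken from the directory's "newAccount"
EAB_KID = "example-kid-0001"


def b64url(data: bytes) -> str:
    """Unpadded base64url, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# The EAB HMAC key is handed out base64url-encoded; this 32-byte key is constructed.
EAB_HMAC_KEY_B64 = b64url(b"\x01" * 32)

# The client's own ACME account key as a public JWK. Only the JWK's bytes matter for the
# binding, so a constructed P-256-shaped JWK is used here instead of a real key pair.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x02" * 32), "y": b64url(b"\x03" * 32)}


def build_eab(kid: str, hmac_key_b64: str, account_jwk: dict, new_account_url: str) -> dict:
    """Client side. Protected header carries alg/kid/url (no nonce), payload is the
    account public key JWK, signature is HMAC-SHA256 over "protected.payload"."""
    protected = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    signing_input = f"{protected_b64}.{payload_b64}".encode()
    mac = hmac.new(b64url_decode(hmac_key_b64), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}


def verify_eab(eab: dict, eab_keys: dict, outer_jwk: dict, new_account_url: str) -> bool:
    """Server side. Look up the HMAC key by kid, check alg and url, recompute the MAC in
    constant time, and require the bound JWK to equal the key that signed the outer
    newAccount JWS, so a stolen EAB cannot be replayed for a different account key."""
    protected = json.loads(b64url_decode(eab["protected"]))
    if protected.get("alg") != "HS256" or protected.get("url") != new_account_url:
        return False
    key_b64 = eab_keys.get(protected.get("kid"))
    if key_b64 is None:  # unknown or deactivated Key ID
        return False
    signing_input = f"{eab['protected']}.{eab['payload']}".encode()
    expected = hmac.new(b64url_decode(key_b64), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    return json.loads(b64url_decode(eab["payload"])) == outer_jwk


def new_account_request(kid: str, hmac_key_b64: str, account_jwk: dict, new_account_url: str) -> dict:
    """The newAccount payload the client then signs with its account key (outer JWS)."""
    return {
        "termsOfServiceAgreed": True,
        "contact": ["mailto:pki@example.test"],  # constructed contact
        "externalAccountBinding": build_eab(kid, hmac_key_b64, account_jwk, new_account_url),
    }


if __name__ == "__main__":
    req = new_account_request(EAB_KID, EAB_HMAC_KEY_B64, ACCOUNT_JWK, NEW_ACCOUNT_URL)
    print(json.dumps(req, indent=2))
    print("server accepts:", verify_eab(req["externalAccountBinding"], {EAB_KID: EAB_HMAC_KEY_B64}, ACCOUNT_JWK, NEW_ACCOUNT_URL))
```

In practice you do not build this yourself: an EAB-capable client takes the three values as configuration (certbot, for instance, via `--server`, `--eab-kid` and `--eab-hmac-key`) and performs the exchange above during account creation. The verification function shows why a wrong HMAC key, an unknown Key ID, a binding lifted from another client's account key, or a URL copied from the wrong server all fail at registration.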

Optional: Deactivate an ACMEv2 server

You can deactivate an ACMEv2 server when it is no longer required.

Warning

Deactivating an ACMEv2 server permanently deactivates all associated ACME accounts.

  1. Sign in to Certificate Manager - SaaS.
  2. In the Certificate Manager - SaaS console, select Configurations > ACME Servers.
  3. Select the ACMEv2 server that you want to deactivate.
  4. Select Deactivate.

ACME protocol limitations

The Certificate Manager - SaaS ACMEv2 server does not support the following ACME protocol features. Check that your client does not depend on them before you rely on it:

  • Automated certificate renewal
  • Certificate revocation using POST /revoke-cert
  • Key rollover using POST /key-change
  • Authorization challenges such as HTTP-01, DNS-01, and TLS-ALPN-01