
Configure ACMEv2 server connection in CyberArk Certificate Manager - SaaS

Use this procedure to create an ACMEv2 server in Certificate Manager - SaaS.

Use Certificate Manager - SaaS to create an ACMEv2 server that allows ACME-compatible clients to request certificates by using the ACME protocol.

Before you begin

You need the following before you create an ACMEv2 server:

  • A Certificate Manager - SaaS account with Integration Administrator permissions.
  • At least one configured Application and Issuing Template.

    Note

    Certificates issued through ACMEv2 servers require user-generated CSRs that are associated with the selected application.

  • Optional. A Certificate Tag, if your organization uses tags to categorize certificates.

Important

All ACMEv2 servers use External Account Binding (EAB) for client registration.
ACME clients must provide valid EAB credentials, including a Key ID and HMAC key, when creating an account.

Overview

Certificate Manager - SaaS supports the Automatic Certificate Management Environment (ACME) protocol as defined in RFC 8555. The ACME protocol enables automated certificate enrollment.

With an ACMEv2 server, you can:

  • Create an ACME endpoint for your organization.
  • Allow ACME clients that are compatible with EAB to request certificates from Certificate Manager - SaaS.
  • Issue certificates based on applications and issuing templates so that certificate requests follow defined policies.

How certificate requests work with ACMEv2 servers

This section explains how certificate requests are evaluated and issued when you use an ACMEv2 server.

ACME client interaction model

Certificate Manager - SaaS uses ACME with External Account Binding (EAB) only.

ACME clients that are compatible with EAB, such as Lego or cert-manager, can connect to the ACMEv2 server and submit CSRs.

Certificate issuance does not require domain ownership validation. ACME challenge types such as HTTP-01, DNS-01, and TLS-ALPN-01 are not used. Certificates are issued based on the configured application and issuing template.

Certificate lifecycle behavior

Certificates issued by an ACMEv2 server are currently not renewed through the ACME renewal workflow.
To obtain a new certificate, the client submits a new certificate order and CSR.

Key type requirements

The issuing template controls which key types are allowed.

If your ACME client is configured to use Elliptic Curve (EC) keys, the issuing template must allow EC key types.
Certificate requests must use a key type that is permitted by the issuing template.

Certificate validity handling

Issuing templates define the allowed certificate validity range.

  • If a request specifies a validity period outside the allowed range, the request is rejected.
  • If a request does not specify a validity period, the issuing template default validity settings apply.

Private key handling

When you use user-generated CSRs, Certificate Manager - SaaS does not enforce private key reuse restrictions.
You are responsible for generating and managing private keys according to your security requirements.

Private key reuse enforcement applies only when Certificate Manager - SaaS generates the private key.

Viewing ACME certificate orders

You can view all certificate orders submitted through an ACMEv2 server in Certificate Manager - SaaS.

In the Certificate Manager - SaaS console, go to Settings, then select ACME Orders to review submitted orders and their status.

Step 1: Create an ACMEv2 server

  1. Sign in to Certificate Manager - SaaS.
  2. In the Certificate Manager - SaaS console, select Configurations > ACME Servers.
  3. Select New.
  4. Enter a Name for the ACMEv2 server.
  5. Select an Application. For more information, see Create an application.
  6. Select an Issuing Template. For more information, see Creating issuing templates.

    Note

    Issuing templates that do not allow CSRs do not appear in the Issuing Template list.

  7. Optional. Select a Certificate Tag.

  8. Select Create.

Step 2: Configure the ACMEv2 client connection

After you create the ACMEv2 server, configure your ACME client by using the connection details provided in Certificate Manager - SaaS.

Each ACME client has its own configuration process. All clients require the same core values.

  1. Copy the following values from Certificate Manager - SaaS:

    • ACME Directory URL. The endpoint the client uses to discover supported ACME operations.
    • EAB Key ID (KID). Identifies the External Account Binding key.
    • EAB HMAC Key. A shared secret that authenticates account registration.
  2. Provide these values to your ACME client by following the client documentation.

  3. In Certificate Manager - SaaS, select Done.
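The three values copied in this step are consumed by the client during account creation: the directory URL is fetched to discover the newAccount endpoint, and the Key ID and HMAC key are used to build the externalAccountBinding JWS that RFC 8555 section 7.3.4 defines. The following Python is an added worked example, not CyberArk's code or any client's code: it parses a constructed directory document, builds the EAB object exactly as an ACME client would, and then performs the check a server performs on receipt (look up the HMAC key by KID, recompute the MAC, and confirm the bound payload is the account key). The directory URLs, the account JWK, the KID and the HMAC key are all constructed sample values.

```python
"""EAB account binding as used by EAB-only ACME servers (added example).

Everything below (URLs, KID, HMAC key, account JWK) is constructed sample
data; real values come from the Certificate Manager - SaaS console.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Unpadded base64url encoding as required by JWS/ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed stand-in for the JSON served at the ACME Directory URL.
SAMPLE_DIRECTORY = {
    "newNonce": "https://acme.example.invalid/new-nonce",
    "newAccount": "https://acme.example.invalid/new-account",
    "newOrder": "https://acme.example.invalid/new-order",
    "meta": {"externalAccountRequired": True},
}

# Constructed EAB credentials (the console supplies the real ones).
SAMPLE_KID = "sample-kid-0001"
SAMPLE_HMAC_KEY = b64url(b"constructed-sample-hmac-key-not-a-real-secret")

# Constructed account public key; a real client uses its own ACME account key.
SAMPLE_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "sample-x", "y": "sample-y"}


def check_directory(directory: dict) -> dict:
    """Extract what a client needs and report which optional endpoints exist."""
    for key in ("newNonce", "newAccount", "newOrder"):
        if key not in directory:
            raise ValueError(f"directory is missing required endpoint {key}")
    meta = directory.get("meta", {})
    return {
        "new_account_url": directory["newAccount"],
        "eab_required": bool(meta.get("externalAccountRequired", False)),
        # Absent on servers that do not offer revocation / key rollover.
        "supports_revoke": "revokeCert" in directory,
        "supports_key_change": "keyChange" in directory,
    }


def _canon(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def build_eab(account_jwk: dict, kid: str, hmac_key_b64url: str, new_account_url: str) -> dict:
    """Client side: HS256 JWS over the account JWK, keyed with the EAB HMAC key."""
    protected_b64 = b64url(_canon({"alg": "HS256", "kid": kid, "url": new_account_url}))
    payload_b64 = b64url(_canon(account_jwk))
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}


def new_account_request(contact: list, eab: dict) -> dict:
    """Body of the newAccount POST; the EAB object is embedded here."""
    return {"contact": contact, "termsOfServiceAgreed": True, "externalAccountBinding": eab}


def verify_eab(eab: dict, outer_account_jwk: dict, known_keys: dict, expected_url: str) -> bool:
    """Server side: the binding is valid only if the KID is known, the MAC
    matches, the url equals the newAccount URL, and the bound key is the
    same key that signed the outer newAccount JWS."""
    try:
        protected = json.loads(b64url_decode(eab["protected"]))
        bound_jwk = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, ValueError):
        return False
    if protected.get("alg") != "HS256" or protected.get("url") != expected_url:
        return False
    key = known_keys.get(protected.get("kid"))
    if key is None:
        return False
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(key), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False
    return bound_jwk == outer_account_jwk


if __name__ == "__main__":
    info = check_directory(SAMPLE_DIRECTORY)
    eab = build_eab(SAMPLE_ACCOUNT_JWK, SAMPLE_KID, SAMPLE_HMAC_KEY, info["new_account_url"])
    print(json.dumps(new_account_request(["mailto:pki@example.invalid"], eab), indent=2))
    print("binding verifies:", verify_eab(eab, SAMPLE_ACCOUNT_JWK, {SAMPLE_KID: SAMPLE_HMAC_KEY}, info["new_account_url"]))
```

The comparison of the bound JWK against the outer account key is the step that makes EAB useful: it ties the HMAC-protected registration to one specific ACME account key, so a captured binding cannot be replayed to register a different key. Lego passes the same three values with its `--server`, `--eab`, `--kid` and `--hmac` options, and cert-manager takes them in the issuer's externalAccountBinding settings; consult the client documentation for the exact form.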

Optional: Deactivate an ACMEv2 server

You can deactivate an ACMEv2 server when it is no longer required.

Warning

Deactivating an ACMEv2 server permanently deactivates all associated ACME accounts.

  1. Sign in to Certificate Manager - SaaS.
  2. In the Certificate Manager - SaaS console, select Configurations > ACME Servers.
  3. Select the ACMEv2 server that you want to deactivate.
  4. Select Deactivate.

ACME protocol limitations

The Certificate Manager - SaaS ACMEv2 server does not support the following ACME protocol features:

  • Automated certificate renewal
  • Certificate revocation using POST /revoke-cert
  • Key rollover using POST /key-change
  • Authorization challenges such as HTTP-01, DNS-01, and TLS-ALPN-01