
Automated application for server certificates via ACME

ACME stands for Automatic Certificate Management Environment and describes a process in which server certificates are renewed automatically. With certificate lifetimes becoming ever shorter, this is becoming unavoidable.


Why ACME?

Problem: The maximum validity period of server certificates is getting shorter and shorter.

The CA/Browser Forum, an association of certification authorities and web browser manufacturers, has published the following roadmap:

From date     Maximum validity
15.03.2026    200 days
15.03.2027    100 days
15.03.2029     47 days

Consequence: Manual renewal will no longer be practical, so automation becomes necessary.

Solution: ACME. Before a certificate expires, an ACME client automatically requests a new certificate from the certificate provider and downloads it. The client can execute scripts via so-called hooks, e.g. to import the new certificate into the respective service and restart that service.

ACME via HARICA

HARICA uses EAB (External Account Binding) to check that the system for which a certificate is requested actually belongs to you. You need an ACME account for this. There is no ACME challenge as there is with Let's Encrypt.

Applying for an ACME account

You can apply for an ACME account informally at the Support Desk.

We need the following information from you:

  • Server/service name: This is required for the internal assignment/description of the ACME account.
  • A list of the domains that are to be assigned to this ACME account.

A separate ACME account is required for each service/server.

Setting up an ACME client

You must set up an ACME client on your server, e.g. Certbot or win-acme.

The ACME client downloads the certificate to the server. It must then be imported into the respective application.

Example call for certbot (values in angle brackets are placeholders for the data we send you and for your own details):

certbot certonly --standalone --agree-tos --email <YOUR_EMAIL> --eab-kid <KEY_ID> --eab-hmac-key <HMAC_KEY> --server <HARICA_ACME_SERVER_URL> --domain <YOUR_FQDN>

We will send you the relevant data. The key ID and the HMAC key are credentials for your ACME account and must not be passed on to anyone else. For some applications, such as Apache, Certbot can install the certificate directly into the application:

certbot --apache --agree-tos --email <YOUR_EMAIL> --eab-kid <KEY_ID> --eab-hmac-key <HMAC_KEY> --server <HARICA_ACME_SERVER_URL> --domain <YOUR_FQDN>

Certbot maintains symlinks to the current private key and certificate files in /etc/letsencrypt/live/<certname>/ (where <certname> is the name of the certificate lineage, by default the first domain). Enter this path in the configuration of your service.

You can store your own scripts under /etc/letsencrypt/renewal-hooks/deploy/. Certbot runs them after every successful renewal; an example would be restarting the service so that the new certificate is used.
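The following deploy hook is an added example written for this page; it is not part of the original instructions and not a script provided by Certbot or HARICA. It shows the pattern described above for a script placed in /etc/letsencrypt/renewal-hooks/deploy/: Certbot exports RENEWED_LINEAGE (the live directory of the renewed certificate) and RENEWED_DOMAINS (the domains it covers) to every hook, and the script copies the key and chain into the service's own directory with restrictive permissions before reloading the service. The directory /etc/myservice/tls, the unit name myservice and the host www.example.org are assumptions; replace them with your own values.

```shell
#!/bin/sh
# Constructed example of a Certbot deploy hook (not from the page or from Certbot).
# Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a
# successful renewal and sets:
#   RENEWED_LINEAGE  - the /etc/letsencrypt/live/<certname> directory
#   RENEWED_DOMAINS  - space-separated domains on the new certificate
# TARGET_DIR, SERVICE_NAME and WANTED_DOMAIN below are assumed placeholder values.

set -eu

TARGET_DIR="${TARGET_DIR:-/etc/myservice/tls}"     # assumed destination directory
SERVICE_NAME="${SERVICE_NAME:-myservice}"          # assumed systemd unit name
WANTED_DOMAIN="${WANTED_DOMAIN:-www.example.org}"  # assumed hostname this hook serves

# Return 0 if the renewed certificate ($1, space-separated domain list) covers
# the domain this hook is responsible for ($2); otherwise return 1.
domain_renewed() {
    for d in $1; do
        [ "$d" = "$2" ] && return 0
    done
    return 1
}

# Copy chain and private key from the lineage directory ($1) into the service
# directory ($2). The key is readable only by its owner. Files are written to a
# temporary name and renamed, so the service never reads a half-written file.
# Returns 1 if either source file is missing or unreadable.
deploy_cert() {
    lineage="$1"
    dest="$2"
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || return 1
    mkdir -p "$dest"
    cp "$lineage/fullchain.pem" "$dest/fullchain.pem.tmp"
    cp "$lineage/privkey.pem" "$dest/privkey.pem.tmp"
    chmod 0644 "$dest/fullchain.pem.tmp"
    chmod 0600 "$dest/privkey.pem.tmp"
    mv "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv "$dest/privkey.pem.tmp" "$dest/privkey.pem"
    return 0
}

# Prefer a reload (no dropped connections); fall back to a restart if the unit
# does not support reloading.
reload_service() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl reload "$1" || systemctl restart "$1"
    fi
}

# Entry point used by Certbot. Exits quietly when the renewed certificate is
# for some other lineage, so one hook per service can coexist in the directory.
main() {
    domain_renewed "${RENEWED_DOMAINS:-}" "$WANTED_DOMAIN" || exit 0
    deploy_cert "$RENEWED_LINEAGE" "$TARGET_DIR"
    reload_service "$SERVICE_NAME"
    logger -t deploy-hook "installed new certificate for $WANTED_DOMAIN into $TARGET_DIR"
}

# Only act when Certbot has set RENEWED_LINEAGE; sourcing the file elsewhere is a no-op.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Save it as, for example, /etc/letsencrypt/renewal-hooks/deploy/myservice.sh and make it executable (chmod 0755). You can exercise it without waiting for a renewal with `certbot renew --dry-run --run-deploy-hooks` (the dry run uses staging certificates, so check the result and then let the next real renewal overwrite them), and inspect the hook's log line with `journalctl -t deploy-hook`.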

Contact us

Locations

Campus H
Hölderlinstraße 3
Level 2

Campus AR
Adolf-Reichwein-Straße 2
Building X

Contact

Phone: +49 (0) 271 740 - 4777
E-mail: support@zimt.uni-siegen.de
