ACME (Automatic Certificate Management Environment, RFC 8555) is an internet protocol designed to enable enterprises to communicate with a Certificate Authority (CA) and automate the lifecycle of TLS certificates. This no-touch environment enables certificate issuance at low cost and high speed. The power of ACME lies in the communication between an ACME client requesting a certificate and an ACME server operated by a CA, like GlobalSign, which together automate key certificate lifecycle management (CLM) functions.
In this blog, we will explore the latest update to GlobalSign’s ACME service: issuing IntranetSSL certificates for internal domains.
Evolution of the ACME Protocol
The ACME protocol has changed significantly since its inception. Originally developed to streamline the issuance and management of TLS certificates, ACME has evolved to address the growing challenges businesses face around scalability, security, and agility. Support for shorter certificate lifespans, improved automation capabilities, and integration with emerging technologies like containerization and cloud computing enable organizations to stay ahead of evolving security threats and compliance requirements.
GlobalSign’s ACME Solution – Recent Updates and Enhancements
Adapting to changing security requirements is a must for organizations to remain compliant and secure. GlobalSign’s recent updates to its ACME service include subdomain validation re-use, support for the ACME KeyChange endpoint, and internal ACME Nonce updates. We have since continued work to enhance our ACME service and are pleased to introduce support for internal domain certificates via ACME on our IntranetSSL product line.
What Does This Mean?
With the introduction of this feature, GlobalSign is unlocking a capability that hasn’t been easily available to organizations before: the ability to issue certificates via ACME for internal and private domains using unofficial domain suffixes, such as .internal or .lan. Organizations might use these internal domains for development networks or other non-production environments; they are also leveraged for private device networks and Active Directory domains (though recommended practice for AD domains is to use a subdomain of a publicly registered domain controlled by your organization).
ACME challenges typically rely on public DNS to look up a TXT record (dns-01) or to resolve the address of a server the CA then connects to (http-01). However, no public DNS exists for unofficial domain suffixes, so until now this presented a barrier to issuance. Removing it is a game changer for organizations looking to automate certificate management and adopt better PKI agility in business-critical areas.
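To make the dependency on public DNS concrete, here is an added example (not GlobalSign’s code or any ACME client’s) that builds the challenge material an ACME client publishes and the check a CA’s validator performs once it has looked that material up, per RFC 8555 and the RFC 7638 JWK thumbprint. The account key, token and the list of non-public suffixes are constructed sample values for this example; a CA can only complete http-01 or dns-01 against a name that resolves in public DNS, which is exactly what names under .internal or .lan lack.

```python
"""ACME challenge material (RFC 8555, RFC 7638) and a public-DNS feasibility check.
Added example; not GlobalSign code. Sample key, token and suffix list are constructed."""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required members only, lexicographic order, no whitespace,
    SHA-256 of the UTF-8 bytes, base64url. Optional members (kid, use) are ignored."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint of the ACME account public key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_resource(token: str, account_jwk: dict) -> tuple:
    """Path and body the CA fetches over plain HTTP for an http-01 challenge."""
    return (f"/.well-known/acme-challenge/{token}",
            key_authorization(token, account_jwk))


def dns01_record_name(fqdn: str) -> str:
    """Owner name of the TXT record the CA queries for a dns-01 challenge."""
    return f"_acme-challenge.{fqdn.rstrip('.')}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT record value: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def validate_dns01(observed_txt: str, token: str, account_jwk: dict) -> bool:
    """What the CA does after its DNS lookup: compare in constant time."""
    return hmac.compare_digest(observed_txt, dns01_txt_value(token, account_jwk))


# Assumption for this example: suffixes with no public DNS delegation. .internal,
# .local and .localhost are reserved; .lan, .corp and .home are common informal picks.
NON_PUBLIC_SUFFIXES = frozenset({"internal", "lan", "local", "localhost", "home", "corp"})


def public_challenge_possible(fqdn: str) -> bool:
    """A CA can only run http-01/dns-01 against a name it can resolve in public DNS."""
    labels = fqdn.rstrip(".").lower().split(".")
    return len(labels) >= 2 and all(labels) and labels[-1] not in NON_PUBLIC_SUFFIXES


# Constructed sample ACME account key (P-256 public JWK shape) and challenge token.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256", "kid": "acct-1",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}
SAMPLE_TOKEN = "hJ1zYQ2pQm3RtqW8cNf7vXeLk9bT0aUd"


if __name__ == "__main__":
    for name in ("www.example.com", "app.internal", "printer.lan"):
        ok = public_challenge_possible(name)
        print(f"{name}: public challenge {'possible' if ok else 'impossible (no public DNS)'}")
        if ok:
            print("  http-01:", *http01_resource(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
            print("  dns-01 :", dns01_record_name(name), "TXT",
                  dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

The suffix check is a policy heuristic, not a substitute for the CA’s real validation; its point is that for the non-public names the post discusses, neither challenge type can ever succeed from the CA’s side, which is why issuance for those names has to rest on a different control than a public-DNS challenge.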
Why Is It Important?
Securing endpoints on internal domains is essential: they handle sensitive information and internal communications, and must be safeguarded from supply chain attacks among other threats and vulnerabilities. GlobalSign has enabled its robust IntranetSSL product to be provisioned automatically via the ACME protocol to secure intranet/non-public domains.
By automating the deployment and renewal of non-public TLS certificates, organizations can ensure that private endpoints maintain encryption standards and meet internal compliance mandates, preventing unauthorized access, data breaches, and potential disruptions to internal operations.
We recognize the importance of the privacy and security of internal networks. Private hierarchies like IntranetSSL are not subject to the compliance mandates of publicly trusted certificates; as such, certificates issued through this hierarchy are not published to CT logs, keeping your internal domains private. Further, since we can skip the domain challenge for internal domains, all certificate requests from the ACME client are outbound from your network, so there is no need to open the firewall inbound for domain challenges; when the cert is issued, the ACME client will download it!
Benefits of Provisioning IntranetSSL Through ACME
Centralized Management: Leveraging the ACME protocol’s inbuilt capabilities and GlobalSign’s recent updates allows for centralized management of both public and private certificates. Using the same processes to manage certificates across all endpoints simplifies administration and reduces the risk of breaches.
Compliance: Organizations can enforce consistent security policies and compliance standards. No longer must organizations rely on internal personnel creating self-signed trust chains to protect vital internal endpoints. Organizations can now share the load with a trusted CA that has the industry knowledge and expertise to issue non-public certificates to suit non-public use cases.
Scalability: GlobalSign’s ACME service provides scalable certificate management capabilities, allowing organizations to efficiently manage certificates for any number of private endpoints, and grow and customize their solution as their infrastructure grows and matures.
Provisioning IntranetSSL certificates automatically through ACME enhances operational efficiency and improves security posture, easing the burden on security teams.