GlobalSign Blog

Simplifying Domain Management and Expanding the Reach of ACME


As digital interactions govern our daily lives, from online communications to data exchange, organizations in every industry face cybersecurity threats. Against that backdrop the value of SSL/TLS certificates has never been greater: they are the foundation for authenticating servers, encrypting data in transit and verifying identity online.

How ACME has Revolutionized Security

The ACME (Automatic Certificate Management Environment) protocol, specified in RFC 8555, automates the certificate lifecycle: a web server or other service proves control over a domain by completing a challenge (for example, serving a token over HTTP or publishing a DNS record) and then requests certificates from a Certificate Authority (CA), achieving the same assurance as conventional manual validation without the manual steps.

While ACME automates domain validation, a challenge is typically completed for every identifier each time a certificate is requested. ACME itself allows a CA to reuse an existing, still-valid authorization, and GlobalSign's service now uses that capability so that organizations can obtain certificates for subdomains without validating each subdomain individually.

GlobalSign’s Improved ACME Service

To better serve our customers, GlobalSign's ACME service leverages the protocol's inbuilt capabilities to remove the requirement for domain validation of subdomains as long as the parent domain has already been validated. For example, if you have successfully validated example.com and later request a certificate for shop.example.com, the request is processed without a separate validation of shop.example.com. Validation reuse remains time-limited under the CA/Browser Forum Baseline Requirements, so the parent domain must be revalidated before its existing validation expires.
 
Read more about our ACME implementation in our Support Article.

Improved User Experience

Increased Efficiency: Whether a domain is validated through the Atlas portal directly or, now, via an ACME challenge, that validation automatically applies to future certificate requests for the same domain and its subdomains.

Improved Scalability: In some environments the CA cannot make the inbound connection to the customer's server that HTTP validation requires (for example because of customer-specific network security rules), and automated DNS validation may not be usable either. In such cases an Atlas administrator can validate the parent (registered) domain via DNS or email, after which ACME can be used in those locations without per-host challenges. Note that domains validated via the HTTP method cannot be used to issue wildcard or subdomain SANs, since an HTTP challenge demonstrates control of a single host rather than of the domain namespace beneath it.
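As an added example (not GlobalSign's or Atlas's own logic), the following Node.js function applies the reuse rule described above to a requested SAN: it matches the SAN against previously validated domains on label boundaries, allows subdomains and wildcards only from DNS- or email-validated parents, and refuses them from HTTP-validated hosts. The record shape, the `reuseDays` window and the sample validations are this example's own assumptions.

```javascript
// A recorded domain validation as a CA might store it after a successful ACME challenge or an
// administrator-initiated DNS/email validation. The shape is this example's own, not Atlas's schema:
//   { domain: 'example.com', method: 'dns-01' | 'http-01' | 'email', validatedAt: Date }

const canon = (name) => name.toLowerCase().replace(/\.$/, '');

// Is `name` equal to `parent` or a subdomain of it? Matched on label boundaries so that lookalikes
// such as "notexample.com" or "example.com.attacker.net" never match "example.com".
function isSameOrSubdomain(name, parent) {
  const n = canon(name), p = canon(parent);
  return n === p || n.endsWith('.' + p);
}

// Decide whether a requested SAN can be issued from an existing validation with no new challenge.
// reuseDays is an operator knob assumed for this example; validation reuse is time-limited by
// CA/Browser Forum policy, but the post does not state GlobalSign's window.
function reuseDecision(san, validations, now, reuseDays = 365) {
  const wildcard = san.startsWith('*.');
  const host = canon(wildcard ? san.slice(2) : san);
  let reason = 'no validated parent domain';
  for (const v of validations) {
    if (!isSameOrSubdomain(host, v.domain)) continue;
    if ((now - v.validatedAt) / 86400000 > reuseDays) { reason = 'validation expired'; continue; }
    // http-01 demonstrates control of one host, not of the names beneath it, so an HTTP-validated
    // domain backs neither wildcards nor subdomains; DNS and email validation of the parent do both.
    if (v.method === 'http-01' && (wildcard || host !== canon(v.domain))) {
      reason = 'http-01 validation cannot cover wildcard or subdomain SANs';
      continue;
    }
    return { ok: true, via: v.domain, method: v.method };
  }
  return { ok: false, reason };
}

function reuseDemo() {
  const now = new Date('2024-06-01T00:00:00Z'); // constructed clock for the example
  const validations = [ // constructed records
    { domain: 'example.com', method: 'dns-01', validatedAt: new Date('2024-01-15T00:00:00Z') },
    { domain: 'www.example.net', method: 'http-01', validatedAt: new Date('2024-05-01T00:00:00Z') },
    { domain: 'old.example', method: 'email', validatedAt: new Date('2022-01-01T00:00:00Z') },
  ];
  const decide = (san) => reuseDecision(san, validations, now);
  return {
    subdomainViaDns: decide('shop.example.com').ok,       // true: parent validated by dns-01
    wildcardViaDns: decide('*.example.com').ok,           // true
    lookalike: decide('notexample.com').ok,               // false: label boundary, not a substring match
    suffixTrick: decide('example.com.attacker.net').ok,   // false
    httpExactHost: decide('www.example.net').ok,          // true: the very host that served the token
    httpSubdomain: decide('api.www.example.net').reason,  // http-01 cannot cover subdomains
    expired: decide('mail.old.example').reason,           // too old to reuse
  };
}

console.log(reuseDemo());
```

The label-boundary check is the part most often got wrong in home-grown implementations: a plain `endsWith('example.com')` would let an attacker who validated `notexample.com` obtain nothing, but would let a CA bug treat `notexample.com` as covered by `example.com`.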

Additional Enhancements

In addition to expanding domain validation reuse, GlobalSign has made two other recent enhancements to its ACME service:

ACME Nonce

An ACME nonce is a single-use random value that the server issues and the client must include in the protected header of every signed request; the server accepts each nonce only once, which prevents replay attacks (an adversary resending a previously captured, validly signed request). Previously GlobalSign's ACME server stored nonce values in its own local memory, so they could not be shared across multiple server instances: a request carrying a nonce issued by one instance would be rejected by another, which meant an overloaded server could not hand work to other servers and could introduce response delays and failures. GlobalSign has moved nonce storage into a key-value server that all ACME server instances share, so the service can now be scaled horizontally to balance load and handle more requests than ever before.

ACME KeyChange

If a customer's ACME account key was compromised, or suspected of being compromised, the only option used to be to deactivate the account, create a new one and re-register the client with the ACME server. With the ACME KeyChange (account key rollover) feature, customers can now replace the public key linked to their account in a single signed request. The feature is implemented in accordance with RFC 8555 (section 7.3.5) and Google's Chrome Root Program Policy.

Keep up to date with GlobalSign's ACME service and new developments, and find out more about how we can help you prioritize cybersecurity across your organization.
