What is ACME PKI?

Many organizations continue to use antiquated methods to manage and track certificates. Common methods include tracking certificates in spreadsheets, text documents, and ticketing solutions. These methods are not only time consuming, taking hours or days to provision or renew certificates, they can also lead to security and compliance issues. The lack of an alerting mechanism or management interface can lead to systems outages that are otherwise easily avoidable.

»What is ACME?

PKI, or public key infrastructure, has evolved to include powerful protocols to resolve many of these certificate management issues. One such protocol is Automated Certificate Management Environment protocol (ACME).

ACME is a protocol for automating certificate lifecycle management of certificates issued by a Certificate Authority (CA) to clients such as company servers, devices, etc. Expanded use of certificates, including TLS to secure applications, services, and databases increases the burden and operational risk associated with manual certificate management. The ACME protocol solves many of these risks by enabling security and platform teams to:

• Automate the management of certificate domains
• Provision trusted certificates
• Monitor certificate expiration

Additionally, ACME supports the automated renewal or revocation of certificates based on an organization's security policy. Leveraging ACME instead of manual certificate management not only improves your organization's security posture but reduces the risk of system outages caused by human error.

The ACME protocol also addresses a situation known as certificate authority (CA) lock-in. CA lock-in occurs when an organization has a significant dependency on a single CA. This limits an organization's ability to quickly switch CAs if something happens to their current CA, such as a data compromise or outage. ACME is a popular protocol adopted by many CAs, including HashiCorp Vault, that makes certificate migration or the selection of a backup CA provider much easier.

»Why use ACME?

The primary rationale for adopting ACME is the simplification and automation it provides organizations to manage the complexities of modern certificate management. IT teams rely on ACME to help manage their certificate needs because:

• ACME is an open standard
• It is considered a best practice when if comes to PKI and TLS security posture
• It has ongoing community-based enhancements and support
• It has reduced IT costs for organizations
• It increases organizational agility by adding and supporting backup CAs

»HashiCorp Vault and ACME

HashiCorp Vault is a platform for identity-based security and secrets and certificate lifecycle management. Vault introduced support for the ACME protocol as part of the June 2023 1.14 release to help customers automate certificate lifecycle management using industry-standard tooling for private PKI needs, eliminating dependency on manual processes or alternate products. Standard ACME clients, such as Certbot, the CNCF's Kubernetes cert-manager, can automate certificate requests from Vault without users needing to know Vault APIs or auth mechanisms. To learn more about how to use ACME on HashiCorp Vault, check out our tutorial on how to Enable ACME with PKI secrets engine.

In the coming months HashiCorp plans to release a series of informational blogs and white papers focusing on PKI adoption and best practices. To learn more about Vault and data protection, visit our Vault features page.