ACME server with wildcard certificate and custom CA certificate

Hello!

I am new to acme server and looking for possible solution.

We have a public wildcard certificate issued by Digicert and other authorities, and we have around 70 servers that have a wildcard certificate like *.mycompanyname.com.
We want to automate the process of installing the wildcard certificate on Unix and Windows servers.

Does setting up an ACME server provide this facility? As per my understanding, setting up an ACME server will create a private CA and you can only issue certificates from this CA.

I want to host a few certificates on the ACME server and then I want my clients to fetch them when they are about to expire.

Thanks for your input in this issue.

If you want your certificates to be publicly trusted then you have to use a public ACME CA such as Let's Encrypt (there are also enterprise ACME options from Digicert and Sectigo etc.).

If you just set up your own ACME CA, the certificates themselves will normally not be trusted unless you import the custom CA's public root certificate into the trust store of the devices that need to trust the certificates from that CA.

Regarding your choice of ACME client, you can use different ACME clients for different situations, e.g. Windows vs. Linux, and you can vary how you actually deploy the certificates you acquire (e.g. acquire your certificates on one machine and deploy them to other machines using custom processing).


Thanks for your reply.
Let's take an example.

I have a wildcard certificate issued by Digicert. Now I have to install this wildcard certificate on 70 servers. All these servers already have the Digicert CA installed.

Now I want to push this wildcard certificate to all 70 servers in an automated way rather than logging in to these servers and installing it manually.

If I set up an ACME server and just place the wildcard certificate on it and then tell my client to fetch it from the ACME server, will it work this way?


That's not the purpose of ACME, and also, why not script something around scp, for example?


If you mean setting up an off-the-shelf ACME server like Smallstep, Boulder, or Pebble, no, because they'll all try to perform validation before issuing a new cert, at which point they'd issue a new cert, not just send over a copy of the cert they already have stored. I guess you could code up a custom ACME-like server, where validation would always succeed and it would just return with the cert that's already been issued, but it'd be much less work to either (1) script something on the server to deploy the cert to the 70 client machines, or (2) script something on the client machines to periodically grab a new cert from the server.

ACME has nothing to do with automating deployment of certs; it's all about automating issuance of certs. Your cert, in your scenario, is already issued, so ACME really isn't the right tool for the job.


OK. I read that the ACME server is a standalone CA and provides automated functionality, but I thought to double-check whether it is possible to deliver a third-party certificate to servers via it.
I am searching the internet for some script, but so far Google search is not helping.

Basically, if you want to stick with Digicert's proprietary setup, it's probably easiest to use their automation system for distributing their certificates.

If you want to switch to ACME (whether using Digicert's ACME endpoint or some other CA's services like Let's Encrypt), then there may be an ACME client that helps you, but it will probably involve some level of custom integration. They basically all support running custom scripts after getting a certificate. It may be easier to run one setup on Windows for your Windows servers and another on *nix for your *nix servers.

It may end up being easier for each of your servers to get separate certificates rather than all sharing them; having 70 systems all share the same certificate is a bit unusual, though you may have good reasons for it. But you may want to take this time to look more holistically at what you're trying to do, and what architecture makes the most sense for that. If you give more details about your setup and why you're trying to have them all use the same certificate, it may be that people here could give more specific advice.


Not if you're used to paying for your wildcard!

@capricorn800 Distributing a cert to machines is one thing, but deploying that cert into individual services is often a little more complex, especially if it's not just copying a file somewhere. Often services need to be restarted, and on Windows certs often need to be installed in the machine certificate store and binding updates made in the registry. Certs also often need to be converted or transformed to be used (Java key stores etc.).

As there are hundreds of thousands of different services a cert can be used with, there is no single way to deploy a certificate, as each service can decide its own requirements. Perhaps one day we will see some standardization there. Most existing ACME tools are at most designed to update certs in Apache and nginx, and even then with limitations.

As well as using ACME as part of a solution, you could also look at using secrets vaults (HashiCorp Vault, Azure Key Vault etc.) where you would store a cert, then machines/services would regularly pull the latest version of (only) the cert they require and apply it themselves. The benefit of this is that it separates the process of acquiring a renewed certificate (simple) from actually using it (complex).

In general it's considered bad practice to distribute a wildcard because that also means distributing the single private key associated with that, and the more places you distribute to the more likely for the key to be eventually compromised (triggering revocations and renewal/re-deployment everywhere). It's easy to just not care about that, but you will definitely care if the day comes when you need to revoke.

As a long term strategy you should aim for certificate issuance for each individual service name instead of a mass-deployed wildcard, which also means you can monitor who/what is using certs and why.

We are actually developing something very much along the lines of what you require as a product for https://certifytheweb.com but at this stage I don't expect it to be available until next year. As @petercooperjr suggests you should perhaps investigate solutions provided by your current vendor.

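The two approaches suggested in this thread, a script on each host that periodically grabs the current cert (or a post-issuance hook that pushes it out), and the vault-pull model where each machine fetches only the cert it needs and applies it itself, share the same decision logic at the receiving end. The following is an added example of that logic in Go, written for this page and not taken from any of the products, CAs or vaults mentioned above. It assumes the fetched material arrives as a PEM cert (leaf first) plus a PEM private key; the transport (scp, a vault API, an ACME client's deploy hook) is out of scope, and the `SelfSigned` helper only manufactures throwaway test material so the example runs offline. Before anything is written it checks that the key actually matches the cert, that the cert is inside its validity window, and that it differs from what is installed, so a service is only reloaded when something really changed; the key is written at 0600 and swapped in by rename so a half-written or world-readable key is never observable.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// Decision is what the pull agent or deploy hook acts on: reload the service
// only when Changed is true; log Fingerprint so you can audit which cert is where.
type Decision struct {
	Changed     bool
	Fingerprint string // hex SHA-256 over the DER leaf certificate
	NotAfter    time.Time
}

// Fingerprint returns the hex SHA-256 digest of a DER-encoded certificate.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// leafOf parses the first certificate in a PEM bundle (chain certs may follow it).
func leafOf(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// ShouldApply decides whether a freshly fetched cert/key pair should replace
// what is installed. installedPEM may be nil on a host that has no cert yet.
func ShouldApply(installedPEM, fetchedCertPEM, fetchedKeyPEM []byte, now time.Time) (Decision, error) {
	// tls.X509KeyPair fails when the private key does not match the cert's public
	// key, which catches a cert and key copied from two different renewals.
	if _, err := tls.X509KeyPair(fetchedCertPEM, fetchedKeyPEM); err != nil {
		return Decision{}, fmt.Errorf("cert/key mismatch or unparsable: %w", err)
	}
	leaf, err := leafOf(fetchedCertPEM)
	if err != nil {
		return Decision{}, err
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return Decision{}, fmt.Errorf("fetched cert not valid at %s (valid %s to %s)",
			now.Format(time.RFC3339), leaf.NotBefore.Format(time.RFC3339), leaf.NotAfter.Format(time.RFC3339))
	}
	d := Decision{Changed: true, Fingerprint: Fingerprint(leaf.Raw), NotAfter: leaf.NotAfter}
	if cur, err := leafOf(installedPEM); installedPEM != nil && err == nil && Fingerprint(cur.Raw) == d.Fingerprint {
		d.Changed = false // identical cert already in place: no write, no reload
	}
	return d, nil
}

// Install writes the pair atomically: temp file in the same directory, then rename.
// The key is created 0600 so it is never world-readable, even for an instant.
func Install(dir string, certPEM, keyPEM []byte) error {
	write := func(name string, data []byte, mode os.FileMode) error {
		tmp := filepath.Join(dir, "."+name+".tmp")
		if err := os.WriteFile(tmp, data, mode); err != nil {
			return err
		}
		return os.Rename(tmp, filepath.Join(dir, name))
	}
	if err := write("privkey.pem", keyPEM, 0o600); err != nil {
		return err
	}
	return write("fullchain.pem", certPEM, 0o644)
}

// SelfSigned builds a throwaway cert/key pair for the demonstration only (constructed
// test material); in real use the pair comes from the vault or the ACME client.
func SelfSigned(cn string, notBefore, notAfter time.Time) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}

func main() {
	now := time.Now()
	oldCert, oldKey, _ := SelfSigned("*.example.com", now.Add(-300*24*time.Hour), now.Add(30*24*time.Hour))
	newCert, newKey, _ := SelfSigned("*.example.com", now.Add(-time.Hour), now.Add(365*24*time.Hour))
	dir, _ := os.MkdirTemp("", "certdeploy")
	defer os.RemoveAll(dir)
	_ = Install(dir, oldCert, oldKey)
	// Same cert again, a renewed pair, and a renewed cert with the wrong key.
	for _, f := range [][2][]byte{{oldCert, oldKey}, {newCert, newKey}, {newCert, oldKey}} {
		d, err := ShouldApply(oldCert, f[0], f[1], now)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		if d.Changed {
			_ = Install(dir, f[0], f[1])
		}
		fmt.Printf("changed=%v fingerprint=%s... expires=%s\n", d.Changed, d.Fingerprint[:16], d.NotAfter.Format("2006-01-02"))
	}
}
```

Run as-is it installs the old pair, skips it when offered again, installs the renewed pair, and rejects the mismatched key. Whatever the transport, the same `ShouldApply` gate can sit in a cron job on each of the 70 hosts or in the hook an ACME client runs after issuance; the reload step (systemctl, a Java keystore rebuild, a Windows store import) is the service-specific part the thread warns about and is left to the caller.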