Documentation Index

Fetch the complete documentation index at: https://guide.ncloud-docs.com/llms.txt

Use this file to discover all available pages before exploring further.

ACME overview

Prev Next

Available in Classic and VPC

ACME (Automated Certificate Management Environment) is a standard protocol defined in RFC 8555 designed to automate the issuance, validation, renewal, and revocation of certificates. Certificate Manager provides the ACME directory as part of the Advanced certificate product line, enabling customers to build their own certificate renewal pipelines tailored to their operational environments and automate management processes.

Target audience for ACME

The ACME feature is ideal for customers who want to deploy certificates directly to their infrastructure and automate the renewal process. This prevents service disruptions caused by certificate expiration and allows customers to manage the certificate lifecycle without requiring manual intervention from administrators.

Note

If you are operating NAVER Cloud Platform’s Load Balancer or Global Edge with a certificate, use the automatic certificate renewal feature provided by Certificate Manager instead of the ACME feature.

Key features of ACME

Previously, when issuing or renewing a certificate, the person in charge had to submit an application directly to the certificate authority (CA) and manually install the issued file on the server. If you miss the renewal deadline or an error occurs during the process, it could lead to a service outage.
ACME is a standard protocol designed to automate this entire manual process. The client communicates directly with the certificate authority, handling everything from domain ownership validation to certificate issuance and renewal without human intervention. Various clients, such as Certbot, acme.sh, win-acme, and cert-manager, implement this standard, and you can select the client that best suits your operating environment.

The following is a description of the key features provided by ACME in Certificate Manager.

  • Provide an automated lifecycle management environment: It provides integration capabilities that enable clients in each operating environment to automatically handle the entire process, from certificate request to issuance, deployment, and renewal. This minimizes the need for manual intervention by the operator.
  • OV certificate support: Unlike typical free ACME services that only support DV (Domain Validation) (e.g., Let's Encrypt), it supports the automation of highly trusted OV (Organization Validation) certificates.
  • Standard client compatibility: It supports a variety of clients that comply with the RFC 8555 standard, including Certbot, acme.sh, win-acme, and cert-manager, thereby standardizing management practices that previously varied by environment and simplifying operational processes.

Basic workflow of ACME

The ACME protocol operates in three stages: account registration (EAB), domain ownership validation (Challenge), and certificate issuance (Order). Once the customer has configured the initial setup and scheduling (e.g., crontab), the client will automatically perform the renewal process when the expiration date is reached.

  1. Account registration (EAB): Register and authenticate the client with the ACME server using External Account Binding (EAB) information.
  2. Domain ownership validation (Challenge): Prove control over the domain, typically through DNS records.
  3. Certificate issuance and renewal (Order): Once validation is complete, the certificate is issued, and the client then repeats the renewal process according to the configured schedule.

ACME service specifications

The following describes the ACME service specifications.

Item Specifications
Certificate type Advanced DV, Advanced OV
Validation method DNS-01 challenge (dynamic and pre-validation methods)
Compatible clients All RFC 8555-compliant clients
Encryption algorithms RSA 2048
ACME Directory URL https://acme.navercloudtrust.com/acme/directory

Comparison of domain validation methods

The following is a comparison of the domain validation methods supported by ACME.

DNS-01 dynamic validation method

Item Contents
Description Perform dynamic domain validation via the ACME protocol upon each issuance and renewal.
Automation conditions Require the Ncloud Global DNS API integration script or the Certbot DNS plugin.
Wildcard support Supported

Pre-validation method

Item Contents
Description Reuse previously completed DNS TXT validation information in the Domains of Certificate Manager.
Automation conditions Handled automatically by the client without the need to modify any DNS records.
Wildcard support Supported

Environment-specific guide

ACME can be used primarily in the following environments:

  • Direct implementation on a dedicated server: Environments where certificates must be configured and managed directly on server operating systems such as Linux and Windows.
  • Container environment: Environments that automate certificate renewal within Kubernetes using tools such as cert-manager.
  • Multi-cloud: Environments that operate using a mix of cloud infrastructures, such as AWS, and require consistent certificate deployment and management.

The following explains how to configure each environment:

Environment Description
Linux server Configure full automation of certificate issuance and renewal in a dedicated server environment by integrating Certbot with the Ncloud Global DNS hook script.
Windows server Configure automation for certificate issuance and renewal in a Windows server environment using win-acme.
Kubernetes Automate certificate lifecycle management for Kubernetes Ingress and Pods using cert-manager's ClusterIssuer.
AWS EC2 + ACM Use the deploy hook in acme.sh to automatically import the issued certificate into AWS Certificate Manager (ACM) and apply it to the Application Load Balancer (ALB).

See the following document for detailed configuration instructions for each environment.