Nexus Documentation
CURL vulnerability information (CVE-2023-38545) - Nexus awareness advisory on Microsoft's update KB5014754

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

This article describes the support for the protocol Automatic Certificate Management Environment (ACME) in Nexus Smart ID


Do you want to know more?

→ Contact us

What is ACME?

The ACME service is used to automate the process of issuing X.509 (PKIX) certificates using the ACME protocol, as defined in RFC 8555.

The ACME protocol is supported by many standard clients available in most operating systems for automated issuing, renewal and revocation of certificates. For example, the certbot ACME client can be used to automate handling of TLS web server certificates for common HTTP servers, such as Apache and Nginx. For more information, see ACME Client Implementations

Many critical services and servers are already equipped with certificates proving their identity in a secure way, but lack the automation for example to renew certificates when the existing ones are expiring. Critical services often stop due to the fact that their certificate expire and manual processes are involved. The automation that comes with ACME enables universal encryption on the Internet. 

ACME is also readily available in many server applications and devices that need X.509 certificates, making it easier to automatically provision certificates. Many devices, such as servers, printers and NAS (Network-attached storage) devices, also come with support for ACME. 

The ACME service in Protocol Gateway (PGWY) supports both public-facing internet ACME account creation and ACME account creation where a pre-registered secret key must be shared beforehand.

ACME protocol flowchart

The diagram illustrates how an ACME client can obtain a certificate without any human interaction. In the dashed region, the client proves ownership of the domain using an HTTP-based challenge. There are other challenge methods available for ACME, Certificate Manager also implements the DNS challenge. Step 1 is optional, clients can be pre-registered in Certificate Manager – but then the clients needs to be manually provisioned.


Why use ACME?

Here are some common drivers for deploying ACME in a production environment: 

  • Full automation of key and certificate management
  • Desire to get server-side monitoring and alerting
  • More structured process for requesting certificates to edge devices or printers 
  • Streamlined interaction between requesters and administrators
  • Aiming to use an arbitrary ACME client to interact with private or public trusted CAs
  • Possibility to combine software as a service and on-premise installations 
  • Audit-friendly reporting to assure compliance, and enhance incident management 


Related information

Links

Request certificate via ACME and Protocol Gateway

Error rendering macro 'excerpt-include' : No link could be created for 'Request certificate via ACME and Protocol Gateway'.



Manage ACME accounts 

Error rendering macro 'excerpt-include' : No link could be created for 'Manage ACME accounts'.



  • No labels

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions