Ascertia is delighted to announce that ADSS Web RA Server 2.6 (Available from 5th August 2022) adds support for ACME to the growing list of device enrolment protocols.
What is ACME?
ACME stands for “Automated Certificate Management Environment” (defined in RFC 8555). It was originally developed by the Internet Security Research Group for Let's Encrypt to issue short-lived, domain-validated certificates with a 90-day lifetime.
Certificate lifecycle management (CLM) is a trending topic for organisations, governments and Trust Service Providers (TSPs). Digital certificates provide strong, cryptographically secure credentials that authenticate users, devices and applications, secure communications between endpoints, and can do so in an automated manner, but every certificate carries an expiry date. If expiry is not managed effectively, a certificate that lapses can cause a significant outage, and never at a convenient time!
ACME is a convenient, standards-based approach to automated certificate lifecycle management for a variety of web servers and application servers, using an ACME server together with an ACME-enabled client such as Certbot. Let's Encrypt maintains a full list of clients, which can be found here.
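The operational point behind ACME is that short-lived certificates only stay safe if renewal is triggered well before expiry. The following added example (not Ascertia's, Certbot's or Let's Encrypt's code) triages a constructed certificate inventory with that policy: the 30-days-before-expiry trigger is Certbot's documented default, while capping the trigger at one third of a certificate's lifetime, so that a 7-day certificate is renewed after roughly 4.7 days, is an assumption of this example. Host names and dates are made up, and the timestamp format is the one `ssl.getpeercert()` returns.

```python
"""Certificate-expiry triage for an inventory of TLS certificates.

Added example, not Ascertia's or Certbot's code. It applies the renewal
policy short-lived ACME certificates need: renew once the remaining
validity drops below a threshold, so a missed renewal never becomes an
outage. The 30-day threshold is Certbot's documented default; capping it
at one third of the certificate's lifetime is this example's assumption.
"""
import ssl
from datetime import datetime, timedelta, timezone

DEFAULT_RENEW_BEFORE = timedelta(days=30)


def parse_cert_time(cert_time: str) -> datetime:
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' form used by ssl.getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def classify(not_before, not_after, now, renew_before=DEFAULT_RENEW_BEFORE):
    """Return 'expired', 'not-yet-valid', 'renew' or 'ok' for one certificate."""
    if now >= not_after:
        return "expired"
    if now < not_before:
        return "not-yet-valid"
    lifetime = not_after - not_before
    # Assumption: never wait longer than two thirds of the lifetime before renewing.
    threshold = min(renew_before, lifetime / 3)
    return "renew" if not_after - now <= threshold else "ok"


def triage(inventory, now, renew_before=DEFAULT_RENEW_BEFORE):
    """Group certificates by status; entries are (name, notBefore, notAfter) strings."""
    report = {"expired": [], "renew": [], "ok": [], "not-yet-valid": []}
    for name, not_before, not_after in inventory:
        status = classify(parse_cert_time(not_before), parse_cert_time(not_after),
                          now, renew_before)
        report[status].append(name)
    for names in report.values():
        names.sort()
    return report


# Constructed inventory (host name, notBefore, notAfter); all values are made up.
SAMPLE_INVENTORY = [
    ("web-01", "May 7 00:00:00 2022 GMT", "Aug 5 00:00:00 2022 GMT"),     # lapses today
    ("web-02", "Jun 1 00:00:00 2022 GMT", "Aug 30 00:00:00 2022 GMT"),    # 90-day, 25 days left
    ("web-03", "Jul 20 00:00:00 2022 GMT", "Oct 18 00:00:00 2022 GMT"),   # 90-day, 74 days left
    ("api-01", "Aug 1 00:00:00 2022 GMT", "Aug 8 00:00:00 2022 GMT"),     # 7-day, 3 days left
    ("legacy-01", "Sep 1 00:00:00 2022 GMT", "Nov 30 00:00:00 2022 GMT"), # not yet valid
]
SAMPLE_NOW = parse_cert_time("Aug 5 00:00:00 2022 GMT")


if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY, SAMPLE_NOW).items():
        print(f"{status:>14}: {', '.join(names) or '-'}")
```

Note that `api-01` is reported as `ok` with three days remaining: a fixed 30-day rule would flag every short-lived certificate as permanently due for renewal, which is why the threshold scales with lifetime. In a real deployment the inventory would come from the RA's records or from `ssl.getpeercert()` against each endpoint, and anything in `renew` or `expired` would be handed to the ACME client.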
ADSS Web RA Server already supports the following device enrolment protocols:
- Simple Certificate Enrolment Protocol (SCEP) – Traditionally used by network devices to enrol with a PKI for RSA-based digital certificates, SCEP can also be used by applications to request certificates from a PKI. SCEP certificate enrolment usually requires an administrator to provide the device or application with the URL of the SCEP server and an enrolment passphrase.
- Certificate Management Protocol version 2 (CMPv2) – Introduced to add support for both RSA and ECC certificate enrolment, CMPv2 supports device and application certificate enrolment and is commonly used by mobile network operators to issue certificates to 4G and 5G networks. CMPv2 has two methods to enable enrolment:
  - An RA must supply the device with a URL for the CMPv2 server and a passphrase, or
  - The network device uses a digital certificate issued to it during the manufacturing process. The CMPv2 server must be configured to trust the manufacturing PKI so that it can authenticate the device and issue a replacement certificate.
ADSS Web RA Server 2.6 now includes ACME support for device enrolment and certificate lifecycle management. In future releases Ascertia will be adding support for Enrolment over Secure Transport (EST) as well as support for Microsoft Native Certificate Enrolment. This will make the Ascertia ADSS Web RA Server one of the most comprehensive registration and certificate lifecycle management platforms on the market.
To find out more about Web RA 2.6 please get in touch.