ACME offer by DigiCert

The DigiCert ACME offer allows you to automate the issuance of both public and private DV, OV and EV certificates using your preferred third-party ACME client.

How to access the tool?

ACME is available (in Beta version) on all TBS Certificates Centers.

The pre-requisites

To use ACME you'll have to set up a pre-validation (except for the DV certs).

A pre-validation is required for each organization/certificate type (OV, EV) couple for which you'll need to order ACME certificates.

You'll also have to install and configure a third-party ACME client of your choice before using the tool.

Finally, it is best to check your network configuration and that your HTTP application answers on port 80 before running your first ACME command.

How does it work?

Once all the requirements are met, go on the ACME section of your Certificate Center.

ACME URL

The first step is to create an ACME URL or access point:

Creation of an ACME access point

Give a friendly name to your access point, select the relevant product and organization and click on "Creation of an ACME access point".

A URL can be invalidated at any time.

Once this is done, the credentials your ACME client needs to communicate with the DigiCert cloud (the KID value and the HMAC key) are displayed, along with an example command for ordering a certificate:

ACME credentials

Warning: The credentials are only displayed once, at the moment they are created. Save these values so that you can order certificates later. If you ever lose your ACME URL details, you'll need to revoke the lost URL and generate a new one.

A unique path (the "directory" parameter) must also be created for each ACME URL.
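As an added illustration (not code from this page or from DigiCert), this is how an ACME client turns the KID and HMAC key shown above into the external account binding defined in RFC 8555 section 7.3.4, and how the CA side checks it; the newAccount URL, KID, HMAC key and account JWK below are constructed placeholders, not real values.

```python
"""Build and verify an ACME external account binding (RFC 8555 section 7.3.4)
from a KID and an HMAC key. Standard library only; all key material below is
constructed for illustration and must not be treated as real credentials."""
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: re-add the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_eab(kid: str, hmac_key_b64: str, new_account_url: str, account_jwk: dict) -> dict:
    """Return the externalAccountBinding object placed in the newAccount request.
    The JWS is signed with HMAC-SHA256 using the CA-issued secret, and its payload
    is the ACME account's public key, which ties that key to the KID. No nonce is used."""
    protected = b64url(json.dumps(
        {"alg": "HS256", "kid": kid, "url": new_account_url}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{protected}.{payload}".encode("ascii")
    sig = hmac.new(b64url_decode(hmac_key_b64), signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(sig)}

def verify_eab(eab: dict, hmac_key_b64: str, expected_kid: str, account_jwk: dict) -> bool:
    """What the CA does on receipt: recompute the MAC and check that the bound key and
    the KID match. Any change to header, payload or secret invalidates the binding."""
    header = json.loads(b64url_decode(eab["protected"]))
    if header.get("alg") != "HS256" or header.get("kid") != expected_kid:
        return False
    if json.loads(b64url_decode(eab["payload"])) != account_jwk:
        return False
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(hmac_key_b64), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))

# Constructed sample values: placeholder KID, fixed HMAC key, dummy P-256 JWK (not a real key).
SAMPLE_KID = "kid-PLACEHOLDER"
SAMPLE_HMAC_KEY = b64url(b"\x01" * 32)
SAMPLE_URL = "https://acme.example/newAccount"  # assumed newAccount URL from the directory
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "AAAA", "y": "BBBB"}

if __name__ == "__main__":
    eab = build_eab(SAMPLE_KID, SAMPLE_HMAC_KEY, SAMPLE_URL, SAMPLE_JWK)
    print(json.dumps(eab, indent=2))
    print("valid:", verify_eab(eab, SAMPLE_HMAC_KEY, SAMPLE_KID, SAMPLE_JWK))
```

Because the HMAC key is the only secret in this binding, anyone holding it can bind a new account key to your KID, which is why the page tells you to revoke a lost ACME URL rather than keep using it.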

Your ACME URLs are then displayed:

List of ACME URLs

The order

You can now order certificates!

To do so, execute the command displayed in the example above.

The certificates delivered by ACME are also displayed on the page:

List of ACME certificates

Once the tool is ready, you can configure cron jobs that will handle the automatic renewal of your ACME certificates.

For which products?

ACME is available for all SSL DV, OV and EV products of the DigiCert family (DigiCert, Thawte, Geotrust, RapidSSL).

Only products valid for 1 year (not plan offers) are available on ACME.

The invoicing

For Deposit accounts, the price of ACME certificates is debited from the account balance just like a normal order, and they benefit from the same negotiated prices. For Bulk Purchase and Rebate accounts, tokens are debited.

Note: the account must be in credit to accept ACME orders. Orders are not charged in real time, but "from time to time".

Likewise, Bulk Purchase and Rebate accounts must have tokens available to place orders.

In the Certificate Center

Your ACME certificates are easily accessible from the ACME section of your Certificate Center, but they are also displayed in the other "classic" sections. They are identifiable by their TBS reference, which starts with "DCACME-".

The revocation

Requests to revoke certificates issued via ACME protocol must also be submitted via ACME protocol.

There are then 2 options for revoking the certificate.

Revocation by certificate name

In the command prompt, use the following syntax:

sudo certbot revoke --cert-name {NAME} --config-dir {MY-CONFIG-DIR} --reason {REVOCATION-REASON}

Example:

sudo certbot revoke --cert-name test.domain.com --config-dir /usr/local/certbot/my_webserver_config/ --reason superseded

Revocation by certificate path

In the command prompt, use the following syntax:

sudo certbot revoke --cert-path {PATH} --server {ACME-URL} --config-dir {MY-CONFIG-DIR} --reason {REVOCATION-REASON}

Example:

sudo certbot revoke --cert-path /usr/local/certbot/my_webserver_config/archive/test.domain.com/cert1.pem --server https://one.digicert.com/mpki/api/v1/acme/v2/directory --config-dir /usr/local/certbot/my_webserver_config/ --reason keyCompromise

Arguments

NAME: The reference name for the certificate, which is not necessarily the same as the common name. Use the "certbot certificates" command to list all certificates Certbot knows about, including the reference name for each.

MY-CONFIG-DIR: The directory path where the Certbot configuration and certificate files are stored.

PATH: The absolute path of the certificate file on the server.

ACME-URL: The DigiCert ACME Directory URL used to issue the certificate. The --server option is required when revoking by certificate path, but not required when revoking by reference name.

REVOCATION-REASON: Reason for revoking the certificate. To choose among:

  • unspecified: No specific reason is provided for the revocation.
  • keyCompromise: The private key associated with the certificate has been compromised or is suspected to be compromised.
  • affiliationChanged: The subject’s affiliation or organizational information has changed and the certificate is no longer accurate.
  • superseded: The certificate has been replaced with a new one and is no longer needed.
  • cessationOfOperation: The service, domain, or operation associated with the certificate has been discontinued.

Further information

There are some particularities to the ACME certificates:

  • their anniversary dates are lost during renewal
  • their validity period is defined by the CA/B Forum (13 months maximum for now)
  • ACME certificates benefit from the 30 days "Money back guarantee". To take advantage of this offer, simply revoke the certificate within 30 days of its issuance (see the 'Revocation' section above).

ACME clients

There are several ACME clients available from which you can make a choice according to your needs and constraints. You'll find a non-exhaustive list here.

What's next?

In the next few weeks, you'll be able to revoke your ACME certificates from their status page.