ACME Sectigo CaaS Subscriptions

The ACME Sectigo CaaS (Certificate as a Service) offer allows you to issue, on demand and automatically via the ACME client of your choice, SSL DV, OV or QWAC certificates for an unlimited number of domains for the duration of your subscription (1 year, renewable).

The principle is simple: You buy an annual subscription, you enroll your domains in it, then your ACME client automatically issues and renews the certificates for these domains.

Access to the feature

This feature is only available for compatible customer accounts (certain deposit accounts and monthly payment accounts): Left menu > Your orders > ACME Sectigo CaaS

If you don't see it in your menu, contact your TBS sales representative.

The prerequisites

The use of ACME is conditional upon the implementation of a pre-validation (excluding DV certificates).

A pre-validation for each pair of organisation / certificate type (OV, QWAC) corresponding to the certificates you wish to order with ACME must be created.

You also need to set up and configure the third-party ACME client of your choice before using the tool.

Finally, it is best to check your network configuration and HTTP application (port 80) before running your first ACME command.

How does it work?

The subscription must first be created.

Create a subscription

On the "ACME Sectigo CaaS" page, in the "Creating an ACME subscription" section, enter:

  • The subscription type (Sectigo CaaS DV, OV or QWAC)
  • The organization (mandatory with OV and QWAC)
  • Your subscription's personalized name (free choice)
  • The domains to include in the subscription (FQDN or wildcard, one per line)

The total amount for the year that will be debited from your account will be displayed here.

Finally, click on "Subscribe".

ACME data

Once the subscription is created, a window will display your ACME login details:

ext_act_kid    : <account ID>
eab-hmac-key   : <HMAC key>
acme-server    : <ACME directory URL>

WARNING: These values are displayed only once and will never be provided again. Save them immediately in your secrets manager or vault.

In case of loss, the subscription will need to be recreated.

An example of use with Certbot is provided in the same window.

The order

You are now ready to order your certificates!

To do so, execute the command as shown in the example above.

The certificates thus obtained also appear on the subscription details page (see below).

Finally, once you are comfortable with the tool, you can configure cron jobs to handle the automatic renewal of your ACME certificates.
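
One way to use the three ACME values with Certbot while keeping the HMAC key out of shell history and process listings, as an added example (not the example shown in the TBS window, and not TBS or Sectigo code). The function names, file name, e-mail address, domain and credential values are placeholders constructed for this illustration.

```shell
#!/bin/sh
# Added example, not TBS/Sectigo code. All values below are constructed placeholders.
set -eu

# write_acme_ini FILE ACME_SERVER EXT_ACT_KID EAB_HMAC_KEY
# Writes a Certbot config file readable by its owner only. The body is a
# subshell, so the umask change does not leak into the caller.
write_acme_ini() (
  file=$1 server=$2 kid=$3 hmac=$4
  case $server in
    https://*) ;;
    *) echo "acme-server must be an https:// URL" >&2; exit 1 ;;
  esac
  for v in "$server" "$kid" "$hmac"; do
    case $v in
      ''|*[[:space:]]*) echo "empty value or embedded whitespace" >&2; exit 1 ;;
    esac
  done
  umask 077
  printf 'server = %s\neab-kid = %s\neab-hmac-key = %s\n' \
    "$server" "$kid" "$hmac" > "$file"
  chmod 600 "$file"   # also tightens a pre-existing file
)

# issue_cmd INI EMAIL DOMAIN...
# Prints the first-issuance command. The HMAC key is read from INI, so it
# never appears in argv. --standalone answers the HTTP-01 challenge on port 80.
issue_cmd() (
  ini=$1 email=$2; shift 2
  [ $# -ge 1 ] || { echo "at least one domain required" >&2; exit 1; }
  cmd="certbot certonly --config $ini --standalone --non-interactive --agree-tos -m $email"
  for d in "$@"; do
    case $d in
      '*.'*) echo "$d: wildcards need a DNS-01 plugin, not --standalone" >&2; exit 1 ;;
    esac
    cmd="$cmd -d $d"
  done
  printf '%s\n' "$cmd"
)

demo=$(mktemp -d)
write_acme_ini "$demo/sectigo-caas.ini" "https://acme.example.invalid/directory" \
  "kid-PLACEHOLDER" "hmac-PLACEHOLDER"
issue_cmd "$demo/sectigo-caas.ini" admin@example.com www.example.com
rm -rf "$demo"
# Renewal afterwards, e.g. in root's crontab:  17 3 * * * certbot renew --quiet
```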

The different types of subscription

Different types of subscriptions are available today:

  • Sectigo CaaS DV WildSSL
  • Sectigo CaaS DV SSL
  • Sectigo CaaS OV WildSSL
  • Sectigo CaaS OV SSL
  • Sectigo CaaS QWAC SSL

WARNING: All certificates delivered via the ACME Sectigo CaaS offer have a validity period of 3 months.

Subscription details page

From the list of subscriptions, click on the line to access the details.

Subscription information

All subscription-related data is displayed here: name, subscription type, status, organization, dates, number of active domains, number of certificates delivered...

You can activate automatic renewal of your subscription from the details page. If this option is activated, the subscription, as well as any active domains, will be automatically extended for one year 30 days before its expiration.

ACME connection

You will also find information about the ACME connection and an example of use, with a reminder of the ACME URL and account ID. The HMAC key is no longer displayed.

Enrolled domains

Then a table lists the domains enrolled in the subscription: Sectigo reference, date of addition, status...

Certificates delivered

Finally, the complete list of certificates issued in the subscription is displayed (TBS reference, domain, serial number, validity dates...)

Add a domain to an existing subscription

It is possible to add a domain to an existing subscription. In this case, the domain will be billed pro rata for the remaining time on the subscription in question.

To do this:

  • On the details page, click "Add a domain"
  • Enter the FQDN (or *.example.com for a wildcard)
  • The applicable price will be displayed (single or wildcard, prorated based on the remaining subscription time)
  • Click "Add". The domain will be immediately registered and billed

The certificates can then be issued via your ACME client, without any further intervention in the Certificate Center.

Delete a domain

It is possible to remove a domain from a subscription at any time.

If this deletion occurs within 30 days of its activation, then the domain is fully refunded.

Warning: If you delete a domain within 30 days of its activation, then all certificates issued for that domain will be automatically revoked by the authority.

To delete a domain, go to the subscription details page and click on the "trash can" icon in the action column.

Automatic subscription renewal

If automatic subscription renewal is enabled:

  • 30 days before expiration, a one-year extension of the subscription is processed by Sectigo
  • Each active domain is billed for a new year

Special case: A certificate issued may have an expiration date after the subscription expires (certificates issued via ACME CaaS are all valid for 3 months). If the corresponding domain (or subscription) is not renewed, the certificate will be revoked on the subscription's expiration date.

Billing

ACME subscriptions and/or domains are debited from the balance for deposit accounts or added to the monthly invoice for monthly payment accounts, just like a regular order. They benefit from the negotiated rates of your account.

In the Certificate Center

Your ACME certificates are easily accessible from the ACME Sectigo CaaS section of your customer area and are also displayed in the "classic" sections. They are easily identifiable by their TBS reference starting with "SGACME-".

ACME clients

There are several ACME clients to choose from, depending on your needs and constraints. You will find a non-exhaustive list here.