ACME External Account Binding new

POST https://www.digicert.com/services/v2/key/acme-eab/tlm
Use this endpoint to generate an External Account Binding (EAB) key for use with DigiCert’s ACME (Automated Certificate Management Environment) service. You can generate a key identifier and an HMAC key. Use these credentials with an ACME client that supports EAB (like Certbot) to automate the deployment of DV, OV, and EV TLS/SSL certificates.

Use the new version of the CertCentral ACME service!

To generate a key identifier and HMAC key for ACME External Account Binding (EAB), use this endpoint (ACME External Account Binding – new) going forward. On February 24, 2026, DigiCert will retire the legacy CertCentral ACME service, including the legacy ACME endpoint, ACME External Account Binding – legacy.

Why is DigiCert retiring the legacy CertCentral ACME service?

The new CertCentral ACME service offers significant upgrades over the legacy version, including:

  • Support for DV TLS products
  • ACME domain control validation for all TLS products
  • Support for ACME Renewal Information (ARI)
  • Dynamic detection logic (see ACME automation actions)
  • Compliance with the ACME v2 standard as specified in RFC 8555

Learn more about the latest CertCentral ACME automation features.

Certificates with the CanSignHTTPExchanges extension

If the certificate profile option (see Certificate profile options) for HTTP Signed Exchange is enabled for your CertCentral account, you can use ACME to automate deployment for certificates with the CanSignHTTPExchanges extension. For most accounts, this certificate profile option is not enabled by default. To enable this option, contact your account representative or DigiCert Support.

Example requests and responses

cURL

curl -X POST \
   'https://www.digicert.com/services/v2/key/acme-eab/tlm' \
   -H 'X-DC-DEVKEY: {{api_key}}' \
   -H 'Content-Type: application/json' \
   -d '{
     "name": "ACME integration",  
     "product_name_id": "ssl_basic",
     "organization_id": 946767,
     "validity_years": 1
   }'

201 Created

{
    "acme_directory_url": "https://one.digicert.com/mpki/api/v1/acme/v2/directory",
    "ext_act_kid": "PAtzxcSFQMQSdm9SLJTxCt0hwvvl5yNKPfnWBWqPk8o",
    "ext_act_hmac": "ZndUSkZvVldvMEFiRzQ5VWNCdERtNkNBNnBTcTl4czNKVEVxdUZiaEdpZXZNUVJBVmRuSFREcDJYX2s3X0NxTA"
}

Request parameters

| Name | Req/Opt | Type | Description |
|---|---|---|---|
| name | required | string | Friendly name to associate with the credentials. |
| product_name_id | required | string | Product identifier for the type of certificate you want to issue with ACME. Allowed values: See Glossary – Product identifiers. |
| organization_id | conditional | int | ID of the organization to issue certificates for. |
| validity_years | required | int | Validity period (in years) for certificates issued with these credentials. Allowed values: 1-3, depending on the certificate type. Public TLS/SSL certificates have a maximum validity of 1 year. Private SSL certificates have a maximum validity of 3 years. |
| validity_days | optional | int | Validity period (in days) for certificates issued with these credentials. Overrides validity_years. |
| profile_option | optional | string | Certificate profile option to enable for these credentials. Allowed values: http_signed_exchange. Important: Per industry standards, certificates that include the HTTP Signed Exchange extension have a 90-day maximum validity. If you enable the http_signed_exchange profile option, set the validity period of the order and the certificate to 90 days or less to avoid charges for extra days on the certificate orders. |
| container_id | conditional | int | ID of the container to issue certificates for. |
| custom_fields | conditional | array | List of objects with values for account-specific custom fields. Whether these fields are required depends on your custom field settings. |
| .. metadata_id | required | int | Custom field ID. To get the ID values for your custom fields, use the List custom fields endpoint. |
| .. value | required | string | Value for the custom field. Data validation type depends on your custom field settings. |
| ca_cert_id | optional | string | ID of the intermediate certificate authority (ICA) that should sign certificates issued with these credentials. |
| order_validity_days | optional | int | Custom validity period (in days) of the orders you use these credentials to create. For accounts with Multi-year Plans enabled, order validity determines the length of the plan. If not provided, order validity matches certificate validity. |
| order_validity_years | optional | int | Custom validity period (in years) for the orders you use these credentials to create. For accounts with Multi-year Plans enabled, order validity determines the length of the plan. If not provided, order validity matches certificate validity. |

Response parameters

| Name | Type | Description |
|---|---|---|
| acme_directory_url | string | ACME directory resource URI. |
| ext_act_kid | string | Key identifier for the external account. |
| ext_act_hmac | string | HMAC key for the external account. |