
ACME External Account Binding - new

POST https://www.digicert.com/services/v2/key/acme-eab/tlm

Use this endpoint to generate a key identifier and HMAC key for ACME External Account Binding (EAB). Use these credentials with an ACME client that supports EAB (like CertBot) to automate the deployment of DV, OV, and EV TLS/SSL certificates.

Danger

We only display your EAB credentials once. You cannot recover lost EAB credentials. If you lose access to your credentials, you must regenerate them.

New version of the CertCentral ACME service

To generate a key identifier and HMAC key for ACME External Account Binding (EAB), DigiCert recommends using this new endpoint going forward: ACME External Account Binding - new.

On January 30, 2024, DigiCert released a new version of the CertCentral ACME service with support for the following:

  • ACME-based automation for DV certificates.

  • Dynamic domain control validation checks via the ACME protocol.

  • Automatic selection of the certificate action (enroll/renew/reissue/duplicate), with the ability to override and force a new enrollment.

Any ACME credentials created in CertCentral before January 30, 2024, using the legacy ACME External Account Binding endpoint, do not support the features above and are considered legacy credentials. DigiCert recommends replacing the "legacy" ACME credentials in your ACME API integrations with new ACME credentials.

For more information about this change, see Use legacy CertCentral ACME credentials.

Certificates with the CanSignHTTPExchanges extension

If the certificate profile option (see Certificate profile options) for HTTP Signed Exchange is enabled for your CertCentral account, you can use ACME to automate deployment for certificates with the CanSignHTTPExchanges extension. For most accounts, this certificate profile option is not enabled by default. To enable this option, contact your account representative or DigiCert Support.

Example requests and responses

Request parameters

| Name | Req/Opt | Type | Description |
|---|---|---|---|
| name | required | string | Friendly name to associate with the credentials. |
| product_name_id | required | string | Product identifier for the type of certificate you want to issue with ACME. Allowed values: See Glossary – Product identifiers. |
| organization_id | conditional | int | ID of the organization to issue certificates for. Note: Required for OV and EV SSL certificates; must be a pre-validated OV or EV organization. Not required for DV SSL certificates; do not include it in DV requests. |
| validity_years | required | int | Validity period (in years) for certificates issued with these credentials. Allowed values: 1-3, depending on the certificate type. Public TLS/SSL certificates have a maximum validity of 1 year. Private SSL certificates have a maximum validity of 3 years. |
| validity_days | optional | int | Validity period (in days) for certificates issued with these credentials. Overrides validity_years. |
| profile_option | optional | string | Certificate profile option to enable for these credentials. Allowed values: http_signed_exchange. Important: Per industry standards, certificates that include the HTTP Signed Exchange extension have a 90-day maximum validity. If you enable the http_signed_exchange profile option, set the validity period of the order and the certificate to 90 days or less to avoid charges for extra days on the certificate orders. |
| container_id | conditional | int | ID of the container to issue certificates for. Note: If not provided, certificates are issued for the container ID of the user associated with the API key in the request header. Required for generating ACME credentials that use product settings associated with a specific container in your account. |
| custom_fields | conditional | array | List of objects with values for account-specific custom fields. Whether these fields are required depends on your custom field settings. |
| .. metadata_id | required | int | Custom field ID. To get the ID values for your custom fields, use the List custom fields endpoint. |
| .. value | required | string | Value for the custom field. Data validation type depends on your custom field settings. |
| ca_cert_id | optional | string | ID of the intermediate certificate authority (ICA) that should sign certificates issued with these credentials. |
| order_validity_days | optional | int | Custom validity period (in days) of the orders you use these credentials to create. For accounts with Multi-year Plans enabled, order validity determines the length of the plan. If not provided, order validity matches certificate validity. |
| order_validity_years | optional | int | Custom validity period (in years) for the orders you use these credentials to create. For accounts with Multi-year Plans enabled, order validity determines the length of the plan. If not provided, order validity matches certificate validity. |
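The conditional rules in the request parameters above interact: organization_id depends on the certificate type, and http_signed_exchange caps both certificate and order validity at 90 days. The following pre-flight check is an added example, not DigiCert code; the validation_type argument, the placeholder product identifiers and the sample bodies are assumptions made for illustration.

```python
SXG_MAX_DAYS = 90  # page: HTTP Signed Exchange certificates, 90-day maximum

def _days(body, days_key, years_key):
    """Length in days; *_days wins when both are set (stated on the page for
    validity_*, assumed here for order_validity_*). 365 days/year is approximate."""
    days, years = body.get(days_key), body.get(years_key)
    if isinstance(days, int):
        return days
    return years * 365 if isinstance(years, int) else None

def validate_eab_request(body, validation_type):
    """Return a list of problems (empty = consistent). validation_type ("dv"/"ov"/"ev")
    is a hypothetical caller-supplied hint; the page does not map product ids to it."""
    problems = []
    for field, kind in (("name", str), ("product_name_id", str),
                        ("validity_years", int)):
        if not isinstance(body.get(field), kind):
            problems.append(f"{field}: required {kind.__name__}")
    years = body.get("validity_years")
    if isinstance(years, int) and not 1 <= years <= 3:
        problems.append("validity_years: allowed values are 1-3")
    if validation_type in ("ov", "ev") and "organization_id" not in body:
        problems.append("organization_id: required for OV and EV")
    if validation_type == "dv" and "organization_id" in body:
        problems.append("organization_id: must not be sent for DV")
    for i, item in enumerate(body.get("custom_fields", [])):
        if not isinstance(item.get("metadata_id"), int):
            problems.append(f"custom_fields[{i}].metadata_id: required int")
        if not isinstance(item.get("value"), str):
            problems.append(f"custom_fields[{i}].value: required string")
    option = body.get("profile_option")
    if option not in (None, "http_signed_exchange"):
        problems.append("profile_option: only http_signed_exchange is allowed")
    if option == "http_signed_exchange":
        cert_days = _days(body, "validity_days", "validity_years")
        # Order validity matches certificate validity when not provided.
        order_days = _days(body, "order_validity_days", "order_validity_years")
        order_days = cert_days if order_days is None else order_days
        if cert_days is None or cert_days > SXG_MAX_DAYS:
            problems.append("validity_days: must be 90 or less with this option")
        if order_days is None or order_days > SXG_MAX_DAYS:
            problems.append("order_validity_days: must be 90 or less with this option")
    return problems

# Constructed sample bodies; the product_name_id values are placeholders.
SXG_BODY = {"name": "sxg-automation", "product_name_id": "<ov-product-id>",
            "organization_id": 12345, "validity_years": 1,
            "profile_option": "http_signed_exchange"}
DV_BODY = {"name": "dv-automation", "product_name_id": "<dv-product-id>",
           "validity_years": 1}
```

SXG_BODY is flagged twice because validity_years is required but resolves to more than 90 days; adding validity_days of 90 or less clears both findings.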

Response parameters

| Name | Type | Description |
|---|---|---|
| acme_directory_url | string | ACME directory resource URI. |
| ext_acct_kid | string | Key identifier for the external account. |
| ext_acct_hmac | string | HMAC key for the external account. |
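How an EAB-capable ACME client uses ext_acct_kid and ext_acct_hmac, following RFC 8555 section 7.3.4: the HMAC key signs the client's ACME account public key, so whoever holds it can bind an account key of their own to the CertCentral account. This is an added sketch, not DigiCert or Certbot code; it assumes ext_acct_hmac is a base64url-encoded key, and the key identifier, HMAC key, JWK and new-account URL are constructed sample values.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_eab(ext_acct_kid, ext_acct_hmac, account_jwk, new_account_url):
    """Build the externalAccountBinding JWS carried in the ACME newAccount request."""
    # Protected header: MAC algorithm, the CA-issued key identifier, and the
    # same URL as the outer newAccount request. No nonce is included.
    protected = b64url(json.dumps(
        {"alg": "HS256", "kid": ext_acct_kid, "url": new_account_url}).encode())
    # Payload: the ACME account's public key as a JWK.
    payload = b64url(json.dumps(account_jwk, sort_keys=True).encode())
    mac = hmac.new(b64url_decode(ext_acct_hmac),
                   f"{protected}.{payload}".encode(), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def verify_eab(eab, ext_acct_hmac, account_jwk):
    """CA-side view: the MAC must verify and the payload must be this account key."""
    signing_input = f"{eab['protected']}.{eab['payload']}".encode()
    expected = hmac.new(b64url_decode(ext_acct_hmac), signing_input,
                        hashlib.sha256).digest()
    mac_ok = hmac.compare_digest(expected, b64url_decode(eab["signature"]))
    same_key = json.loads(b64url_decode(eab["payload"])) == account_jwk
    return mac_ok and same_key


# Constructed sample values, not real credentials or a real account key.
SAMPLE_KID = "constructed-kid-0001"
SAMPLE_HMAC = b64url(bytes(range(32)))
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
SAMPLE_URL = "https://acme.example.test/new-account"
```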