ACME contract management
Use the ACME Contract Management endpoints to create and manage ACME contracts for automated SSL/TLS certificate provisioning. These endpoints let you create ACME contracts, retrieve contract details, update contract settings, manage SANs, and cancel contracts.
For an overview of the Partner Subscriptions API, see Partner Subscriptions API.
Why use it?
- Create ACME contracts for automated SSL/TLS certificate provisioning.
- Retrieve ACME contract details, including SANs, organization validation status, auto-renewal status, and contract status.
- Retrieve certificates associated with an ACME contract.
- Update ACME contract organization data and auto-renewal settings.
- Add or remove Subject Alternative Names (SANs) from an ACME contract.
- Manage ACME credentials for an ACME contract.
- Cancel ACME contracts.
- Retrieve the ACME directory URL and External Account Binding (EAB) credentials when creating or regenerating credentials.
Resource URL
Use the Partner Subscriptions API ACME contract management resource URL to construct ACME Contract Management requests.
https://www.digicert.com/partner-subscription/api/v1/acme/
Authentication and API key scope
ACME Contract Management endpoints require authentication with a subaccount Partner Subscriptions API key.
Include this header to use the subaccount Partner Subscriptions API key in the API request:
X-PARTNER-APIKEY: {{subaccount_partner_api_key}}
Endpoints in this section
| Method | Endpoint | Description |
|---|---|---|
POST | /acme | Create an ACME contract. |
GET | /acme/{acme_contract_id} | Get ACME contract details. |
PUT | /acme/{acme_contract_id} | Update an ACME contract. This is a full replacement. |
PATCH | /acme/{acme_contract_id} | Partially update an ACME contract. |
DELETE | /acme/{acme_contract_id} | Cancel an ACME contract. |
PUT | /acme/{acme_contract_id}/sans | Add SANs to an ACME contract. |
DELETE | /acme/{acme_contract_id}/sans | Remove SANs from an ACME contract. |
GET | /acme/{acme_contract_id}/certificates | Retrieve certificates for an ACME contract. |
GET | /acme/{acme_contract_id}/credentials | List ACME credentials. |
POST | /acme/{acme_contract_id}/credentials/revoke | Revoke all active ACME credentials. |
POST | /acme/{acme_contract_id}/credentials/revoke/{credential_id} | Revoke an ACME credential. |
POST | /acme/{acme_contract_id}/credentials/regenerate | Regenerate ACME credentials. |
Supported products
The following product_name_id values are supported when creating an ACME contract. The product determines the certificate validation type and organization requirements.
DV products
product_name_id | Product name |
|---|---|
ssl_dv_rapidssl | RapidSSL DV Subscription |
ssl_dv_geotrust_flex | GeoTrust DV Subscription |
ssl_dv_thawte | Thawte DV Subscription |
wildcard_dv_rapidssl | RapidSSL DV Wildcard Subscription |
OV products
product_name_id | Product name |
|---|---|
ssl_geotrust_truebizid | GeoTrust OV Subscription |
ssl_thawte_webserver | Thawte OV Subscription |
ssl_basic | Basic OV Subscription |
ssl_securesite_flex | Secure Site OV Subscription |
ssl_securesite_pro | Secure Site Pro OV Subscription |
EV products
product_name_id | Product name |
|---|---|
ssl_ev_geotrust_truebizid | GeoTrust EV Subscription |
ssl_ev_thawte_webserver | Thawte EV Subscription |
ssl_ev_basic | Basic EV Subscription |
ssl_ev_securesite_flex | Secure Site EV Subscription |
ssl_ev_securesite_pro | Secure Site Pro EV Subscription |
Contact requirements when creating or updating organizations
| Product type | Contact requirements |
|---|---|
| DV | No organization contacts required. |
| OV | organization_contact is required. technical_contact is optional. |
| EV | organization_contact and at least one verified_contact are required. technical_contact is optional. |
- For EV products, all verified contacts must include
telephoneandjob_title. - Contact information may be required when creating or updating organization details for OV and EV subscriptions. Contact information is accepted in requests but is not returned in ACME contract responses.
Requests and methods
All ACME Contract Management requests use RESTful URLs and header-based authentication. Where a request body is required, the endpoint accepts JSON data.
ACME Contract Management uses these standard HTTP methods:
GETPOSTPUTPATCHDELETE
Auto-renewal
Use the auto_renew parameter to enable or disable automatic renewal of an ACME contract.
When creating an ACME contract, set auto_renew to true to opt in to automatic renewal. If omitted, auto_renew defaults to false.
To update the auto-renewal setting after contract creation, use the Partially update ACME contract endpoint. This lets you change auto_renew without resubmitting organization details.
Managing SANs
Use SAN management endpoints to add or remove Subject Alternative Names from an existing ACME contract.
| Endpoint | Request body fields | Description |
|---|---|---|
PUT /acme/{acme_contract_id}/sans | sans | Add domain names to an existing ACME contract. |
DELETE /acme/{acme_contract_id}/sans | sans | Remove domain names from an existing ACME contract. |
SAN requests use this field:
| Field | Type | Required | Description |
|---|---|---|---|
sans | array[string] | Yes | Array of domain names to add or remove. |
Canceling ACME contracts
Use DELETE /acme/{acme_contract_id} to cancel an existing ACME contract.
Canceling a contract permanently deactivates the contract and stops certificate issuance under it.
Cancellation within 30 days
If the contract is canceled within 30 days of creation, the following actions are irreversible:
- The ACME directory URL associated with the contract becomes inactive.
- ACME clients configured to use the contract can no longer issue or renew certificates.
- SANs associated with the contract are released.
- Eligible SANs are refunded on a per-SAN basis.
Cancellation outside the 30-day refund window
If the contract is older than 30 days, the endpoint returns 400 Bad Request.
To disable automatic renewal for an ACME contract outside the 30-day refund window, use the PATCH /acme/{acme_contract_id} endpoint to set auto_renew to false.
Responses
ACME Contract Management responses return ACME contract data in JSON format.
Common response codes
| Status code | Description |
|---|---|
200 OK | Request succeeded and returned ACME contract data. |
201 Created | ACME contract created successfully. |
204 No Content | Request succeeded and the response does not include a body. |
400 Bad Request | The request data is invalid, the contract has been canceled and cannot be modified, or the requested operation is not allowed. |
403 Forbidden | Access denied. |
404 Not Found | The ACME contract was not found. |