ACME External Account Binding

POST
https://www.digicert.com/services/v2/key/acme-eab

Use this endpoint to generate a key identifier and HMAC key for ACME External Account Binding (EAB). Use these credentials with an ACME client that supports EAB (like Certbot) to automate the deployment of OV or EV TLS/SSL certificates.

We only display your EAB credentials once. You cannot recover lost EAB credentials. If you lose access to your credentials, you must regenerate them.

Certificates with the CanSignHTTPExchanges extension

If the certificate profile option (see Certificate profile options) for HTTP Signed Exchange is enabled for your CertCentral account, you can use ACME to automate deployment for certificates with the CanSignHTTPExchanges extension. For most accounts, this certificate profile option is not enabled by default. To enable this option, contact your account representative or the Support team.

Example requests and responses

cURL
curl -X POST \
   'https://www.digicert.com/services/v2/key/acme-eab' \
   -H 'X-DC-DEVKEY: {{api_key}}' \
   -H 'Content-Type: application/json' \
   -d '{
     "name": "ACME integration",
     "product_name_id": "ssl_basic",
     "organization_id": 946767,
     "validity_years": 1
   }'
201 Created
{
    "acme_directory_url": "https://acme.digicert.com/v2/acme/directory/",
    "ext_act_kid": "PAtzxcSFQMQSdm9SLJTxCt0hwvvl5yNKPfnWBWqPk8o",
    "ext_act_hmac": "ZndUSkZvVldvMEFiRzQ5VWNCdERtNkNBNnBTcTl4czNKVEVxdUZiaEdpZXZNUVJBVmRuSFREcDJYX2s3X0NxTA"
}

Request parameters

Name Req/Opt Type Description
name required string Friendly name to associate with the credentials.
product_name_id required string Product identifier for the type of certificate you want to issue with ACME.
Allowed values: See Glossary – Product identifiers.
organization_id required int ID of the organization to issue certificates for.
Must be a pre-validated OV or EV organization.
validity_years required int Validity period (in years) for certificates issued with these credentials.
Allowed values: 1-3, depending on the certificate type. Public TLS/SSL certificates have a maximum validity of 1 year. Private SSL certificates have a maximum validity of 3 years.
validity_days optional int Validity period (in days) for certificates issued with these credentials.
Overrides validity_years.
profile_option optional string Certificate profile option to enable for these credentials.
Allowed values: http_signed_exchange
Important: Per industry standards, certificates that include the HTTP Signed Exchange extension have a 90-day maximum validity. If you enable the http_signed_exchange profile option, set the validity period of the order and the certificate to 90 days or less to avoid charges for extra days on the certificate orders.
container_id optional int ID of the container to issue certificates for.
custom_fields optional* array List of objects with values for account-specific custom fields.
*Whether these fields are required depends on your custom field settings.
.. metadata_id required int Custom field ID.
To get the ID values for your custom fields, use the List custom fields endpoint.
.. value required string Value for the custom field.
Data validation type depends on your custom field settings.
ca_cert_id optional string ID of the intermediate certificate authority (ICA) that should sign certificates issued with these credentials.
order_validity_days optional int Custom validity period (in days) of the orders you use these credentials to create. For accounts with Multi-year Plans enabled, order validity determines the length of the plan.
If not provided, order validity matches certificate validity.
order_validity_years optional int Custom validity period (in years) for the orders you use these credentials to create. For accounts with Multi-year Plans enabled, order validity determines the length of the plan.
If not provided, order validity matches certificate validity.

Response parameters

Name Type Description
acme_directory_url string ACME directory resource URI.
ext_acct_kid string Key identifier for the external account.
ext_acct_hmac string HMAC key for the external account.
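
How an ACME client consumes these credentials, as an added example that is not DigiCert's code: it builds the externalAccountBinding JWS that RFC 8555 section 7.3.4 defines, MACing the account public key with the HMAC key. Assumptions: the HMAC key is base64url-encoded as that RFC describes, and the sample credentials, account JWK and newAccount URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

def b64url(data):
    """Unpadded base64url, the encoding JWS uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def eab_credentials(response):
    """Pull the key identifier and HMAC key out of the 201 response body."""
    # The page's sample response spells the keys ext_act_*, its parameter
    # table ext_acct_*; accept either rather than guess.
    kid = response.get("ext_acct_kid") or response.get("ext_act_kid")
    key = response.get("ext_acct_hmac") or response.get("ext_act_hmac")
    if not kid or not key:
        raise ValueError("response has no EAB key identifier / HMAC key")
    return kid, key

def external_account_binding(kid, hmac_key, account_jwk, new_account_url):
    """RFC 8555 section 7.3.4: JWS over the account public key, alg HS256."""
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url(json.dumps(header).encode())
    payload = b64url(json.dumps(account_jwk, sort_keys=True).encode())
    mac = hmac.new(b64url_decode(hmac_key),
                   f"{protected}.{payload}".encode("ascii"), hashlib.sha256)
    return {"protected": protected, "payload": payload,
            "signature": b64url(mac.digest())}

def verify_binding(binding, hmac_key):
    """Recompute the MAC as an ACME server would; compare in constant time."""
    data = f"{binding['protected']}.{binding['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(hmac_key), data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(binding["signature"]))

# Constructed sample values (not real credentials, not from a live account).
SAMPLE_RESPONSE = {"ext_act_kid": "constructed-kid",
                   "ext_act_hmac": b64url(b"constructed 32-byte demo MAC key")}
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
NEW_ACCOUNT_URL = "https://acme.example/new-account"  # assumed; read it from the directory
KID, HMAC_KEY = eab_credentials(SAMPLE_RESPONSE)
BINDING = external_account_binding(KID, HMAC_KEY, SAMPLE_JWK, NEW_ACCOUNT_URL)
```

Because the MAC covers the account key and the newAccount URL, anyone holding the HMAC key can bind a new ACME account to the CertCentral account, so store it like any other API secret.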