Automated TLS Certificate Issuance via ACME Protocol

What is the ACME Protocol?

ACME (Automated Certificate Management Environment) is a standardized protocol, specified in RFC 8555, for automating the full lifecycle of TLS/SSL certificates. With ACME, the manual steps of generating Certificate Signing Requests (CSRs), validating domain ownership, and deploying certificates on servers are eliminated, because the ACME client running on your server performs them automatically.

Key Benefits for Our Clients

Zero Risk of Expiration

Forget about service disruptions caused by expired certificates. Your server will handle timely renewals automatically in the background.

Maximum Security

Your private keys never leave your server. The Provider does not have access to them, ensuring absolute control over your keys.

Time and Cost Savings

No more manual form filling or waiting for administrator intervention. The entire process takes only a few seconds from execution to deployment.

How the Process Works (ACME Lifecycle)

To ensure the highest level of trust (OV certificates), the process operates across two validation layers: the identity of your organization, established once through pre-registration and account binding, and control of the domain, proven for every certificate request through an ACME challenge:

Important Notice: Before starting automation, your company must complete a one-time Pre-registration process. Once your corporate details are verified by our auditors, we will generate EAB (External Account Binding) keys for you to authorize your local ACME client.

One-Time Account Binding (EAB)

Your automated tool (e.g., Certbot) securely registers with our ACME server using the assigned credentials (a key identifier, KID, and an HMAC key). This binds the ACME account key on your server to the pre-vetted identity of your organization.

Cryptographic Challenge

When you request a certificate for a specific domain, our ACME server generates a challenge (e.g., serving a specific token from your web server over HTTP, or publishing a value derived from it in a DNS record). Completing the challenge proves that you actively control the domain.

Certificate Issuance and Download

As soon as our system verifies completion of the challenge, it checks the validity of your OV profile and immediately generates a digitally signed TLS certificate, which your ACME client downloads and automatically applies.
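To make the first two steps concrete, the following Python example (added here; it is not Disig's code and not part of the original page) builds the client-side artifacts that an ACME client such as Certbot produces under the hood: the External Account Binding JWS that goes into the newAccount request (RFC 8555, section 7.3.4), the server-side check of that binding, and the HTTP-01 and DNS-01 challenge responses derived from the account key's JWK thumbprint (RFC 8555, section 8). The account JWK coordinates, the KID, the HMAC key, the challenge token and the newAccount URL are all constructed placeholders; in practice the KID and HMAC key come from pre-registration and the newAccount URL is read from the ACME directory.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values, not real credentials or keys.
# Only the public half of the account key appears here: the EAB binding and the
# challenge responses need nothing else, and the private key stays on your server.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "WbbJbaVw_Ex2YTAyR8G5PTA5V1xCYq2dwBSg1S7U7k4",  # placeholder coordinate
    "y": "nOwDf8JQ1kgAq6P2GYbYv7C_Yr-0G4RM1Od1U9YKXj0",  # placeholder coordinate
}
EAB_KID = "kid-EXAMPLE-0001"  # placeholder; issued to you after pre-registration
# base64url of the constructed 32-byte key b"constructed-32-byte-example-key!"
EAB_HMAC_KEY_B64 = "Y29uc3RydWN0ZWQtMzItYnl0ZS1leGFtcGxlLWtleSE"
NEW_ACCOUNT_URL = "https://acme.example/v2/newAccount"  # hypothetical; taken from the directory in practice


def b64url(data: bytes) -> str:
    """Base64url without padding (the RFC 7515 encoding used throughout ACME)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; re-adds the padding that ACME strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_json_part(text: str) -> dict:
    """Decode one base64url JSON segment of a JWS (header or payload)."""
    return json.loads(b64url_decode(text))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members in lexicographic order, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def build_eab_jws(account_jwk: dict, eab_kid: str, eab_hmac_key_b64: str, new_account_url: str) -> dict:
    """Step 1 (EAB): HMAC-SHA256 JWS whose payload is the account JWK, keyed with the pre-issued HMAC key."""
    protected = b64url(json.dumps({"alg": "HS256", "kid": eab_kid, "url": new_account_url},
                                  separators=(",", ":")).encode("utf-8"))
    payload = b64url(json.dumps(account_jwk, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    signing_input = f"{protected}.{payload}".encode("ascii")
    mac = hmac.new(b64url_decode(eab_hmac_key_b64), signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def verify_eab_jws(jws: dict, eab_hmac_key_b64: str) -> bool:
    """What the CA does with the binding: recompute the MAC and compare in constant time."""
    signing_input = f"{jws['protected']}.{jws['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(eab_hmac_key_b64), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(jws["signature"]))


def new_account_payload(account_jwk: dict, eab_kid: str, eab_hmac_key_b64: str,
                        new_account_url: str, contact: list) -> dict:
    """Body of the newAccount request. The outer JWS signed with the account key is not shown here."""
    return {
        "termsOfServiceAgreed": True,
        "contact": contact,
        "externalAccountBinding": build_eab_jws(account_jwk, eab_kid, eab_hmac_key_b64, new_account_url),
    }


def http01_response(token: str, account_jwk: dict) -> tuple[str, str]:
    """Step 2 (HTTP-01): URL path to serve on the domain and the key authorization to return as its body."""
    key_authz = f"{token}.{jwk_thumbprint(account_jwk)}"
    return f"/.well-known/acme-challenge/{token}", key_authz


def dns01_response(token: str, account_jwk: dict, domain: str) -> tuple[str, str]:
    """Step 2 (DNS-01): TXT record name and value, base64url(SHA-256(key authorization))."""
    key_authz = f"{token}.{jwk_thumbprint(account_jwk)}"
    return f"_acme-challenge.{domain}", b64url(hashlib.sha256(key_authz.encode("ascii")).digest())


if __name__ == "__main__":
    body = new_account_payload(ACCOUNT_JWK, EAB_KID, EAB_HMAC_KEY_B64, NEW_ACCOUNT_URL,
                               ["mailto:admin@vasadomena.sk"])
    print(json.dumps(body, indent=2))
    print("EAB binding verifies:", verify_eab_jws(body["externalAccountBinding"], EAB_HMAC_KEY_B64))
    print(http01_response("constructed-challenge-token", ACCOUNT_JWK))
    print(dns01_response("constructed-challenge-token", ACCOUNT_JWK, "vasadomena.sk"))
```

Two design points are worth noticing. The EAB JWS carries no nonce and is signed with the shared HMAC key rather than the account key, so it proves only that whoever holds the pre-issued KID/HMAC pair vouches for this account key; the HMAC key therefore deserves the same handling as any other credential, and the constant-time comparison in `verify_eab_jws` is what a CA should do on receipt. The challenge responses depend only on the token and the account key's thumbprint, which is why the private key never has to leave the server at any step.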

Disig ACME Server Deviations from the ACME Specification

Although Disig ACME Server tries to implement the ACME specification (RFC 8555) as strictly as possible, there are places where we deviate from the literal wording of this specification for various reasons. Here is a description of the difference between RFC 8555 and the Disig ACME Server's implementation of the ACME protocol, which is available at https://onlineissue.disig.sk/r3i1/tls/acme/v2/OV/directory

Currently, Disig ACME Server deviates from the ACME specification detailed in RFC 8555 in the following ways:

Section 7.4

Disig ACME Server does not accept the optional notBefore and notAfter fields in the body of a newOrder request.

Section 7.4.2

When retrieving certificates, Disig ACME Server does not process Accept headers for the purpose of negotiating the content type (Content-Type) of the response.

Configuration Example (Certbot)

Following successful Pre-registration and obtaining your EAB keys, you can use the standard Certbot client on your Linux server to automatically obtain a certificate with a single command:

# --server: the ACME directory URL of the Provider's OV endpoint
# --eab-kid / --eab-hmac-key: the credentials issued to you after pre-registration
# -d: every domain name the certificate should cover
# --webroot -w: the document root from which the HTTP challenge token is served
certbot certonly --non-interactive --agree-tos \
    --server https://acme.vasaspolocnost.sk/v2/directory \
    --eab-kid "VAS_KID_KLUCOVY_IDENTIFIKATOR" \
    --eab-hmac-key "VAS_TAJNY_HMAC_KLUC" \
    -d www.vasadomena.sk -d vasadomena.sk --webroot -w /var/www/html

This command registers your machine, verifies control over the specified domains, and saves a valid OV TLS certificate directly to your system. A subsequent cron job or systemd timer ensures that verification and renewal run fully autonomously every 30 days.