Ready to talk ACME? We are!
Author: Chin Jien Lau and Joerg Dettmann, CTO
Our Versasec tech team recently announced our identity and access management solutions now support the Automatic Certificate Management Environment communications protocol (ACME). To ensure all is well, we have tested vSEC:CMS with several ACME clients. In this blog, I have interviewed our Chief Technology Officer, Joerg Dettmann, to discuss ACME and its benefits for Versasec customers.
Q: Please quickly define ACME for our readers who may not be familiar with the protocol.
A: As its name (Automatic Certificate Management Environment) implies, ACME is a great tool for cybersecurity as it removes many of the manual processes in verifying domain names for user access. Without the protocol and the automation it provides, some companies simply do not verify their domain names and lose that critical layer of security. While automating takes some initial effort, once it’s in place it saves a lot of time. While the manual method could take about 15 minutes per certificate, ACME’s automated method makes server and device certificate management easy...
The protocol was designed by the Internet Security Research Group (ISRG) for its public certificate authority (CA), Let’s Encrypt. It is now a published Internet Standard, RFC 8555, produced by an Internet Engineering Task Force (IETF) working group.
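As an added illustration (this is not Versasec code and not the vSEC:CMS implementation), the following Python shows the domain-verification step the answer refers to: the http-01 challenge from RFC 8555 section 8.3. The client proves control of a name by serving a key authorization derived from the CA's token and the thumbprint of its own account key (RFC 7638); the CA fetches that value and compares. Every key, token and web-root entry below is a constructed value, and the in-memory dictionary stands in for files under `/.well-known/acme-challenge/`.

```python
"""http-01 key authorization and validation, both sides, entirely offline.
Not Versasec's code; constructed account key and tokens only."""
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 8555 uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: only the required members for the key type,
    lexicographically ordered, no whitespace, then SHA-256 and base64url."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """What the client must publish: token "." thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    """URL path the CA fetches on the requested domain (RFC 8555 section 8.3)."""
    return f"/.well-known/acme-challenge/{token}"


def ca_validate_http01(served_body: str, token: str, account_jwk: dict) -> bool:
    """CA side: the served body must equal the key authorization for *this*
    account key. RFC 8555 lets the server ignore trailing whitespace only,
    so a body built with any other account key is rejected."""
    return served_body.rstrip() == key_authorization(token, account_jwk)


def run_http01_exchange(account_jwk: dict, web_root: dict) -> tuple:
    """Both sides of one challenge against an in-memory web root.
    Returns (validation_result, token)."""
    token = b64url(secrets.token_bytes(32))          # CA picks a random token
    path = challenge_path(token)
    web_root[path] = key_authorization(token, account_jwk)   # client publishes
    served = web_root.get(path, "")                  # CA "fetches" the path
    return ca_validate_http01(served, token, account_jwk), token


# Constructed account key: the modulus bytes are arbitrary, not a real RSA key.
CONSTRUCTED_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(bytes(range(1, 65))),
}

if __name__ == "__main__":
    root = {}
    ok, tok = run_http01_exchange(CONSTRUCTED_ACCOUNT_JWK, root)
    print("challenge path:", challenge_path(tok))
    print("served body   :", root[challenge_path(tok)])
    print("CA result     :", ok)
```

The point for a defender is in `ca_validate_http01`: the served value is bound to the ACME account key, so control of the web root alone does not let a different account complete the challenge, and the CA's token is random per challenge so a stale response cannot be replayed.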
Q: What are the overarching benefits in working with ACME for Versasec customers?
A: Our vSEC:CMS customers will gain many advantages by using ACME. Chief among them is that by automating and managing the interactions between ACME clients, such as web servers and other devices and certificate authorities (CAs), it becomes easier and more cost effective for those customers who are deploying public key infrastructure (PKI) to verify domain names.
By having everything on one unified platform, in which ACME certification happens through vSEC:CMS, we’ve made the process of certification and managing the user and web server and other device credentials even easier.
Q: Talk a little about some of the other key benefits for ACME users.
A: There are a variety of functional benefits that have our users excited. These include certificate revocation, complete automation for managing keys and certificates, improved processes that speed certificate requests for edge/IoT devices, easier traceability, and improved notifications and reporting.
We also can assure them they will find there are easier interactions between administrators and requesters, server-side alerts and monitoring, and more.
Q: Let’s explore the IoT angle a bit more here. Does this help Versasec provide easier management of user identities for connected and edge IoT devices?
A: By incorporating ACME with vSEC:CMS, we are providing a standardized interface and new possibilities for automating certificate management. We feel this process is a good initial step in opening the door for certificate management for other devices, such as edge devices.
Q: What did your engineering team have to do so vSEC:CMS would work with ACME?
A: We were happy to support this protocol because of the benefits we’ve already discussed here. After adding an additional ACME connector to vSEC:CMS so it could interact with the protocol, our team joined the connector with existing components and features within vSEC:CMS, including our existing CA connections, repositories, transaction logs, and operator role / permission management functions. Following that work, we then tested our ACME-compliant (RFC 8555) vSEC:CMS server with two of the major certification clients. The results showed us that Versasec clients implementing RFC 8555 should work very well with our ACME server. Here is a video we’ve created that demonstrates the use of the vSEC:CMS ACME implementation by having 3 different simulated IoT devices being issued PKI credentials.
Q: Which clients are supported?
A: We tested with two large and common clients: Certbot (https://certbot.eff.org/) and win-acme (https://www.win-acme.com/), so we could be assured vSEC:CMS with ACME would work well for other clients as well. We encourage our customers not using Certbot or win-acme to try the new support for ACME in vSEC:CMS. Any problems they might encounter likely can be fixed by us with a simple tweak, so customers should reach out to us for whatever help they need.
Q: For vSEC:CMS users specifically, how does adding ACME into the certificate management change things?
A: By adding ACME into our certificate management, we're providing powerful, flexible configuration, monitoring and management for ACME. Here are a few of the things having ACME helps us do:
- Offers email notifications to alert when administrator and/or operator server certificates are ready to expire or when certificates have not been renewed properly.
- Expands configuration benefits. For example, using the operator console, an administrator can configure ACME with a graphical user interface (GUI).
- Extends audit capabilities, so users may monitor or audit/trace the transaction log, approve account creation requests, verify and monitor orders processing progress and more. This benefit is especially important for larger organizations.
- Automation eliminates human errors and guarantees things are managed in the way they have been designed or configured. Working with vSEC:CMS makes this a natural extension of our product.
Q: What are your plans going forward with ACME?
A: Now that the addition of ACME is complete, we will await feedback from our customers. Their valuable input along with our planned roadmap helps us determine the top priorities for our next steps.
Q: How should readers of this blog get in touch with us if they are ready to talk ACME?
A: They can reach out to us here and click on the "Chat" option.