Step 2: Install and Configure ACME Client

After creating your ACME Directory URL, the next step is to install and configure a third-party ACME client. The ACME client will use your credentials to securely connect to the ACME server to automate certificate issuance and renewal.


Choosing an ACME Client

Select an ACME client that supports the ACMEv2 protocol. A few popular clients include:

  • Certbot — For Linux and Unix systems
  • win-acme — For Windows environments
  • acme.sh — A lightweight shell script for Unix/Linux systems

Tip: Make sure the ACME client you choose supports External Account Binding (EAB), which is required to authenticate.


Install the ACME Client

Follow the installation instructions specific to your selected ACME client. Here are general examples:

Certbot (Linux/Ubuntu):

sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

win-acme (Windows):

  1. Download the latest .zip package from the win-acme releases page.
  2. Extract the files and run the executable.

For detailed instructions, refer to your ACME client’s official documentation.


Configure the ACME Client with Credentials

After installing your ACME client, configure it to use the credentials provided when you created your ACME Directory URL:

  1. Set the ACME Directory URL as the server endpoint (e.g., https://one.digicert.com/mpki/api/v1/acme/v2/directory).
  2. Provide your EAB Key ID and EAB HMAC Key during client account setup.

Tip: Some ACME clients require special flags or configuration files to pass EAB credentials. Always refer to your client’s specific setup guide.


Example: Configuring Certbot

Example Certbot command to request a certificate using EAB credentials:

certbot certonly \
  --server https://one.digicert.com/mpki/api/v1/acme/v2/directory \
  --eab-kid YOUR_EAB_KEY_ID \
  --eab-hmac-key YOUR_EAB_HMAC_KEY \
  -d yourdomain.com

Replace the --server URL, YOUR_EAB_KEY_ID, YOUR_EAB_HMAC_KEY, and yourdomain.com with your actual values.

Note: This is a basic example that only obtains the certificate (certonly). You’ll need additional parameters based on your specific setup:

  • The type of web server you’re using (e.g., Apache, Nginx)
  • Your preferred domain validation method (DNS or HTTP)
  • Any specific installation requirements for your environment

For complete configuration options, refer to the Certbot documentation.


Next Step

Step 3: Request and Manage ACME certificates »
