ACME to enable Zero Trust for Enterprises

Certificate automation… could that really be secure, and is it beneficial for your organisation? The ACME protocol, published as RFC 8555 in March 2019, succeeds where SCEP never really did: instead of relying on a shared enrolment secret, the client must prove control of each requested name (through an HTTP or DNS challenge) before the CA issues, and the same protocol then covers renewal and revocation. ACME takes all the steps that a good administrator should take and ensures that they are carried out in a fully automated manner.

Being a forerunner and a trusted advisor in the identity space, we at Nexus see it as our job to make it easy and secure to issue and manage the lifecycle of identities far beyond the Windows domain. We are talking about certificate automation for any other type of connected device. Many new devices, such as printers and NAS storage devices, already ship with ACME support. The automation ACME brought to distributing server certificates changed the game for universal encryption on the Internet, and the protocol is supported by many clients, many of them open source.

Enabling ACME in our Smart ID offering lets our Enterprise customers issue and manage identities (certificates) for their servers and devices automatically, instantly and without any human intervention.

Automation is crucial to keep critical services up and running

As we see a clear movement toward Zero Trust environments, it is key that printers, servers, conference systems and every other device on the network receive a certificate-based identity, so that security can be switched on by default.

Many critical services and servers are already equipped with certificates that prove their identity securely, but they still lack the automation needed to, for example, renew a certificate before it expires or revoke one when needed. Every day, critical services stop for the simple reason that a certificate has expired and its renewal depended on a manual process.

Some of our customers and prospects estimate the certificate management time for a web server at about 30 minutes per initial issuance or renewal when using manual processes: key-pair generation (often without PKI skills), requesting the certificate in an ITSM tool, validation, correction of erroneous attributes in the CSR, production, delivery and installation on the target. ACME considerably reduces this delay.

When we speak with our global Enterprise accounts and plan the deployment of ACME in their production environments, we find a few common drivers:

  • Full automation of key and certificate management.
  • Server-side monitoring and alerting.
  • A governance-friendly process for requesting certificates for edge devices, printers, etc.
  • Streamlined interaction between requesters and administrators.
  • Freedom to use an arbitrary ACME client against private or publicly trusted CAs.
  • Hosting as SaaS or on-premises, depending on needs.
  • Audit-friendly reporting to assure compliance and support incident management.

Put simply, ACME lets you automate the whole identity lifecycle. It all boils down to automation, and that is the big change ACME brings to the PKI world. Enabling servers, devices and infrastructure software to obtain certificates without user interaction brings great security value to the organisation and at the same time radically simplifies the deployment of HTTPS and PKIX authentication. Because the clients are configured with nothing more than the CA's ACME directory URL, ACME also makes putting a backup CA in place an easy exercise.
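Obtaining a certificate without user interaction is only safe because the client must first prove control of each name. The following is an added example (written for this page, not code from Nexus or from the original post) of the arithmetic behind that proof: the client derives the challenge response from the CA-issued token and the RFC 7638 thumbprint of its account key, and the CA recomputes the same value before issuing. The account key is a constructed placeholder JWK, not a real curve point, and the token is constructed too.

```python
"""ACME challenge responses, client side and CA side (RFC 8555 section 8.1, RFC 7638).

Added example, not code from the page or from Nexus. ACCOUNT_JWK is a
constructed P-256 JWK whose coordinates are placeholder bytes, not a real key;
thumbprint and key-authorization arithmetic only needs the public members.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed account key. The CA binds every challenge to the account key, so a
# valid response can only come from the account that was issued the token.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),       # placeholder coordinate
    "y": b64url(bytes(range(32, 64))),   # placeholder coordinate
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the REQUIRED public members
    only, keys sorted lexicographically, no whitespace. Private members such as
    "d" and optional ones such as "kid" or "alg" must not be included."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Client side: <token>.<thumbprint of the account key> (RFC 8555 8.1).
    The token is taken from the CA's challenge object; the client never chooses it."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_body(token: str, account_jwk: dict) -> str:
    """Body to serve at http://<name>/.well-known/acme-challenge/<token>."""
    return key_authorization(token, account_jwk)


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT record for _acme-challenge.<name>: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def ca_verify_http01(served_body: str, token: str, account_jwk: dict) -> bool:
    """CA side: recompute the expected key authorization from the account key on
    file and compare it, in constant time, with what the web server served.
    A response built with a different account key fails even if the token matches."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return hmac.compare_digest(served_body.strip().encode("ascii", "replace"), expected)


def ca_verify_dns01(txt_record: str, token: str, account_jwk: dict) -> bool:
    """CA side for dns-01: compare the TXT value seen in DNS with the expected digest."""
    expected = dns01_txt_value(token, account_jwk).encode("ascii")
    return hmac.compare_digest(txt_record.strip().encode("ascii", "replace"), expected)


if __name__ == "__main__":
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # constructed sample token
    print("http-01 body :", http01_body(token, ACCOUNT_JWK))
    print("dns-01 TXT   :", dns01_txt_value(token, ACCOUNT_JWK))
```

The thumbprint is what turns a public token into an account-bound secret: an attacker who can read the token from the CA's challenge URL still cannot answer it without the account's private key, which is why the client must keep its account key as carefully as the TLS keys it later provisions.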

Manage the life cycle with Nexus Smart ID

When it comes to the Nexus Smart ID solution, ACME adds great value. Many of our Enterprise customers are now planning to activate the ACME support both in our Certificate Manager as well as in our Credential Management solution.

We have implemented ACME in the same way as certificate enrolment in our other protocols. The solution can be configured either to allow any requesting client to create an ACME account, or to require pre-registration. When pre-registration is required, each registration can also carry a list of domain names the account is allowed to request certificates for (e.g. example.com and subnet.company.com).
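What such a per-account allow-list has to guard against is easy to get wrong, so here is an added example of the check (my own illustration, not Nexus Smart ID code; the exact matching rules Smart ID applies are not described on this page). The semantics assumed here: an account may order a name that is exactly in its list or any subdomain of a listed name, wildcard names must be listed explicitly, and only `dns` identifiers are accepted. The order and allow-list in the test are constructed.

```python
"""Identifier policy for pre-registered ACME accounts.

Added example, not Nexus Smart ID code. Assumed semantics: exact match or
label-aligned subdomain of an allow-listed name; wildcard names only by exact
listing; identifier types other than "dns" are rejected.
"""


def _labels(name: str) -> list:
    """Normalise a DNS name for comparison: strip, lowercase, drop trailing dot, split."""
    return name.strip().lower().rstrip(".").split(".")


def name_allowed(name: str, allowed: list) -> bool:
    """True if `name` may be ordered under the account's allow-list."""
    want = _labels(name)
    if "" in want:                       # empty label: malformed name
        return False
    for entry in allowed:
        have = _labels(entry)
        if "" in have:
            continue                     # ignore malformed allow-list entries
        if want == have:
            return True
        if want[0] == "*":               # wildcard: exact listing only, never via suffix
            continue
        # Label-aligned suffix match: host.example.com is under example.com,
        # but notexample.com is NOT, which a plain str.endswith() would accept.
        if len(want) > len(have) and want[-len(have):] == have:
            return True
    return False


def order_allowed(identifiers: list, allowed: list):
    """Check every identifier of an ACME newOrder request (RFC 8555 7.4) against the
    allow-list. Returns (ok, rejected) where rejected lists "type:value" strings, so a
    server can answer with a rejectedIdentifier error naming each offending entry."""
    rejected = []
    for ident in identifiers:
        ident_type = ident.get("type")
        value = str(ident.get("value", ""))
        if ident_type != "dns" or not name_allowed(value, allowed):
            rejected.append(f"{ident_type}:{value}")
    return (not rejected, rejected)


if __name__ == "__main__":
    allow = ["example.com", "subnet.company.com"]          # constructed pre-registration
    order = [{"type": "dns", "value": "www.example.com"},   # constructed newOrder payload
             {"type": "dns", "value": "notexample.com"}]
    print(order_allowed(order, allow))
```

The rejection of `notexample.com` is the point of the label-aligned comparison; an allow-list implemented with a bare suffix test quietly extends every pre-registration to any name that happens to end in the same characters.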

In our Credential Management solution, ACME is used for account handling and lifecycle management; managing account registrations and administration is straightforward there.

It is also worth mentioning that our ACME solution can have certificates issued by a (public) third-party CA such as D-Trust or QuoVadis.

Learn more about our Smart ID offer, including the specific technical details of our ACME implementation, here.

If you want to discuss with our experts, send us a message here.


Published 17/9 2019
