Prove you are not human -- Take the ACME Challenge

Mike Maxey

Use Acme for private PKI

At the core of automation is the removal of humans from the process. We are slow, lazy, temperamental, and generally distracted aspects of the system. Making humans more efficient or removing them from the process is what has propelled mankind through the ages and unlocked limitless innovation. In a previous post, I wrote about automating internet security with the Let’s Encrypt certificate authority and the massive acceleration of safe web browsing it has delivered. Today we are proud to announce smallstep is an official sponsor of Let’s Encrypt! As we roll out ACME protocol support and give away some free hoodies (see below), we want to thank Let’s Encrypt and the IETF for making it all possible.

Automated Certificate Management Environment (ACME) is a published internet standard, RFC 8555, chartered by the IETF working group. We love standards, but what’s particularly cool about ACME is that it was built to obtain certificates automatically, without any human intervention. Using ACME is a two-step process. First, an agent must prove it has control over the entity it is requesting a certificate for. Once control is established, step two lets the agent request and renew certificates on behalf of that entity using PKI fundamentals.


So how does an agent prove control? It uses one of the ACME Challenges, most commonly the HTTP challenge. It works something like this:

Agent: I would like a certificate for my smallstep.com website, here is my key.

Certificate Authority: Please prove you own that website by putting this random file in that random place.

Certificate Authority: Also please sign this cryptographic nonce to prove you own the key you presented.

Agent: Signs nonce, places file, and signals CA

Certificate Authority: Checks file location and verifies the signature; if both correct, proof of control is established.
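The "random file in that random place" step, as an added example (not smallstep's or step-ca's code): in RFC 8555's HTTP challenge the file body is the CA's token joined to an RFC 7638 thumbprint of the agent's account key, which is what ties the file to the key the agent presented. The JWK, the token and all function names below are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import re

WELL_KNOWN = "/.well-known/acme-challenge/"
# Members that go into the thumbprint for each key type (RFC 7638, section 3.2).
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

# Constructed sample values, not a real account key or CA-issued token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "c2FtcGxlLXgtY29vcmRpbmF0ZQ", "y": "c2FtcGxlLXktY29vcmRpbmF0ZQ"}
SAMPLE_TOKEN = "constructed-token_0123456789"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout JOSE and ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON of the required members only."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """What the agent writes into the challenge file: token '.' thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_path(token: str) -> str:
    """Tokens are base64url characters only; reject anything else before building a path."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
        raise ValueError("token contains characters outside the base64url alphabet")
    return WELL_KNOWN + token


def ca_accepts(body: str, token: str, jwk: dict) -> bool:
    """CA side: compare the fetched body (trailing whitespace ignored) in constant time."""
    expected = key_authorization(token, jwk).encode("ascii")
    return hmac.compare_digest(body.rstrip().encode("utf-8"), expected)


if __name__ == "__main__":
    print(challenge_path(SAMPLE_TOKEN), "->", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
```

A file copied from another account fails the check because the thumbprint no longer matches the requesting key.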

It’s a very smart approach to removing humans from the process while keeping proof of control in place. ACME also supports other challenges and the protocol is pluggable in that it can use future challenges not yet standardized. This is where things get interesting for use cases beyond web servers. Secure bootstrapping can be challenging in today’s world of distributed applications and devices (IoT anyone?). One path to solving this challenge could be a new ACME challenge combined with an automated certificate management solution. It’s early days but we are having very interesting conversations at the intersection of these two ideas and welcome your input.


With smallstep release v0.13.0 we now support the ACME protocol to get certificates from step-ca. This means you can run your own private ACME server to issue certificates to internal services and workloads. We also support existing ACME clients and libraries making step-ca quick to integrate into existing environments. There are a ton of ACME integrations (currently 152 listed) including:

  • Development language libraries and clients for Java, .NET, Ruby, Rust, PHP, Python…
  • Platform clients for Docker, Microsoft Azure, IBM OpenShift, nginx…
  • And a client for damn near anything else you will find inside enterprise environments.

Check out a few detailed examples and learn more about our technical implementation by reading Run your own private CA & ACME server using step-ca. As always, please reach out with any questions or feedback; we are here to help.


What you have just consumed is the latest issue of an ongoing series of Modern Security for Leaders posts. In each edition, I break down a complex security concept into a simple-to-understand format and highlight where it brings true business value.