"Secardeo certACME automates the time-consuming enrollment and renewal of server certificates in an organization and helps to avoid downtimes."

Avoid downtime and lower costs!

• Automatic certificate renewal prevents from outages due to expired certificates.
• Constantly decreasing lifetimes of server TLS certificates need frequent renewals.
• Each manual certificate renewal will cause internal costs.

Certificate enrollment secure & centralized.



• ACME challenge validation via HTTP, DNS, TLS ALPN.
• Apple Device Attestation and MDM Lookup for Intune.
• Whitelisting for DNS or device-IDs.
• ACME approval workflow.
• Validation of central crypto policies.
• External Account Binding & AD enroll permission.
• Certificate management in a central database.
• Auditable certificate management processes.

The lifetime of public TLS certificates is decreasing rapidly down to 47 days in March 2029 at latest. This makes automated certificate management urgently necessary. The unavailability of web servers due to expired certificates can result in massive financial losses. The ACME (Automatic Certificate Management Environment) protocol is used to automate interactions between certification authorities and IT systems. It was originally developed for the free CA service Let's Encrypt. It can be used to issue domain-validated DV certificates.

Secardeo certACME is a proxy for automatically enrolling certificates for servers, clients, or Apple devices using the ACME protocol from private or public CAs. All certificates are stored in the central TOPKI certificate database. This ensures complete control over the certificates and auditable certificate management processes.

Public web servers can, in principle, be connected directly to a public CA via ACME. However, this reduces IT management control and auditability. Connecting via certACME eliminates this problem and further increases security through approval processes, whitelisting, or external account binding. Organization-validated OV certificates can also be issued automatically within the framework of an MPKI contract.

Internal servers or Linux clients, for example, can be easily connected to an existing Microsoft CA (ADCS) or open source CAs such as EJBCA, OpenXPKI, or DogTag with certACME. The use of free CAs such as Let*s Encrypt or ZeroSSL is also possible for internal systems with certACME, as is connection to commercial CAs such as SwissSign, GlobalSign, or AWS.

Apple devices managed by an MDM system such as Intune can also be provided with device certificates via certACME. Apple Device Attestation is used for this purpose, and the device's Secure Enclave can be used for highly secure key pair generation. The device status is also checked by retrieving it from the MDM system or a whitelist. This achieves a significantly higher level of security than was possible using the old SCEP protocol.

certACME integrates seamlessly as a Microsoft IIS web application and acts as an ACME server for ACME clients. certACME uses local or AD certificate templates. It validates certificate requests using an HTTP, DNS, or TLS ALPN challenge and forwards the CSR to the connected public or private certification authority (CA), which can also include multiple CAs. Compliance with a defined crypto policy can be validated. Optionally, certACME extends a CSR with company attributes such as organization, country, and organizational unit. certACME stores all certificates in a local or central SQL database. certACME automatically sends configurable notifications to certificate managers and administrators.