Automated Certificate Management Environment (ACME)

It is strongly recommended that services utilize certificate automation via ACME where possible to avoid preventable service disruptions caused by expired SSL/TLS certificates.

Public-facing services available outside the campus network should use the public Let’s Encrypt service. Let’s Encrypt certificates are free to use and include robust automation via ACME as part of the service offering.

Internal applications and services can use the same protocol as Let’s Encrypt (ACME) to retrieve certificates from the existing InCommon/Sectigo service operated by Technology Services. Certificate renewals using ACME are automated and don’t require requests. A list of compatible ACME clients for various platforms is available in Let’s Encrypt’s documentation.

Warning

Due to the potential security risks it would pose to the organization, we will not be adding the wildcard *.tamu.edu domain to any ACME accounts. Accounts will only be granted access to subdomains under the requesting department's control.

Request an ACME Account

We will need the following information to process an ACME Account Request:

  • Technical Contact(s)
  • Technology Services Vertical (Security & Risk, Architecture & Engineering, etc.)
  • Which team within the vertical the account is for (if applicable)
  • Domain(s) the account will be used for

Upon processing your request, we will provide you with the endpoint URL, KeyID, and HMAC key for use in your ACME client.

It is crucial to keep these values private, as they enable access to issue certificates on your behalf. Treat them with the same care as application secrets and passwords: store them securely, restrict access, and do not share them with anyone other than the members of your team who require them.
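The KeyID and HMAC key are the inputs to ACME external account binding (RFC 8555, section 7.3.4), which the ACME client performs once when it registers its account key. The sketch below is an added example, not code from this page or from Technology Services; it shows how the two values are used and why possession of them is enough to bind an account key. The endpoint URL, KeyID, HMAC key and JWK are constructed placeholders, and the function names are hypothetical.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(hmac_key_b64: str, protected: str, payload: str) -> bytes:
    # JWS signing input is "<protected>.<payload>", both base64url-encoded.
    signing_input = f"{protected}.{payload}".encode("ascii")
    return hmac.new(b64url_decode(hmac_key_b64), signing_input, hashlib.sha256).digest()

def build_eab(account_jwk, key_id, hmac_key_b64, new_account_url):
    """Client side: inner JWS carrying the account public key, MACed with the HMAC key."""
    header = {"alg": "HS256", "kid": key_id, "url": new_account_url}
    protected = b64url(json.dumps(header).encode())
    payload = b64url(json.dumps(account_jwk, sort_keys=True).encode())
    return {"protected": protected, "payload": payload,
            "signature": b64url(_mac(hmac_key_b64, protected, payload))}

def verify_eab(eab, hmac_key_b64, outer_jwk):
    """CA side: the MAC must be valid and the bound key must be the one
    that signed the outer newAccount request."""
    expected = _mac(hmac_key_b64, eab["protected"], eab["payload"])
    mac_ok = hmac.compare_digest(expected, b64url_decode(eab["signature"]))
    return mac_ok and json.loads(b64url_decode(eab["payload"])) == outer_jwk

# Constructed sample values (assumptions, not real credentials or a real endpoint).
SAMPLE_URL = "https://acme.example.invalid/v2/newAccount"
SAMPLE_KEY_ID = "constructed-key-id-0001"
SAMPLE_HMAC_KEY = b64url(bytes(range(32)))
# Placeholder JWK fields standing in for the client's account public key.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(b"\x11" * 32), "y": b64url(b"\x22" * 32)}

if __name__ == "__main__":
    eab = build_eab(SAMPLE_JWK, SAMPLE_KEY_ID, SAMPLE_HMAC_KEY, SAMPLE_URL)
    print(json.dumps(eab, indent=2))
    print("verifies:", verify_eab(eab, SAMPLE_HMAC_KEY, SAMPLE_JWK))
```

The only secret in the exchange is the HMAC key, so keep it out of command-line arguments, shell history and shared repositories, and supply it to the ACME client from a file or secret store readable only by the service account.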

Submit an ACME Account Request

Note

For external domains (such as .com or .org domains), we will no longer validate and issue certificates for new entries. Existing validated external domains managed in the Texas A&M certificate service will be permitted to continue issuing certificates until their domain validation expires.