Frequently Asked Questions

Does the GlobalSign ACME service support sub-domains? 

Yes, using the DNS or EMAIL validation methods, the GlobalSign ACME server will issue certificates for subdomains. If you request a certificate for a subdomain, and the parent domain has already been verified through a separate certificate request, then the subdomain certificate will be issued without having to provide domain authorization for the subdomain.

The DNS validation method can be used directly through your ACME client. You may also validate the parent domain in the Atlas portal using the DNS or EMAIL validation method; the domain claim created as a result will be honored by our ACME server. 

Note that www.example.com is a subdomain of example.com and requires its own SAN entry but not its own validation if you have already verified example.com.

Does the GlobalSign ACME service support wildcard certificates? 

Yes, using the DNS or EMAIL validation methods, the GlobalSign ACME server will issue certificates for wildcards. 

The DNS validation method can be used directly through your ACME client. You may also validate the parent domain in the Atlas portal using the DNS or EMAIL validation methods; the domain claim created as a result will be honored by our ACME server.

How long does my domain remain validated?

Once you validate a domain, you may continue to issue certificates with that SAN for up to 398 days. Note that this period may change due to CA/Browser Forum requirements at any time.

What ACME clients work with the GlobalSign ACME service?

We have confirmed that the following ACME clients work seamlessly with the GlobalSign ACME service with little to no client configuration changes.

ACME Client   Supported Platform   URL
Certbot   Linux, macOS, BSD   https://certbot.eff.org
win-acme   Windows   https://www.win-acme.com
simple-acme   Windows   https://simple-acme.com/
dehydrated   Linux   https://dehydrated.io
Certify The Web   Windows   https://certifytheweb.com/
acme.sh   Linux, macOS, Windows, BSD   https://github.com/acmesh-official/acme.sh
Lego   Linux   https://go-acme.github.io/lego/

What is the MAC key?

The MAC key is a shared secret between your ACME client and the GlobalSign ACME server, which permits you to bind your specific ACME client public key to your Atlas account (more precisely, to your API credential within your Atlas account). This action is called External Account Binding (EAB). The MAC key is only used for this purpose; it is not required for other ACME client requests.

When you generate a MAC key through the Atlas portal, copy and paste it somewhere secure. This will be your only opportunity to do this as we do not store the key and you will not be able to view your MAC key again in the Atlas portal.

To reduce the risk of MAC key compromise or abuse, each MAC key can be used for a maximum of 30 days or up to 1000 times. The validity and remaining uses are shown on the API credential card in the Atlas portal. 

In the event that the MAC key is inadvertently disclosed or compromised, or it expires or has been used the maximum number of times, you can generate a new MAC key through the Atlas portal. This will overwrite the original MAC key, but any ACME clients that used the original MAC key will continue to make requests as normal. If the original MAC key is compromised, you may want to consider redoing EAB with a new MAC key for any ACME clients that used the original one.

If you need to disable an affected client, you will need to get a new API key and MAC key from the Atlas portal, re-bind the ACME client with the new credentials, and then revoke the original credentials in the Atlas portal.
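
The binding step described above, as an added example (not GlobalSign's code): it builds the External Account Binding object defined in RFC 8555 section 7.3.4 and checks it the way a server would, showing that the MAC covers one specific account public key. The key identifier, MAC key, account keys and URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(mac_key_b64: str, protected: str, payload: str) -> bytes:
    # HS256 over "<protected>.<payload>", keyed with the decoded MAC key.
    signing_input = f"{protected}.{payload}".encode("ascii")
    return hmac.new(b64url_decode(mac_key_b64), signing_input, hashlib.sha256).digest()

def build_eab(account_jwk, kid, mac_key_b64, new_account_url):
    """Client side: inner JWS placed in the newAccount 'externalAccountBinding' field."""
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url(json.dumps(header).encode())
    payload = b64url(json.dumps(account_jwk).encode())  # the ACME account public key
    return {"protected": protected, "payload": payload,
            "signature": b64url(_mac(mac_key_b64, protected, payload))}

def verify_eab(eab, mac_key_b64, outer_jwk, expected_url):
    """Server side: the MAC must verify and must cover the key that signed the outer request."""
    try:
        header = json.loads(b64url_decode(eab["protected"]))
        bound_jwk = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, ValueError):
        return False
    if header.get("alg") != "HS256" or header.get("url") != expected_url:
        return False
    expected = _mac(mac_key_b64, eab["protected"], eab["payload"])
    return hmac.compare_digest(expected, signature) and bound_jwk == outer_jwk

# Constructed sample values (placeholders, not real credentials, keys or endpoints).
KID = "example-key-id"
MAC_KEY = b64url(b"constructed-demo-mac-key-32bytes")
NEW_ACCOUNT_URL = "https://acme.example.test/new-account"
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x03" * 32), "y": b64url(b"\x04" * 32)}

if __name__ == "__main__":
    eab = build_eab(ACCOUNT_JWK, KID, MAC_KEY, NEW_ACCOUNT_URL)
    print(verify_eab(eab, MAC_KEY, ACCOUNT_JWK, NEW_ACCOUNT_URL))  # bound key accepted
    print(verify_eab(eab, MAC_KEY, OTHER_JWK, NEW_ACCOUNT_URL))    # different key rejected
```

After this exchange the client signs its requests with the account key alone, so replacing the MAC key in the portal does not by itself affect a client that is already bound.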

What domain validation methods are supported?

The HTTP domain validation method (http-01) and DNS validation method (dns-01) are currently supported.

How can I best view and manage the certificates I’m issuing with my ACME client?

ACME is designed to automatically renew and deploy public trust TLS certificates, which is especially important as validity periods for public trust TLS certificates get shorter. You can accomplish all basic lifecycle management functions directly from your ACME client.

You can also use the GlobalSign Atlas portal to view and manage the certificates you have issued and domains that have been validated via ACME. In this way, Atlas provides centralized management of your certificates and domains, as well as ACME credentials and other important account details.

Troubleshooting

I misplaced my API credentials. What do I do?

You can retrieve your API key from the Atlas portal by navigating to Access Credentials > API Credentials and then locating your API key in a credential card. We do not store MAC keys, so if yours has been lost, you will need to request a new one in the Atlas portal.

I get an error when I try to issue a certificate or validate a domain. What do I do?

Please contact GlobalSign Support and include any error messages you’re receiving and the debug log so we can help resolve the issue.

I got an error about the CSR in my certificate request. What do I do?

GlobalSign will only accept CSRs signed with SHA-256 as the minimum signature algorithm. If you encounter an error when requesting a certificate that seems to indicate a problem with the signature algorithm, you may need to modify the ACME client config files to specify a SHA-256 signature algorithm, or generate your own CSR and instruct the client to use that instead.