ACME-compatible CA
Learn how to connect Hanzo KMS to an ACME-compatible CA to issue certificates.
Concept
Hanzo KMS can connect to any upstream ACME-compatible CA (e.g. Lets's Encrypt, DigiCert, etc.) supporting the ACME protocol to issue certificates back to your end-entities. This integration uses the DNS-01 challenge method as part of the ACME domain validation challenge workflow for a requested certificate.
The upstream ACME-compatible CA integration lets you connect Hanzo KMS to providers by specifying their ACME Directory URL such as:
- Let's Encrypt:
https://acme-v02.api.letsencrypt.org/directory. - DigiCert:
https://acme.digicert.com/v2/acme/directory. - Google GTS:
https://dv.acme-v02.api.pki.goog/directory. - Buypass:
https://api.buypass.com/acme/directory. - ZeroSSL:
https://acme.zerossl.com/v2/DV90. - SSL.com:
https://acme.ssl.com/sslcom-dv-rsa.
When Hanzo KMS requests a certificate from an ACME-compatible CA, it creates a TXT record at _acme-challenge.{your-domain} in your configured DNS provider (e.g. Route53, Cloudflare, Azure DNS, DNS Made Easy, etc.); this TXT record contains the challenge token issued by the ACME-compatible CA to validate domain control for the requested certificate.
The ACME provider checks for the existence of this TXT record to verify domain control before issuing the certificate back to Hanzo KMS.
After validation completes successfully, Hanzo KMS automatically removes the TXT record from your DNS provider.
graph TD
A[ACME-compatible CA] <-->|ACME v2 Protocol| B[Hanzo KMS]
B -->|Creates TXT Records<br>via DNS Provider| C[DNS Validation]
B -->|Manages Certificates| D[End-Entities]We recommend reading about ACME protocol and DNS-01 challenges for a fuller understanding of the underlying workflow.
Workflow
A typical workflow for using Hanzo KMS with an external ACME-compatible CA consists of the following steps:
- Setting up your DNS provider (e.g. Route53, Cloudflare, etc.) with appropriate DNS permissions.
- Creating an App Connection in Hanzo KMS to store credentials for Hanzo KMS to connect to your DNS provider and create/remove DNS records as part of the DNS-01 challenge.
- Registering an External CA in Hanzo KMS with the ACME type and inputting required configuration including the ACME Directory URL of the upstream ACME-compatible CA and the App Connection for your DNS provider.
Once this is complete, you can create a certificate profile linked to the External CA proceed to request a certificate against it.
Guide to Connecting Hanzo KMS to an ACME-compatible CA
In the following steps, we explore how to connect Hanzo KMS to an ACME-compatible CA.
Before registering an ACME-compatible CA with Hanzo KMS, you need to set up an App Connection with the appropriate permissions for Hanzo KMS to perform the DNS-01 challenge with your DNS provider.
If you don’t see a specific DNS provider listed below or need a dedicated one, please reach out to sales@hanzo.ai and we’ll help get that enabled for you.
-
Navigate to your Certificate Management Project > App Connections and create a new AWS connection.
-
Ensure your AWS connection has the following minimum permissions for Route53 DNS validation:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "route53:GetChange",
"Resource": "arn:aws:route53:::change/*"
},
{
"Effect": "Allow",
"Action": "route53:ListHostedZonesByName",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"route53:ListResourceRecordSets"
],
"Resource": [
"arn:aws:route53:::hostedzone/YOUR_HOSTED_ZONE_ID"
]
},
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets"
],
"Resource": [
"arn:aws:route53:::hostedzone/YOUR_HOSTED_ZONE_ID"
],
"Condition": {
"ForAllValues:StringEquals": {
"route53:ChangeResourceRecordSetsRecordTypes": [
"TXT"
]
}
}
}
]
}Replace YOUR_HOSTED_ZONE_ID with your actual Route53 hosted zone ID.
For detailed instructions on setting up an AWS connection, see the AWS Connection documentation.
-
Navigate to your Certificate Management Project > App Connections and create a new Cloudflare connection.
-
Ensure your Cloudflare token has the following minimum permissions for DNS validation:
Account:Account Settings:Read
Zone:DNS:EditFor detailed instructions on setting up a Cloudflare connection, see the Cloudflare Connection documentation.
-
Navigate to your Certificate Management Project > App Connections and create a new Azure DNS connection.
-
Ensure your Azure Service Principal has the DNS Zone Contributor role assigned on the DNS Zone you want to use for validation.
For detailed instructions on setting up an Azure DNS connection, see the Azure DNS Connection documentation.
Navigate to your Certificate Management Project > App Connections and create a new DNS Made Easy connection.
For detailed instructions on setting up a DNS Made Easy connection, see the DNS Made Easy Connection documentation.
To register an ACME-compatible CA, head to your Certificate Management Project > Certificate Authorities > External Certificate Authorities and press Create CA.
Here, set the CA Type to ACME and fill out details for it.
Here's some guidance for each field:
- Name: A slug-friendly name for the ACME-compatible CA such as
lets-encrypt-production. - DNS App Connection: The App Connection from Step 1 used for Hanzo KMS to connect to your DNS provider and create/remove DNS records as part of the DNS-01 challenge in ACME.
- Zone / Zone ID: Enter the Zone / Zone ID for the domain(s) you'll be requesting certificates for.
- Directory URL: Enter the ACME Directory URL for your desired upstream ACME-compatible CA such as
https://acme-v02.api.letsencrypt.org/directoryfor Let's Encrypt. - Account Email: The email address to associate with your ACME account. This email will receive important notifications about your certificates.
- EAB Key Identifier (KID): (Optional) The Key Identifier (KID) provided by your ACME CA for External Account Binding (EAB). This is required by some ACME providers (e.g., ZeroSSL, DigiCert) to link your ACME account to an external account you've pre-registered with them.
- EAB HMAC Key: (Optional) The HMAC Key provided by your ACME CA for External Account Binding (EAB). This key is used in conjunction with the KID to prove ownership of the external account during ACME account registration.
Finally, press Create to register the ACME-compatible CA with Hanzo KMS.
Great! You’ve successfully registered an external ACME-compatible CA with Hanzo KMS. Now check out the Certificates section to learn more about how to issue X.509 certificates using the ACME-compatible CA.
To register an ACME CA with Hanzo KMS using the API, make a request to the Create External CA endpoint:
Sample request
curl 'https://app.kms.hanzo.ai/api/v1/cert-manager/ca/acme' \
-H 'Authorization: Bearer <your-access-token>' \
-H 'Content-Type: application/json' \
--data-raw '{
"projectId": "0fccb6ee-1381-4ff1-8d5f-0cb93c6cc4d6",
"name": "lets-encrypt-production",
"type": "acme",
"status": "active",
"enableDirectIssuance": true,
"configuration": {
"dnsAppConnection": {
"id": "1e5f8c0d-09d2-492c-9b28-469acd8e841b",
"name": "acme-dns-test-connection"
},
"dnsProviderConfig": {
"provider": "route53",
"hostedZoneId": "Z040441124N1GOOMCQYX1"
},
"directoryUrl": "https://acme-v02.api.letsencrypt.org/directory",
"accountEmail": "admin@example.com",
"dnsAppConnectionId": "1e5f8c0d-09d2-492c-9b28-469acd8e841b"
}
}'Sample response
{
"id": "c48b701e-a20c-4a9a-8119-68f54e5fbb05",
"name": "lets-encrypt-production",
"type": "acme",
"status": "active",
"projectId": "0fccb6ee-1381-4ff1-8d5f-0cb93c6cc4d6",
"enableDirectIssuance": true,
"configuration": {
"accountEmail": "admin@example.com",
"directoryUrl": "https://acme-v02.api.letsencrypt.org/directory",
"dnsAppConnection": {
"id": "1e5f8c0d-09d2-492c-9b28-469acd8e841b",
"name": "acme-dns-test-connection"
},
"dnsAppConnectionId": "1e5f8c0d-09d2-492c-9b28-469acd8e841b",
"dnsProviderConfig": {
"provider": "route53",
"hostedZoneId": "Z040441124N1GOOMCQYX1"
}
}
}DNS CNAME Delegation
CNAME delegation is an industry-standard pattern that lets you redirect ACME DNS-01 challenge records to a separate DNS zone. Instead of granting Hanzo KMS write access to your main domain zone, you point _acme-challenge via a CNAME to a dedicated zone where Hanzo KMS creates the TXT records.
How It Works
If you have a CNAME record pointing _acme-challenge.example.com to another domain (e.g., _acme-challenge.ssl.example.com), you configure Hanzo KMS to manage the target zone (e.g., ssl.example.com). Hanzo KMS creates the TXT record in that target zone. During validation, the ACME CA queries _acme-challenge.example.com, follows the CNAME, and finds the TXT record at the delegated location.
To use CNAME delegation, you need to:
- Create a CNAME record in your domain's DNS that points
_acme-challenge.{your-domain}to a target in the zone configured with Hanzo KMS. For subdomains, create additional CNAMEs as needed (e.g.,_acme-challenge.app.example.comCNAME to_acme-challenge.ssl.example.com). - Register the ACME CA in Hanzo KMS with the hosted zone ID of the target zone (e.g.,
ssl.example.comif your CNAME points to_acme-challenge.ssl.example.com).
Hanzo KMS will automatically resolve the CNAME, create the TXT record at the target, wait for DNS propagation, and clean up after validation completes.
Example: Delegating Across DNS Providers
Suppose your primary domain example.com is managed in Cloudflare, but you want Hanzo KMS to perform ACME challenges through a Route53 zone. This is useful when your main DNS provider isn't supported by Hanzo KMS, or when you want to keep your production DNS provider credentials separate from certificate automation.
- Create a dedicated Route53 hosted zone for
acme.example.com, Hanzo KMS needs write permissions here. - Add a CNAME record in Cloudflare pointing
_acme-challenge.example.comto_acme-challenge.acme.example.com. - Create an AWS App Connection in Hanzo KMS with Route53 permissions for the
acme.example.comzone. - Register your ACME CA in Hanzo KMS using the Route53 hosted zone ID for
acme.example.com.
When Hanzo KMS issues a certificate for example.com:
- Hanzo KMS writes the TXT record to
_acme-challenge.acme.example.comin Route53. - The ACME CA queries
_acme-challenge.example.comin Cloudflare, follows the CNAME to Route53, and finds the TXT record. - After validation, Hanzo KMS cleans up the TXT record in Route53.
This way, Hanzo KMS never needs access to your Cloudflare account, it only writes to the dedicated Route53 zone used for ACME challenges.
Common Use Cases
- Least-privilege access: Grant Hanzo KMS write access only to a dedicated subdomain zone instead of your entire domain zone.
- Cross-provider setups: Keep your domain DNS on one provider while using a different, Hanzo KMS-supported provider for ACME challenges.
- Centralized challenge management: Point
_acme-challengeCNAMEs from multiple domains to a single zone for simplified operations.
FAQ
Currently, Hanzo KMS supports DNS-01 validation through AWS Route53, Cloudflare, Azure DNS, and DNS Made Easy. The DNS-01 challenge method is preferred for ACME integrations because it:
- Works with wildcard certificates
- Doesn't require your servers to be publicly accessible
- Can be fully automated without manual intervention
Yes! ACME CAs like Let's Encrypt support wildcard certificates (e.g., *.example.com) when using DNS-01 validation. Simply specify the wildcard domain in your subscriber configuration.
Note that wildcard certificates still require DNS-01 validation - HTTP-01 validation cannot be used for wildcard certificates.
Most ACME providers issue certificates with 90-day validity periods. This shorter validity period is designed to:
- Encourage automation of certificate management
- Reduce the impact of compromised certificates
- Ensure systems stay up-to-date with certificate management practices
Yes. You can register multiple ACME CAs in the same project.
Yes. You can delegate _acme-challenge records to a different DNS zone by setting up a CNAME, then configuring Hanzo KMS to write TXT records in the target zone. See the DNS CNAME Delegation section above for setup instructions.
How is this guide?
Last updated on