SSL automation at RTR

SSL automation at RTR: ACME subscriptions vs DigiCert AuthKey

This article explains the two SSL lifecycle methods available via RTR, how each method is initialized and set up, and where responsibility sits for renewals and reissues.

For the complete API reference, use the RTR API documentation portal: https://dm.realtimeregister.com/docs/api/


Overview: what’s available

ACME subscriptions (Sectigo — DV + OV)

ACME subscriptions provide automated certificate issuance, validation, and lifecycle management via the ACME protocol. A subscription is created for specific domain name(s). Whoever operates the ACME client can obtain certificates for those domains during the subscription period.

Currently supported:

  • Sectigo DV
  • Sectigo OV

Other brands are not yet available; work is in progress with the provider.

DigiCert AuthKey (available now)

DigiCert is currently available via AuthKey. This method is not ACME-based. Lifecycle actions such as renewals and reissues are initiated through RTR’s SSL lifecycle endpoints.

DigiCert ACME is planned later.


Comparison

Topic                        | ACME subscriptions (Sectigo)                                  | DigiCert AuthKey
-----------------------------|---------------------------------------------------------------|--------------------------
Automation                   | Automated via ACME client                                     | Not ACME-based
Setup required               | ACME subscription + ACME account registration in a client     | SSL lifecycle API usage
Who requests certificates    | ACME client operator                                          | Customer-initiated via API
Renew/reissue responsibility | ACME client operator                                          | Customer-initiated via API
Current availability         | Sectigo DV + OV                                               | Available now

Enterprise automation options (recommended patterns)

ACME subscriptions are designed for automation, but the automation is executed by the ACME client operator. For larger environments, common setup patterns include:

  • Centralized ACME operator model: one platform/team runs the ACME client and issues certificates for multiple systems.
  • Distributed model: each environment/application team runs its own ACME client.
  • Automation pipelines: integrate ACME issuance into deployment workflows (e.g., configuration management, CI/CD).
  • Handover model for resellers: create the subscription, then securely hand credentials to the end customer who runs the ACME client.

ACME subscriptions (Sectigo) — initialization and setup

Step 1 — Create an ACME subscription

Create the subscription and securely store the returned ACME account bindings.

API docs: ACME Subscriptions

Example request

POST /v2/ssl/acme
Content-Type: application/json

{
  "customer": "your_customer_handle",
  "product": "your_acme_product",
  "domainNames": ["example.com", "www.example.com"],
  "period": 12,
  "autoRenew": true
}

Notes: customer, product, and period are required fields in the create request schema.

Step 2 — OV validation (when applicable)

For OV subscriptions, an organization validation process may start when needed.

  • Status becomes PENDING_ORGANIZATION_VALIDATION
  • Progress can be monitored using the info process call
  • Certificates cannot be requested until validation is completed

Step 3 — Provide ACME credentials to the ACME client operator

The subscription creation returns values required to register an ACME account in an ACME client. Provide these values to whoever operates the ACME client. Treat these credentials as secrets.

Step 4 — Register the ACME account in the ACME client

Use the ACME client vendor documentation for exact flags/parameters.

Example (Certbot registration)

certbot register \
  --server <ACME_DIRECTORY_URL> \
  --eab-kid <EAB_KID> \
  --eab-hmac-key <EAB_HMAC_KEY>

Step 5 — Request certificates for subscribed domain(s)

Once account registration is complete, request certificates for the domain name(s) included in the subscription using the ACME client.

Important:

  • Issuance and lifecycle automation happens through the ACME client.
  • Renewal/reissue responsibility sits with the ACME client operator.

ACME lifecycle and statuses

Subscription period and expiry

  • Subscriptions are pre-paid and valid until expiryDate.
  • On expiry: subscription is either SUSPENDED or automatically renewed for the configured period.
  • When SUSPENDED: still renewable.
  • 30 days after expiry: REVOKED (no longer renewable).
  • Subscriptions deleted within 30 days of creation are refunded automatically.

OV validation refresh

  • New organization validations start automatically 30 days before current org validation expires.
  • If not completed in time: status becomes PENDING_ORGANIZATION_VALIDATION and certificate requests are blocked until completed again.

Status values

  • ACTIVE
  • SUSPENDED
  • REVOKED
  • PENDING_ORGANIZATION_VALIDATION
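The lifecycle rules above (expiry, the 30-day suspension window before revocation, autoRenew, and the OV refresh that starts 30 days ahead) as a small Python model an operator can use to predict a subscription's status and plan renewals. This is an added illustration, not RTR code and not an RTR API call: the `AcmeSubscription` field names and the `ov_validation_completed` flag are assumptions, and all dates are constructed.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Status values listed in this article
ACTIVE, SUSPENDED, REVOKED = "ACTIVE", "SUSPENDED", "REVOKED"
PENDING_OV = "PENDING_ORGANIZATION_VALIDATION"
REVOKE_AFTER_DAYS = 30     # SUSPENDED becomes REVOKED 30 days after expiry
OV_REFRESH_LEAD_DAYS = 30  # a new org validation starts 30 days before the current one expires

@dataclass
class AcmeSubscription:
    # Field names are assumptions for this illustration, not the RTR API schema
    expiry_date: date
    period_months: int
    auto_renew: bool
    ov_validation_expiry: Optional[date] = None  # None for DV subscriptions
    ov_validation_completed: bool = True         # has the refreshed OV round finished?

def add_months(d: date, months: int) -> date:
    """Advance a date by whole months, clamping the day to the target month's length."""
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    return d.replace(year=year, month=month, day=min(d.day, calendar.monthrange(year, month)[1]))

def ov_refresh_start(sub: AcmeSubscription) -> Optional[date]:
    """Date on which the next organization validation starts automatically (OV only)."""
    if sub.ov_validation_expiry is None:
        return None
    return sub.ov_validation_expiry - timedelta(days=OV_REFRESH_LEAD_DAYS)

def project_status(sub: AcmeSubscription, today: date) -> tuple:
    """Return (status, effective expiryDate) that the article's lifecycle rules predict for today."""
    expiry = sub.expiry_date
    if today >= expiry and not sub.auto_renew:
        # Suspended first; revoked (no longer renewable) 30 days after expiry
        if today >= expiry + timedelta(days=REVOKE_AFTER_DAYS):
            return REVOKED, expiry
        return SUSPENDED, expiry
    while today >= expiry:  # autoRenew: renewed for the configured period
        expiry = add_months(expiry, sub.period_months)
    if (sub.ov_validation_expiry is not None and not sub.ov_validation_completed
            and today >= sub.ov_validation_expiry):
        return PENDING_OV, expiry  # certificate requests are blocked until validation completes
    return ACTIVE, expiry

def allowed_actions(status: str) -> dict:
    """What the operator may do in each status: issue certificates, or renew the subscription."""
    return {"request_certificates": status == ACTIVE, "renew_subscription": status != REVOKED}
```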

Recovering ACME credentials (if lost)

API docs: ACME Subscriptions

Example request

POST /v2/ssl/acme/{acmeSubscriptionId}/credentials

No request body is required.

Notes:

  • For Sectigo, existing credentials are returned.
  • For other brands, new credentials are created and old invalidated (when those brands become available).

DigiCert AuthKey — initialization and setup

DigiCert AuthKey is not ACME-based. Certificate lifecycle actions such as renewals and reissues are initiated via RTR’s SSL lifecycle endpoints.

Request a certificate (example payload)

API docs: Request certificate

POST /v2/ssl/certificates
Content-Type: application/json

{
  "customer": "your_customer_handle",
  "product": "your_digicert_product",
  "period": 12,
  "csr": "-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----",
  "language": "EN"
}

Renew a certificate (example payload)

API docs: Renew certificate

POST /v2/ssl/certificates/{certificateId}/renew
Content-Type: application/json

{
  "period": 12,
  "csr": "-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----",
  "language": "EN"
}

Reissue a certificate (example payload)

API docs: Reissue certificate

POST /v2/ssl/certificates/{certificateId}/reissue
Content-Type: application/json

{
  "csr": "-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----",
  "language": "EN"
}
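An added Python helper (not part of RTR's API or any RTR client library) that assembles the three AuthKey payloads shown above, checks that each endpoint gets the fields it needs, and refuses a csr value that is not a PEM-encoded certificate request, which catches the common mistake of pasting a certificate or a private key into the csr field. The function and parameter names are assumptions; the SAMPLE_CSR body is a constructed placeholder, not a real request.

```python
import base64
import json
import re

PEM_CSR = re.compile(
    r"-----BEGIN CERTIFICATE REQUEST-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE REQUEST-----"
)

def looks_like_csr_pem(csr: str) -> bool:
    """Accept only a PEM 'CERTIFICATE REQUEST' whose body is valid base64 of a DER SEQUENCE.
    A pasted certificate or key fails here rather than at the CA."""
    m = PEM_CSR.fullmatch(csr.strip())
    if not m:
        return False
    try:
        der = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) > 2 and der[0] == 0x30  # DER SEQUENCE tag that opens a PKCS#10 request

def build_lifecycle_request(action, csr, *, customer=None, product=None,
                            period=None, certificate_id=None, language="EN"):
    """Return (path, body) for the request / renew / reissue endpoints shown in this article."""
    if not looks_like_csr_pem(csr):
        raise ValueError("csr must be a PEM-encoded CERTIFICATE REQUEST")
    if action == "request":
        if not (customer and product and period):
            raise ValueError("request needs customer, product and period")
        return "/v2/ssl/certificates", {"customer": customer, "product": product,
                                        "period": period, "csr": csr, "language": language}
    if not certificate_id:
        raise ValueError("renew and reissue need the certificateId of the existing certificate")
    if action == "renew":
        if not period:
            raise ValueError("renew needs a period")
        return (f"/v2/ssl/certificates/{certificate_id}/renew",
                {"period": period, "csr": csr, "language": language})
    if action == "reissue":
        return f"/v2/ssl/certificates/{certificate_id}/reissue", {"csr": csr, "language": language}
    raise ValueError(f"unknown action {action!r}")

def to_json(body: dict) -> str:
    """Serialise for Content-Type: application/json; PEM newlines become the \\n seen above."""
    return json.dumps(body)

# Constructed placeholder: base64 of a tiny DER SEQUENCE (30 03 02 01 00), not a real CSR
SAMPLE_CSR = "-----BEGIN CERTIFICATE REQUEST-----\nMAMCAQA=\n-----END CERTIFICATE REQUEST-----"
```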

Responsibilities (customer-only)

Activity                      | ACME subscriptions (Sectigo DV + OV)                                              | DigiCert AuthKey
------------------------------|-----------------------------------------------------------------------------------|--------------------------------------------------------------------
Create / manage               | Create and manage ACME subscriptions                                              | Initiate certificate requests via SSL lifecycle endpoints
Store secrets / key data      | Store ACME account bindings/credentials securely                                  | Track certificate IDs and related request data securely
Tooling setup                 | Configure an ACME client (or provide credentials to the ACME client operator)     | No ACME client setup
Initial enablement            | Register an ACME account in the ACME client using the provided values             | Submit certificate requests via POST /v2/ssl/certificates
Issue certificates            | Request via ACME client for subscribed domains                                    | Request via SSL endpoint
Renew certificates            | Handled by the ACME client operator via the ACME client                           | Initiated via POST /v2/ssl/certificates/{certificateId}/renew
Reissue certificates          | Handled by the ACME client operator via the ACME client                           | Initiated via POST /v2/ssl/certificates/{certificateId}/reissue
OV validation blocking        | Monitor and complete validation when status is PENDING_ORGANIZATION_VALIDATION    | Not described in provided AuthKey facts
Recover lost ACME credentials | Retrieve via POST /v2/ssl/acme/{acmeSubscriptionId}/credentials                   | Not applicable

Supported ACME clients (examples) and references

RTR provides the subscription credentials; the ACME client operator chooses and runs an ACME client. Common ACME clients include:

For usage and exact command options, refer to the ACME client vendor documentation.

Recommendation: publish a separate KB page: “ACME client setup guide (RTR)” with client-specific examples and troubleshooting.


Troubleshooting & FAQ

PENDING_ORGANIZATION_VALIDATION blocks issuance

If the subscription status is PENDING_ORGANIZATION_VALIDATION, certificates cannot be requested until validation is completed again. Progress can be monitored using the info process call.

ACME credentials lost

Retrieve credentials using:

POST /v2/ssl/acme/{acmeSubscriptionId}/credentials

Subscription expired

On expiry, the subscription is either suspended or automatically renewed. When suspended it can still be renewed. After 30 days it becomes revoked and can no longer be renewed.

Migration: import an existing certificate

Import existing certificates to maintain overview and support renewals.

API docs: Import SSL certificate

POST /v2/ssl/import
Content-Type: application/json

{
  "customer": "your_customer_handle",
  "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
}