Enhancing the ACME protocol to automate the management of all X.509 web certificates (Extended version)

Document Type

Article

Source of Publication

Computer Communications

Publication Date

2-27-2025

Abstract

X.509 Public Key Infrastructures (PKIs) are widely used to manage X.509 Public Key Certificates (PKCs) that enable secure communication and authentication on the Internet. PKCs are issued by a trusted third party, the Certification Authority (CA), which is responsible for verifying the certificate requester's information. Recent developments in the web PKI show a strong proliferation of Domain Validated (DV) certificates and a decline in Extended Validation (EV) certificates, indicating weak authentication of the entities behind web services. The ACME protocol eases the deployment of web certificates by automating their management, but it is limited to DV certificates. This paper proposes an enhancement to the ACME protocol that automates the issuance of all types of web X.509 PKCs by using W3C Verifiable Credentials (VCs) to assert a requester's claims. We argue that any CA's requirements for issuing a PKC can be expressed as a set of VCs returned in a Verifiable Presentation (VP), which can facilitate the issuance of high-assurance certificates such as EV certificates. We also propose a generic communication workflow for requesting and presenting VPs that interoperates with our ACME enhancement. We instantiate this workflow with the OpenID for Verifiable Presentations protocol (OID4VP) to request and present VPs. To assess the feasibility of our solution, we conduct a complexity analysis evaluating both computational and communication overhead relative to the standard ACME protocol. Finally, we present an implementation of our solution as a proof of concept.
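The abstract describes the core idea at a high level: the CA's issuance policy is a set of required VC types, the requester returns them inside a VP, and the CA checks the VP before issuing. The sketch below is an added illustration of that check, not code from the paper or its proof-of-concept implementation; it uses Ed25519 signatures over a deterministic JSON encoding as a stand-in for the VC Data Model's proof formats, and the DIDs, CA identifier, credential type and claim names are constructed. Binding the VP to the requester's ACME account key, and carrying the CA's nonce as the challenge value, are assumptions of this sketch rather than details taken from the paper.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is a minimal stand-in for a W3C Verifiable Credential: an issuer's
// signed statement of claims about a subject (here, the certificate requester).
type Credential struct {
	Issuer    string            `json:"issuer"`
	Subject   string            `json:"subject"`
	Type      string            `json:"type"`
	Claims    map[string]string `json:"claims"`
	Signature []byte            `json:"signature,omitempty"`
}

// Presentation is a stand-in for a Verifiable Presentation: credentials wrapped
// under the holder's signature, bound to the CA's identifier and nonce so the
// VP cannot be replayed against another CA or another order.
type Presentation struct {
	Holder      string       `json:"holder"`
	Audience    string       `json:"audience"`
	Nonce       string       `json:"nonce"`
	Credentials []Credential `json:"credentials"`
	Signature   []byte       `json:"signature,omitempty"`
}

// The signed bytes are the JSON form with the signature cleared. json.Marshal
// writes struct fields in declaration order and map keys sorted, so signer and
// verifier derive identical bytes without a separate canonicalisation step.
func credentialBytes(c Credential) []byte {
	c.Signature = nil
	b, _ := json.Marshal(c)
	return b
}

func presentationBytes(p Presentation) []byte {
	p.Signature = nil
	b, _ := json.Marshal(p)
	return b
}

// IssueCredential is the issuer side: sign the claims with the issuer's key.
func IssueCredential(issuerKey ed25519.PrivateKey, c Credential) Credential {
	c.Signature = ed25519.Sign(issuerKey, credentialBytes(c))
	return c
}

// Present is the requester side: sign the VP with the key the CA already
// associates with the requester (assumed here to be the ACME account key).
func Present(holderKey ed25519.PrivateKey, p Presentation) Presentation {
	p.Signature = ed25519.Sign(holderKey, presentationBytes(p))
	return p
}

// NewChallenge returns the CA's fresh nonce that the VP must be bound to.
func NewChallenge() string {
	b := make([]byte, 16)
	rand.Read(b)
	return hex.EncodeToString(b)
}

// Policy expresses a CA's issuance requirements: the credential types it needs
// and, per type, the issuer public keys it trusts to assert that type.
type Policy map[string][]ed25519.PublicKey

// VerifyPresentation is the CA side. It checks holder binding (audience, nonce,
// holder signature), then that every required credential type is present, is
// about this holder, and carries a valid signature from a trusted issuer for
// that type. On success it returns the merged claims the CA may certify.
func VerifyPresentation(p Presentation, holderPub ed25519.PublicKey, caID, nonce string, pol Policy) (map[string]string, error) {
	if p.Audience != caID || p.Nonce != nonce {
		return nil, errors.New("presentation not bound to this CA and challenge")
	}
	if !ed25519.Verify(holderPub, presentationBytes(p), p.Signature) {
		return nil, errors.New("holder signature invalid")
	}
	claims := map[string]string{}
	for typ, trusted := range pol {
		satisfied := false
		for _, c := range p.Credentials {
			if c.Type != typ || c.Subject != p.Holder {
				continue // wrong type, or a credential about someone else
			}
			for _, pub := range trusted {
				if ed25519.Verify(pub, credentialBytes(c), c.Signature) {
					satisfied = true
					for k, v := range c.Claims {
						claims[k] = v
					}
				}
			}
		}
		if !satisfied {
			return nil, fmt.Errorf("no trusted %q credential for holder %s", typ, p.Holder)
		}
	}
	return claims, nil
}

func main() {
	regPub, regKey, _ := ed25519.GenerateKey(rand.Reader) // constructed: a business registry issuer
	reqPub, reqKey, _ := ed25519.GenerateKey(rand.Reader) // constructed: the certificate requester
	vc := IssueCredential(regKey, Credential{Issuer: "did:example:registry", Subject: "did:example:acme-account",
		Type: "LegalEntityCredential", Claims: map[string]string{"O": "Example Corp", "C": "GB"}})
	nonce := NewChallenge()
	vp := Present(reqKey, Presentation{Holder: "did:example:acme-account", Audience: "ca.example",
		Nonce: nonce, Credentials: []Credential{vc}})
	claims, err := VerifyPresentation(vp, reqPub, "ca.example", nonce, Policy{"LegalEntityCredential": {regPub}})
	fmt.Println(claims, err)
}
```

The order of checks matters: holder binding is verified before any credential is examined, so a VP replayed from another order (stale nonce), presented to a different CA (wrong audience), or signed by someone other than the account holder is rejected without consulting the issuer trust list. A real deployment would also check credential expiry and revocation status, which this sketch omits.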

ISSN

0140-3664

Publisher

Elsevier BV

Disciplines

Computer Sciences

Keywords

Public key certificate, ACME Automation, Verifiable Credential Data Model, OID4VP

Indexed in Scopus

no

Open Access

no
