Certificate Settings
Certificate entries have settings which identify the certificate and how ACME can validate ownership of that identity.
General
- Name
A short name for the certificate used as an internal identifier. The ACME package uses this name to create or overwrite a Certificate Manager entry when issuing or renewing the certificate.
- Description
A longer string describing the certificate and its purpose.
- Status
Whether this certificate is considered active.
- Active
This entry will be processed manually and by scheduled renewals (General Settings).
- Disabled
This entry will be ignored.
- Private Key
The type and strength of private key to use with this certificate. Can be either RSA or ECDSA in several pre-defined sizes. Select Custom to manually enter a private key generated elsewhere.
2048-bit RSA is an acceptable default choice, but larger keys are more secure.
- Last Renewal
Static text output showing the last date and time the ACME package renewed this certificate.
- Renewal Threshold
Days of remaining lifetime at which ACME will renew the certificate. Defaults to 2/3 the lifetime or 30 days if the lifetime cannot be determined. The ACME package ignores this value if it is longer than the certificate lifetime.
Note
Certificate lifetimes vary by ACME server and certificate profile. Check with the ACME servers to determine their validity intervals.
Validation
- SAN List
A list of all Subject Alternative Name (SAN) entries to include in this certificate. In most cases these will be fully qualified domain names (FQDNs) such as www.example.com or wildcard specifications (e.g. *.example.com). ACME servers may support other SANs in certain cases. For example, Let’s Encrypt allows IP Address SANs when using the shortlived Certificate Profile.
SAN entries can use the same or different update methods. The ACME server must individually validate each SAN before it will issue or renew a certificate.
Note
The ACME server may limit the number of SAN entries and their contents. For example, Let’s Encrypt limits a certificate to at most 100 SAN entries. Actalis only allows domain names and www. hostnames.
- Status
Whether this SAN is active in the certificate
- SAN
The value for a SAN entry in this certificate (e.g. www.example.com).
- Validation Method
The method that the ACME server can use to validate ownership of this domain. Method settings are described in Validation Methods.
Click Add for additional SAN entries.
DNS-based validation methods have common settings which appear for all types:
- DNS Alias
An alternative domain name used by the validation process. Instead of updating the DNS record for Domain Name directly, the package uses this domain name instead. See DNS Alias Mode for details.
- DNS Alias Mode
When set, controls whether the DNS alias mode used is Challenge Alias (Unchecked, Default) or Domain Alias (Checked). See DNS Alias Mode for details.
- DNS Sleep
The amount of time the ACME validation process will wait after making DNS changes before attempting to validate. Some DNS services take a few minutes to propagate entries after making backend changes.
The default settings are typically sufficient, but slower providers may require a longer sleep time.
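A pre-flight check for the SAN List described above, as an added example that is not part of the ACME package or its documentation: it classifies each entry as an FQDN, wildcard or IP address and reports entries an ACME server is likely to reject. The function names, the allow_ip switch and the sample list are assumptions made for illustration; the default limit of 100 is the Let’s Encrypt figure quoted in the note.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def classify_san(value):
    """Return 'ip', 'wildcard', 'fqdn' or 'invalid' for one SAN entry."""
    value = value.strip().rstrip(".")
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    kind = "fqdn"
    if value.startswith("*."):  # only a single leading wildcard label is accepted
        kind, value = "wildcard", value[2:]
    labels = value.split(".")
    if len(value) > 253 or len(labels) < 2:
        return "invalid"
    if not all(LABEL.fullmatch(label) for label in labels):
        return "invalid"
    return kind

def lint_san_list(sans, max_sans=100, allow_ip=False):
    """Return (entry, problem) findings; an empty list means no problems."""
    findings = []
    if len(sans) > max_sans:
        findings.append(("<list>", f"{len(sans)} entries, limit is {max_sans}"))
    seen = set()
    for san in sans:
        key = san.strip().rstrip(".").lower()
        kind = classify_san(san)
        if kind == "invalid":
            findings.append((san, "not an FQDN, wildcard or IP address"))
        elif kind == "ip" and not allow_ip:
            findings.append((san, "IP SAN not permitted by this profile"))
        if key in seen:
            findings.append((san, "duplicate entry"))
        seen.add(key)
    return findings

# Constructed sample list (not from the page), using documentation names.
SAMPLE = ["www.example.com", "*.example.com", "WWW.example.com.",
          "192.0.2.10", "*.*.example.com", "intranet"]

if __name__ == "__main__":
    for entry, problem in lint_san_list(SAMPLE):
        print(f"{entry}: {problem}")
```

Pass allow_ip=True when the chosen certificate profile permits IP address SANs, and set max_sans to the limit published by the ACME server in use.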
Post-Renew Actions
- Actions List
Commands the ACME package runs after successfully renewing the certificate.
- Status
Whether this action is active.
- Command
Full path to command and arguments, service name, or name of script.
- Method
Defines how the Command is executed by the package.
- Shell Command
The Command is a full path to a shell command and its arguments.
- PHP Command Script
The Command value is run as PHP code.
- Restart Local Service
The name of a local service to restart.
- Restart Remote Service
The name of a remote service to restart via XMLRPC. This utilizes the system XMLRPC sync configuration.
The GUI help text for this option includes several examples of common actions.