Blog Post Mar 04, 2022

Sectigo Delivers Automated CLM for Apache HTTP Web Server Users

Sectigo is pleased to offer a new integration in its market-leading Certificate Lifecycle Management (CLM) solution, Sectigo Certificate Manager (SCM), for users of the open-source web server software Apache® HTTP Server. The latest enhancements fill a market need to directly automate the deployment and renewal of digital certificates natively on Apache HTTP Server without additional software.

The Challenge

Apache is one of the world's most popular web servers, with a market share of 30.8%, according to W3Techs. However, until recently, enterprises could not use their legacy certificate management solutions to securely issue credentials and automate the installation of certificates on their Apache HTTP servers using the industry-standard Automated Certificate Management Environment (ACME) protocol. That’s because External Account Binding was not available between the Certificate Authority and the web server without installing additional third-party software. The certificate management platform could be notified of a newly installed certificate, enabling it to be monitored, but it wasn’t possible to natively automate the installation process tied to the certificate management account.

Some certificate management solutions offer ways to help with automation via third-party software. However, this is time-consuming and adds administrative overhead, because the software must be installed and managed by end users. Even a minimal manual certificate installation on a single Apache web server and domain instance involves nine steps and can easily add up to several hours of work for IT administrators. Each step introduces opportunities for error and security risk.

The end-to-end process of manual certificate issuance, configuration, and deployment is not the only problem Apache administrators face. Manually monitoring, revoking, and renewing certificates also creates unavoidable gaps in ownership, leading to non-compliant certificates being deployed or certificates being forgotten until they expire.

It’s no wonder that mismanagement of digital certificates has become a leading cause of sudden outages, breaches, or failure of critical business systems, such as recent outages at Shopify, Intuit QuickBooks, and Fortinet. Additionally, a number of high-profile incidents in which attackers were able to exploit vulnerabilities in the certificate management process have made headlines.

To address these concerns, the CA/Browser Forum has introduced standards that require public certificates to have a lifespan no longer than 398 days. Yet this near-annual lifespan requirement only increases the frequency of certificate revocation and renewal procedures, putting further burdens on organizations that manage certificates manually. The risk is too high to rely on manual processes.

The Solution

To address this challenge, Sectigo now provides full CLM for Apache web servers and load balancers. Sectigo developers have collaborated with the Apache community to add support for External Account Binding in ACME for the Apache HTTP Server and have released it to the community for wide-scale adoption. This means Apache’s built-in ACME can now be used to automatically deploy certificates issued by Sectigo to Apache servers and load balancers both inside and outside firewalls. Enterprises can report on and manage all certificates on their Apache HTTP Server within SCM.

There is no longer a need to install a custom software agent on-premises because External Account Binding in the ACME protocol is implemented directly in Apache HTTP Server. This removes the need to configure and manage passwords for server access and significantly reduces costs and the risk of certificate installation errors.

Furthermore, ACME is an open standard, so the enterprise is not locked into a proprietary agent implementation. This gives companies the freedom to choose the CLM platform that best meets their needs.

Certificates establish the digital trust that lets businesses run every second of the day in this increasingly digital world. Automated CLM is crucial, and the future of certificate automation is with ACME. That’s why Sectigo is proud to extend support of External Account Binding in ACME to the Apache user base.

Learn more in the datasheet, Sectigo Certificate Integration for Apache Using ACME.