Hint: Please read the main article on server certificates first. This also explains what ACME is

To obtain a certificate through ACME and install it on the server, an ACME client is required. We describe a client for Linux and Windows. Information about other ACME clients can be found here: https://acmeclients.com

The ACME clients described below can integrate into an existing wbserver or can set up a temporary web server for the domain validation that's part of the certificate issuance process.

Certbox on Linux

Installation:

Debian/Ubuntu:

sudo apt install certbot python3-certbot-apache

OpenSuSE/SLES:
```
sudo zypper install python3-certbot python3-certbot-apache 
```
- if "nginx" is used one the server, install python3-certbot-nginx instead

Issue a certificate:

certbot run -m AMIN-EMAIL@tu-dresden.de --server https://acme.pki.cert.tu-dresden.de/ -d example1.cert.tu-dresden.de -d example2.tu-dresden.de

The parameter “-d” is used to specify the host names/domains for which certificates are to be issued
The “-m” parameter is used to specify the e-mail address for certificate expiry notifications
The “certbot run” command retrieves a new certificate and sets it up on the web server. Sometimes further packages are required for this (e.g. python3-certbot-apache for Debian with an Apache web server).

Further information on certbot, e.g. on the automatic renewal of certificates, can be found in the official certbot documentation: https://certbot.eff.org/docs

Windows (example simple-acme)

Installation:

Download Simple-acme from https://simple-acme.com/download and unpack the archive

Issue a certificate (from Powershell with Admin privileges):

wacs.exe --baseuri “https://acme.pki.cert.tu-dresden.de/” --source manual --host example1.cert.tu-dresden.de,example2.cert.tu-dresden.de

With the parameter “--source manual” only the certificate is requested. The program offers various parameters to supply the IIS web server directly, for example

With the parameter “--host” a comma-separated list of DNS names is passed

The command requests a new certificate and saves it by default in the Windows certificate store

Further information and the download for simple-acme can be found on the project website: https://simple-acme.com/

Alternative ACME Client for Linux/FreeBSD: dehydrated

If "certbot" cannot be used, e.g. because your Linux distribution is too old, you could try "dehydrated". Dehydrated is implemented as a single Shell Script and needs only a webserver and some standard cli tools.

Requirements:
- a webserver (that can publish files from the server)
- command line tools: bash, grep, mktemp, diff, sed, awk, curl, cut, head, tail, hexdump, openssl
Download the latest relase .tar.gz from github: https://github.com/dehydrated-io/dehydrated/releases

unpack the tar file:tar xf "dehydrated-X.Y.Z.tar.gz"

copy the dehydrated script to /usr/local/bin: sudo cp dehydrated-X.Y.Z/dehydrated /usr/local/bin/

Note the webroot of your webserver

Debian/Ubuntu default is /var/www/html
```
nginx: grep 'root\s' /etc/nginx/ -R
```

apache: grep DocumentRoot /etc/apache2/ -R

```
or: grep DocumentRoot /etc/httpd/ -R
```

Create directory for ACME challenges (replace /webroot with the webroot of your server):

export WEBROOT=/webroot
sudo mkdir -p $WEBROOT/.well-known/acme-challenge
sudo chmod o+rx $WEBROOT/.well-known/acme-challenge $WEBROOT/.well-known/

Create config directory /etc/dehydrated
Create config file /etc/dehydrated/config (replace WEBROOT with your servers webroot):
CA=https://acme.pki.cert.tu-dresden.de/
CONTACT_EMAIL=admin-email@tu-dresden.de
WELLKNOWN=WEBROOT/.well-known/acme-challenge
DOMAINS_TXT=/etc/dehydrated/domains.txt
CERTDIR="/etc/dehydrated/certs"
Add the hostnames/domain-names of your server to /etc/dehydrated/domains.txt. one name per line
Make sure the ACME server can access your server on port 80 (check anterprise cloud firewall and host firewall)

Get a new certificate by running:sudo dehydrated -c -f /etc/dehydrated/config

The certificates will be stored in /etc/dehydrated/certs/$HOSTNAME
To make the new certs available in your webserver automatically, you could use a deploy script to copy the files to the right locations, adjust permissions and restart the webserver. Please see the official docs for details: https://github.com/dehydrated-io/dehydrated/blob/master/docs/examples/hook.sh
Execute dehydrated once a week to renew soon-expiring certificates by adding this line to /etc/crontab:
0 7 * * 1 root dehydrated -c -f /etc/dehydrated/config