
Commit 7295405

Merge pull request #453 from smallstep/carl/tiny-acme
Add `acme-tiny` to ACME tutorial
2 parents e4dd0be + c17cc68 commit 7295405

1 file changed

+36
-1
lines changed


tutorials/acme-protocol-acme-clients.mdx

Lines changed: 36 additions & 1 deletion
@@ -1,5 +1,5 @@
11
---
2-
updated_at: September 18, 2025
2+
updated_at: November 06, 2025
33
title: Configure popular ACME clients to use a private CA with the ACME protocol
44
html_title: Configure ACME Clients with step-ca Tutorial
55
description: Configure popular ACME clients with step-ca. Support for Certbot, acme.sh, and other ACME implementations for automated certificate management.
@@ -97,6 +97,7 @@ Choose a renewal period that is two-thirds of the entire certificate's lifetime,
9797
* [Certbot](#certbot)
9898
* [acme.sh](#acmesh)
9999
* [lego](#lego)
100+
* [acme-tiny](#acme-tiny)
100101
* [win-acme](#win-acme)
101102
* [Caddy v2](#caddy-v2)
102103
* [NGINX](#nginx)
@@ -233,6 +234,40 @@ You can automate renewal with a simple `cron` entry:
233234
*/15 * * * * root LEGO_CA_CERTIFICATES="$(step path)/certs/root_ca.crt" lego [email protected] -d foo.internal --http renew
234235
```
235236

237+
### acme-tiny
238+
239+
[acme-tiny][] is a minimalist ACME client that provides just what you need for automated certificate issuance—nothing more.
240+
It's written in Python and is designed to be simple, auditable, and easy to understand.
241+
242+
[acme-tiny]: https://github.com/diafygi/acme-tiny
243+
244+
To get a certificate from `step-ca` using `acme-tiny` you need to:
245+
246+
1. Point `acme-tiny` at your ACME directory URL using the `--directory-url` flag
247+
2. Tell `acme-tiny` to trust your root certificate using the `REQUESTS_CA_BUNDLE` environment variable
248+
249+
For example:
250+
251+
```shell
252+
REQUESTS_CA_BUNDLE=$(step path)/certs/root_ca.crt \
253+
python acme_tiny.py \
254+
--account-key account.key \
255+
--csr domain.csr \
256+
--acme-dir /var/www/challenges/ \
257+
--directory-url https://ca.internal/acme/acme/directory \
258+
> signed_chain.crt
259+
```
260+
261+
`acme-tiny` uses the `http-01` challenge type, where it writes challenge files to a directory that your web server serves. You'll need to configure your web server to serve files from the directory specified by `--acme-dir`.
262+
263+
You can automate renewal with a simple `cron` entry:
264+
265+
```shell
266+
0 0 * * * REQUESTS_CA_BUNDLE=$(step path)/certs/root_ca.crt python /path/to/acme_tiny.py --account-key /path/to/account.key --csr /path/to/domain.csr --acme-dir /var/www/challenges/ --directory-url https://ca.internal/acme/acme/directory > /path/to/signed_chain.crt 2>> /var/log/acme_tiny.log
267+
```
268+
269+
Like with `certbot`, you'll want to adjust the renewal frequency based on your certificate lifetime. For `step-ca`'s default 24-hour certificate lifetimes, you may want to run renewals more frequently.
270+
236271
### win-acme
237272

238273
[win-acme][] (`wacs.exe`) is a popular ACME client for Windows.
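Review bot: the renewal cron entry (`0 0 * * * REQUESTS_CA_BUNDLE=... > /path/to/signed_chain.crt`) clobbers the live certificate on failure and does not follow the page's own renewal guidance. The shell truncates `/path/to/signed_chain.crt` before `acme_tiny.py` runs, so if `step-ca` is unreachable or the `http-01` challenge fails, the web server is left with an empty certificate file; write to a temporary path and replace only on success, e.g. `... > /path/to/signed_chain.crt.tmp && mv /path/to/signed_chain.crt.tmp /path/to/signed_chain.crt`. Running once a day also conflicts with the rule quoted in this hunk's header ("Choose a renewal period that is two-thirds of the entire certificate's lifetime") for the 24-hour default the new paragraph mentions; a schedule such as `0 */8 * * *` fits that guidance better than leaving it at "you may want to run renewals more frequently". Two smaller points: the lego entry just above uses the system-crontab form with a user field (`*/15 * * * * root ...`) while the new entry omits it, so state which crontab it belongs in; and nothing reloads the web server after the new chain is written, so add a reload step (and note that `$(step path)` only resolves under cron if `step` is on cron's minimal PATH).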
