The IONOS Certificate Manager now introduces a new feature in its V2 API: Auto Certificate. This enhancement allows users to automatically renew their SSL/TLS certificates via the platform, reducing manual management and improving security. The core of this new functionality lies in its integration with the ACME protocol to automate the issuance and renewal of certificates, eliminating the need for customers to manually upload certificates and keys.
Provider Creation: The user first creates a certificate provider by configuring an ACME server (such as Let's Encrypt). This provider is responsible for issuing and renewing the certificates.
Auto Certificate Creation: After the provider is set up, the user creates an Auto Certificate, pointing to the newly created provider and specifying the common name (domain) for which the certificate should be issued.
Automatic Certificate Management:
ACME-based issuance: The certificate manager handles the issuance and renewal process using the provided ACME server. The system sets up the required DNS TXT records on the IONOS Cloud DNS, which the ACME server uses to verify domain ownership.
Renewal process: The certificates are automatically renewed every 30 days before they expire, ensuring seamless security updates without user intervention.
Domain and Zone Restrictions: This feature only works with domains that are hosted within the IONOS Cloud DNS zones. The ACME server needs to verify the domain ownership through TXT records, which are managed by the IONOS platform.
Handling Expiration and Grace Period: During the renewal process, a grace period of 30 days is applied. This means that two certificates—one expired (or expiring soon) and one newly issued—may coexist for a short period. The old certificate is automatically deleted 30 days after expiration, ensuring that the system remains clean and up-to-date.
Naming Convention: To prevent confusion between active and expiring certificates, timestamps are appended to the common name of the certificate in the database. This ensures that the certificates remain distinguishable in the system.
Automated Renewal: No need for manual intervention to renew certificates, improving operational efficiency.
Security: Regularly updated certificates ensure that there are no gaps in encryption.
Visibility: Users can track both the newly created and expired certificates within the system.
Integration: The auto certificate feature is fully integrated and usable in products like CDN and API Gateway.
This new Auto Certificate feature represents a major step forward for users who need continuous, automated SSL/TLS certificate management on the IONOS platform.
To work with Auto Certificate on the IONOS platform using the API, you need to create a Provider first (e.g., Let's Encrypt), and then create an Auto Certificate linked to that provider. Below are step-by-step instructions for creating a provider and an Auto Certificate using the provided API endpoints.
Prerequisites:
This feature only works with domains that are hosted within the IONOS Cloud DNS zones. The ACME server needs to verify the domain ownership through TXT records, which are managed by the IONOS platform.
There is currently a limit of 50 Auto Certificates.
The provider is responsible for issuing and renewing your certificates via the ACME protocol (e.g., Let's Encrypt). Here's how you can create one using the API.
POST /providers
You need to send a JSON object representing the provider details in the request body.
name: The name of the provider (e.g., "Let's Encrypt").
email: The email associated with the provider account.
server: The ACME server URL (in this case, Let's Encrypt).
externalAccountBinding (Optional): Used if you need external account binding for ACME providers like Let's Encrypt. It includes:
keyId: The external account key ID.
keySecret: The external account key secret.
You will receive a response containing the Provider ID, which is needed to create an Auto Certificate.
Take note of the Provider ID (b471cd03-ef51-52c5-91a5-49195b0a04d4) because it will be needed in the next step.
Once the provider is created, you can create an auto-renewing certificate using that provider.
POST /auto-certificates
To create an Auto Certificate, you need to pass the Provider ID (obtained from Step 1) along with other certificate details in the request body.
provider: The ID of the provider created in Step 1.
commonName: The main domain name for the certificate, for example www.example.com. This field supports wildcards, for example *.example.com.
keyAlgorithm: The key algorithm to be used (e.g., rsa4096).
name: A human-readable name for the Auto Certificate.
subjectAlternativeNames: (Optional) Additional domain names that the certificate should cover, for example app.example.com. This field supports wildcards, for example *.example.com. There is a limit of 10 alternative names.
Result: Upon successful creation, the API will return a response with the details of the newly created Auto Certificate.
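A pre-flight check for the Auto Certificate request described above, as an added example that is not IONOS code: it enforces the page's stated constraints (names inside a hosted IONOS Cloud DNS zone, wildcard syntax, at most 10 alternative names) before anything is sent. Assumptions: `hosted_zones` is a list you supply, the provider ID is treated as a UUID, and because the page does not show the request envelope the function returns only the documented fields.

```python
import re
import uuid

MAX_SANS = 10  # limit of alternative names stated on this page
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def check_name(name: str, hosted_zones: list[str]) -> str:
    """Normalize one DNS name and require it to sit inside a hosted zone."""
    host = name.strip().rstrip(".").lower()
    labels = host.split(".")
    if labels[0] == "*":          # a wildcard is accepted only as the leftmost label
        labels = labels[1:]
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        raise ValueError(f"not a valid DNS name: {name!r}")
    base = ".".join(labels)
    zones = [z.rstrip(".").lower() for z in hosted_zones]
    # Match on a label boundary so "notexample.com" does not pass for "example.com".
    if not any(base == z or base.endswith("." + z) for z in zones):
        raise ValueError(f"{name!r} is not inside a hosted zone")
    return host


def auto_certificate_fields(provider_id, common_name, key_algorithm, name,
                            hosted_zones, sans=()):
    """Validate and return the documented fields for POST /auto-certificates."""
    uuid.UUID(provider_id)        # assumption: provider IDs are UUIDs; raises ValueError otherwise
    if len(sans) > MAX_SANS:
        raise ValueError(f"{len(sans)} alternative names exceeds the limit of {MAX_SANS}")
    fields = {
        "provider": provider_id,
        "commonName": check_name(common_name, hosted_zones),
        "keyAlgorithm": key_algorithm,   # passed through unchanged, e.g. "rsa4096"
        "name": name,
    }
    if sans:
        fields["subjectAlternativeNames"] = [check_name(s, hosted_zones) for s in sans]
    return fields
```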
After creating the Auto Certificate, you can verify it was created correctly using the following API endpoints.
GET /certificates/{certificateId}
This allows you to check the details of a specific certificate by its ID.
You can also filter the certificates by Auto Certificate UUID or common name to list relevant certificates.
Filter by Auto Certificate UUID:
Filter by domain name: