SSL/TLS Certificate - Automatically Issue and Renew InCommon with ACME
NOTE: Let's Encrypt is a recommended and widely adopted trusted Certificate Authority (CA) that issues free certificates with automatic renewal through the ACME protocol.
However, there are cases where Let's Encrypt cannot be used, such as closed systems with non-public domain names or IP addresses.
Here are the prerequisites for implementing ACME-based automatic certificate renewals for the UW-Madison InCommon Certificate Service (powered by Sectigo's Certificate Manager, SCM):
- Domain Delegation: The domain names you plan to secure via ACME are delegated to your department within the SCM. Separate ACME accounts are issued to individual campus departments or administrative teams, each scoped to specific __.wisc.edu or __.wisconsin.edu domains, to maintain the principle of least privilege.
- ACME Client Familiarity: You should be technically comfortable with an ACME client, for example Certbot (the client officially supported by Sectigo/InCommon).
- Credential Security: The EAB credentials (Key ID and HMAC Key) grant full control over issuing certificates for the authorized domains. You will need to store them securely and restrict access to authorized personnel only.
- Contact Us: We'll get the ball rolling with a short meeting to discuss your delegation structure for your department or college and establish your ACME account in the Certificate Manager, including securely supplying the ACME Endpoint URL, Key ID, and HMAC Key.
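The following script is an added example, not part of this page and not code supplied by the UW-Madison certificate team. It shows one way to handle the Credential Security and ACME Client prerequisites together: the ACME Endpoint URL, Key ID, and HMAC Key are kept in a root-only Certbot configuration file rather than typed on the command line (where they would appear in shell history and process listings), and the script refuses to register the account unless that file is correctly locked down. The directory URL and credential values below are placeholders; the Certbot options used (`register`, `-c/--config`, and the `server`, `eab-kid`, and `eab-hmac-key` settings) are real Certbot options (EAB support was added in Certbot 1.12), but the file path and function names are assumptions for this example.

```bash
#!/usr/bin/env bash
# Added example: register an ACME account with the InCommon/Sectigo ACME
# endpoint using External Account Binding (EAB) credentials stored in a
# Certbot config file. Not code from the UW-Madison page or from Sectigo.
set -eu

# Assumed location of the Certbot config holding the EAB credentials.
# Constructed file contents (Certbot cli.ini format, one option per line):
#   server = <ACME Endpoint URL supplied by the certificate team>
#   eab-kid = <Key ID supplied by the certificate team>
#   eab-hmac-key = <HMAC Key supplied by the certificate team>
EAB_CONFIG="${EAB_CONFIG:-/etc/incommon-acme/cli.ini}"

# check_eab_file FILE
# Returns 0 only when FILE exists, is readable solely by its owner (mode 600
# or 400), and defines the three settings needed for EAB registration.
# Any other state returns 1 so the caller never registers with a leaked or
# incomplete credential file.
check_eab_file() {
  f="$1"
  [ -f "$f" ] || { echo "credential file $f not found" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as a fallback
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) ;;
    *) echo "$f has mode $mode; expected 600 or 400 (owner-only)" >&2; return 1 ;;
  esac
  for key in server eab-kid eab-hmac-key; do
    grep -q "^$key *= *[^ ]" "$f" || {
      echo "$f must set '$key'" >&2; return 1; }
  done
  return 0
}

# register_account CONTACT_EMAIL
# Performs the one-time ACME account registration. EAB is only needed at
# this step; later 'certbot certonly' / 'certbot renew' runs use the account
# key Certbot stores under /etc/letsencrypt and the same config file for
# the 'server' setting.
register_account() {
  email="$1"
  check_eab_file "$EAB_CONFIG"
  certbot register -c "$EAB_CONFIG" --agree-tos --no-eff-email -m "$email"
}

# Only run the registration when invoked explicitly, e.g.:
#   sudo ./register-incommon.sh --run admin@example.invalid
if [ "${1:-}" = "--run" ]; then
  register_account "${2:?contact email required}"
fi
```

Keeping the credentials in the config file means the same file can later be passed to `certbot certonly -c /etc/incommon-acme/cli.ini -d host.example.invalid` so that the `server` setting is reused, while `eab-kid` and `eab-hmac-key` are simply ignored once the account exists. The permission check is the point of the example: anyone who can read that file can obtain certificates for every domain delegated to your ACME account.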
