EAB Credentials for Certificate as a Service (CaaS)

External Account Binding (EAB) credentials are secure authentication keys that connect your ACME client to your paid Trustico® Certificate as a Service (CaaS).

These credentials ensure that only authorized users can issue SSL Certificates under your service.

EAB is an industry-standard extension to the ACME protocol that allows Certificate Authorities like Trustico® to provide paid services while maintaining the automation benefits of ACME.

Your EAB credentials act as a bridge between your ACME client software and your pre-paid Trustico® service, enabling automatic SSL Certificate issuance and renewal without manual intervention.

Your EAB Credentials Package

When you purchase Trustico® Certificate as a Service (CaaS), you receive a complete credentials package via e-mail containing four essential components :

Trustico® ACME Account ID : Your unique service identifier used for all account management, extensions, and support requests. Keep this ID safe as you'll need it for future service management.

EAB Key ID : Your unique account identifier that tells our ACME server which service account to use for SSL Certificate requests.

EAB MAC Key : Your secure authentication key that proves you're authorized to use the service. This key must be kept confidential.

ACME Server URL : The dedicated server endpoint where your ACME client will connect to request and manage SSL Certificates.

We generally only send this information via e-mail when Trustico® Certificate as a Service (CaaS) is activated or renewed. If you lose the e-mail, please speak with our support team for further assistance.

How EAB Credentials Work

EAB credentials work by authenticating your ACME client during the account registration process. When your ACME client first connects to our server, it uses your EAB Key ID and EAB MAC Key to prove it's authorized to access your paid service.

Once authenticated, your ACME client can request SSL Certificates for any domains included in your Trustico® Certificate as a Service (CaaS).

The ACME server validates domain ownership automatically and issues SSL Certificates within minutes.

Your EAB credentials remain active for the duration of your service period, enabling continuous automatic SSL Certificate renewal without any manual intervention required.

Sharing EAB Credentials Across Multiple Systems

One of the key benefits of Trustico® Certificate as a Service (CaaS) is that your EAB credentials can be shared across multiple ACME clients and servers. This means you can use the same credentials to secure multiple systems under one service.

For example, you can configure your production servers, staging environments, load balancers, and development systems all with the same EAB credentials. Each system can independently request and renew SSL Certificates for your authorized domains.

This shared credential model eliminates the need to purchase separate services for each server while maintaining security through proper credential management practices.

Domain Authorization and Unlimited SSL Certificates

Your EAB credentials are linked to specific domains that you've purchased through Trustico® Certificate as a Service (CaaS). Once a domain is authorized in your service, you can issue unlimited SSL Certificates for that domain and its included variations.

This includes your primary domain, www subdomain, and any subdomains covered by wildcard SSL Certificates. Your ACME client can request new SSL Certificates whenever needed without additional costs.

If you need to secure additional domains beyond your current service, simply purchase another Trustico® Certificate as a Service (CaaS) for those domains, which will come with its own set of EAB credentials.

Configuring Your ACME Client

Most popular ACME clients support EAB credentials through command-line parameters or configuration files. The exact setup process varies by client, but the core information remains the same.

For Certbot : Use the --eab-kid and --eab-hmac-key parameters along with --server to specify your ACME Server URL during account registration.

For acme.sh : Set the ACME_EAB_KID and ACME_EAB_HMAC_KEY environment variables, then specify your server URL with the --server parameter.

Consult your client's documentation for EAB configuration options. All standard ACME clients support EAB credentials through similar mechanisms.

Security Best Practices for EAB Credentials

Your EAB credentials provide access to your paid Trustico® Certificate as a Service (CaaS) and must be protected with the same security standards as API keys or passwords.

Store your EAB MAC Key in environment variables or secure credential management systems. Never commit these credentials to code repositories, configuration files, or any unencrypted storage.

Your EAB Key ID is less sensitive but should still be treated as confidential information. Both credentials together provide access to your service, so protect them accordingly.

Regularly audit which systems have access to your EAB credentials and remove access from decommissioned servers or development environments that no longer need SSL Certificate access.
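
One way to check scripts and configuration for a hard-coded EAB MAC Key before they reach a repository, as an added example (not a Trustico® tool): it flags literal values after the option and variable names mentioned on this page, plus Certbot's config-file spelling of the same option, and ignores shell references such as "$EAB_HMAC_KEY". The length and character-set heuristic and all sample lines are constructed assumptions.

```python
import re

# Names are the ones this page mentions; "eab-hmac-key = ..." is the
# config-file form of the same Certbot option.
KEY_ASSIGNMENT = re.compile(
    r"(?P<name>--eab-hmac-key|\beab-hmac-key|\bACME_EAB_HMAC_KEY)"
    r"(?:\s*=\s*|\s+)(?P<value>\S+)"
)
# Heuristic (assumption): a literal key is 16+ base64/base64url characters.
LITERAL_KEY = re.compile(r"[A-Za-z0-9_\-+/=]{16,}")


def find_hardcoded_eab_keys(text: str) -> list:
    """Return (line number, option name, redacted value) for literal MAC keys."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_ASSIGNMENT.finditer(line):
            value = match.group("value").strip("\"'")
            if value.startswith("$"):
                continue  # shell or environment reference, not a literal secret
            if LITERAL_KEY.fullmatch(value):
                # Never echo the secret itself into scan output or CI logs.
                findings.append((lineno, match.group("name"),
                                 f"<redacted, {len(value)} chars>"))
    return findings


# Constructed sample input; the key is a made-up value, not a real credential.
SAMPLE_KEY = "Q29uc3RydWN0ZWRTYW1wbGVLZXlfMDAwMQ"
SAMPLE = f"""\
certbot register --server "$ACME_SERVER_URL" --eab-kid "$EAB_KID" --eab-hmac-key "$EAB_HMAC_KEY"
export ACME_EAB_HMAC_KEY={SAMPLE_KEY}
eab-hmac-key = {SAMPLE_KEY}
# pass --eab-hmac-key on the command line only from a secret store
"""

if __name__ == "__main__":
    for lineno, name, value in find_hardcoded_eab_keys(SAMPLE):
        print(f"line {lineno}: literal value for {name} {value}")
```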

Troubleshooting EAB Authentication

If your ACME client fails to authenticate with EAB credentials, verify that you're using the correct ACME Server URL provided in your credentials e-mail. Using a different server URL will result in authentication failures.

Ensure your EAB Key ID and EAB MAC Key are copied exactly as provided, without additional spaces or line breaks. These credentials are case-sensitive and must match precisely.

Check that your Trustico® Certificate as a Service (CaaS) is active and hasn't expired. Expired services will reject EAB authentication attempts until renewed.

If you continue experiencing issues, contact our support team with your Trustico® ACME Account ID for assistance with credential verification and troubleshooting.

Managing Your Service with EAB Credentials

Your Trustico® ACME Account ID is essential for all service management tasks beyond SSL Certificate issuance. Use this ID when extending your service, requesting support, or managing your account through our website or API.

Service extensions can be purchased before expiration to ensure continuous SSL Certificate functionality. Your EAB credentials will continue working seamlessly after service renewal without requiring reconfiguration.

Keep your Trustico® ACME Account ID easily accessible for service management tasks, but remember that your EAB MAC Key should remain confidential and only be used for ACME client configuration.

EAB Credentials Lifecycle

Your EAB credentials remain valid for the entire duration of your active Trustico® Certificate as a Service (CaaS). They automatically become inactive when your service expires, preventing unauthorized SSL Certificate issuance.

When you extend your service, your existing EAB credentials continue working without any changes required to your ACME client configuration. This ensures seamless SSL Certificate operations across service renewals.

If you need new EAB credentials for security reasons, contact our support team with your Trustico® ACME Account ID to discuss credential rotation options.

Getting Help with EAB Setup

Our support team is available to provide general information to help you configure your ACME client with your EAB credentials.

When contacting support, always include your order number and Trustico® ACME Account ID for faster assistance.

Never share your EAB MAC Key in support communications - our team can verify your credentials without needing to see the actual key values.

Service Continuity and Renewal

Automated SSL Certificate installation and management through Trustico® Certificate as a Service (CaaS) operates seamlessly only while your paid service remains active.

Your ACME client will continue to automatically renew SSL Certificates and maintain continuous protection as long as your service subscription is current.

To ensure truly seamless SSL Certificate management without interruption, it's essential to renew your Trustico® Certificate as a Service (CaaS) before expiration or consider setting up automatic billing for uninterrupted service continuity.

If your service expires, your ACME client will be unable to renew SSL Certificates, potentially leading to SSL Certificate expiration and website downtime until service is restored.