CertAutoPilot logo CertAutoPilot
Get started

EAB-bound CAs

External Account Binding ties an ACME account to an existing customer record at the CA. This page tells you where the kid + HMAC come from for each EAB-required provider.

01What EAB is

An ACME account is normally created anonymously: anyone can register. EAB requires the registration to include an HMAC over the new-account request, signed with a per-customer key the CA gave you out-of-band. This proves you are an authorised customer before the CA accepts the registration.

You only do this once per account. After registration, normal ACME issuance proceeds without any further EAB interaction.

02What CertAutoPilot needs

Two values:

  • kid — the key identifier issued by the CA. A short opaque string.
  • HMAC key — base64url-encoded, used to sign the EAB binding.

03Google Trust Services

In the Google Cloud Console: Public Certificate AuthorityExternal Account. Click Generate, copy the Key ID (this is the kid) and the HMAC. The pair is single-use — re-generate if you need to register another account.

04ZeroSSL

ZeroSSL dashboard → Developer → EAB Credentials. Generate Credential. Both the kid (called EAB KID) and the HMAC key appear once; copy and save before closing.

05SSL.com

The customer dashboard → API CredentialsACME EAB. Per ACME directory (separate KIDs for DV vs OV vs EV product lines).

06Sectigo

Issued by your Sectigo account manager via the Customer Portal. Ask for an ACME account binding for the certificate profile you intend to use; expect a same-day turnaround.

07GlobalSign Atlas

Atlas portal → API & Configuration → ACME Account. Generate an EAB pair scoped to your Atlas account.

08DigiCert CertCentral

CertCentral → Account → ACME Directory URLs. Each product profile has its own ACME URL and EAB credential; copy both.

09Actalis

Issued via the Actalis customer-portal API. Talk to your account contact; the credentials are scoped to a contract.

10Pasting into CertAutoPilot

  1. Settings → ACME Accounts → New.
  2. Pick the CA. The form shows the EAB section automatically.
  3. Paste the kid and HMAC key.
  4. Save. The server runs the EAB-bound new-account flow and stores the resulting account URL.

11Rotating the EAB key

Once the ACME account is registered, the EAB key is no longer used. To rotate account keys, use the standard ACME key rollover (UI or POST /acme-accounts/{id}/rotate-key). Re-issuing the EAB pair only matters if you are creating a new account.