Automatically renewed certificates in the Data Exchange Layer
In 2026, the Suomi.fi Data Exchange Layer will begin preparations to introduce the ACME feature (Automated Certificate Management Environment), which enables automatic renewal of certificates on the security server.
This page provides an overview of the ACME feature and its impact on users of the Data Exchange Layer. More detailed instructions for deployment and configuration will be published as the rollout progresses.
What does ACME introduce?
Technical changes
With ACME, the existing authentication (auth) and signing certificates (sign) of security servers can be automatically renewed via the security server’s user interface.
A security server configured to use ACME will automatically renew its certificates through the Digital and Population Data Services Agency (DVV) ACME service before the certificates expire.
- To ease the transition to ACME, the validity period of organisation-specific signing certificates (sign) was extended in 2025 to two years, for the time being, effective at each certificate's next renewal.
In future ACME instructions, references may be made to client software (ACME client). Users of the Data Exchange Layer do not need to install a separate client, as the required ACME functionality is integrated into the X-Road software.
- Note! If the organisation uses ACME certificates issued by DVV outside the Data Exchange Layer, a separate client may be required.
- More information about the service and related practices is available on the DVV website: ACME | Digital and Population Data Services Agency. The content will be updated as the rollout progresses.
Changes to maintenance
Using ACME certificates simplifies the maintenance of security servers:
- Manual certificate renewal is no longer needed.
- The renewal schedule no longer needs to be monitored manually.
- The risk of certificate expiration and service interruptions is reduced.
When using an X-Road version that supports full automation, security server administrators no longer need to renew certificates manually.
Responsibilities of the security server administrator after ACME deployment
After deployment, the administrator is responsible for:
- monitoring automatic certificate renewal
- monitoring ACME account events and logs in DVV’s e-service
- responding to notifications (e.g. email)
- investigating potential issues
- informing the organisation’s administrative contact person of changes
Requirements for deploying ACME
There are several key prerequisites for deploying ACME. This section provides a general overview of what is required. More detailed technical instructions will be published later.
Deploying ACME requires:
- registering an ACME account in DVV’s e-service
→ See detailed instructions: (to be added later)
- enabling ACME functionality on security servers and configuring the security server for ACME use
- opening the required network connections and ports
- configuring email notifications for monitoring ACME events (notifications are delivered over HTTP connections)
How to prepare for deploying ACME
Below are examples of matters that organisations should clarify and agree on before deploying ACME.
It is recommended that the persons responsible for administrative and technical matters plan the deployment together. Responsibility for each of the tasks listed below should be assigned. Each organisation decides on the division of responsibilities and the roles involved in certificate management.
Administrative tasks
Ensure that the organisation agrees on:
- who is responsible for certificate management
- the overall certificate process and responsibilities
- the schedule for ACME deployment
- practices for certificate monitoring and maintenance
- administrative responsibilities during operation
Technical tasks
Ensure that:
- an ACME account is created for the organisation and necessary users are added
- security servers are configured for ACME use
- certificates and events are actively monitored
ACME support in different X-Road versions
The following information supports planning the deployment of ACME from a technical perspective.
Deploying ACME requires that the security server is running at least X-Road version 7.5.1. Please take this into account when planning version upgrades.
- The Data Exchange Layer test environment (FI-TEST) is currently running version 7.6.2.
- Central server environments will be updated to a newer X-Road version during 2026.
We will announce separately when ACME deployment becomes available.
Operating system requirements: X-Road 7.5.1
- Ubuntu 22.04 LTS or 24.04 LTS
- Red Hat Enterprise Linux (RHEL) 8 or 9
ACME support in different X-Road versions
- 7.5.0 – certificate enrollment using ACME
- 7.6.0 – automatic certificate renewal + email notifications
- 7.7.0 – automatic certificate activation (full ACME automation)
Email notifications
From X-Road version 7.6.0 onwards, email notifications can be enabled so that administrators receive information about, for example, expiring certificates.
- Recommendation: use a shared process email address
Further information
Technical questions: palveluvayla@palveluvayla.fi
General deployment-related questions: palveluvayla-kayttoonotot@dvv.fi