SSL/TLS certificates keep your website and services secure—but managing them manually is tedious and risky. That’s where the ACME protocol comes in.
Short for Automated Certificate Management Environment, ACME automates the issuance, renewal, and revocation of certificates, eliminating manual work and reducing the chance of expired certificates taking your site offline.

Originally developed by the Internet Security Research Group (ISRG) for Let’s Encrypt, ACME has grown into an industry standard that works with multiple certificate authorities and is now used by organizations worldwide.
This shift is becoming more important as certificate lifetimes continue to shrink. The maximum validity moved to 200 days from March 2026, drops to 100 days from March 2027, and reaches just 47 days starting March 15, 2029. At that point, manual certificate management is no longer practical at any scale.
Table of Contents
- What is ACME?
- How the ACME Protocol Works
- Certificate Types Supported by ACME
- Benefits of Using ACME
- Setting Up an ACME Client
- ACME vs. Other Enrollment Protocols
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10
What is ACME Protocol?
The ACME protocol, or Automated Certificate Management Environment, automates the full lifecycle of SSL/TLS certificates. It eliminates manual steps by using standardized communication between ACME clients and certificate authorities to manage issuance, validation, installation, renewal, and revocation.
The protocol uses a client-server architecture where an ACME client (installed on your server) communicates with an ACME server (operated by a certificate authority) to request, validate, and manage certificates without human intervention. This automation prevents expired certificates, reduces security risks, and frees IT teams from repetitive manual tasks.
The Evolution of ACME Protocol
The Internet Security Research Group created ACME specifically for Let’s Encrypt, the free public certificate authority that launched in 2015. The first version, ACME v1, came out in 2016 and proved the concept worked at scale.
In 2018, ACME v2 arrived with important improvements. It added support for wildcard certificates (which cover all subdomains under a domain) and introduced DNS TXT validation for stronger security. ACME v2 became the official standard when the IETF published RFC 8555, and ACME v1 was phased out in 2021.
Because ACME is open-source, it’s been adopted by public certificate authorities and PKI vendors across the industry. You’re not locked into a single CA—you can choose from multiple providers or switch between them as your needs change. This flexibility is one reason ACME has become the go-to protocol for automated certificate management.
How the ACME Protocol Works
ACME uses a client–server model. An ACME client runs on your server or device and communicates with an ACME server operated by a certificate authority. The entire exchange uses JSON messages sent over HTTPS, so it’s both secure and standardized.
Here’s the basic workflow:
- Select your agent and domain. You install an ACME client (like Certbot or Caddy) on your server and tell it which domain you want to secure.
- Choose a CA. Point your client to an ACME-compatible certificate authority—DigiCert, Sectigo, or any other CA that supports the protocol.
- Generate a key pair and CSR. The client creates a private key and a certificate signing request (CSR) with your domain information.
- Prove domain control. The CA challenges you to prove you control the domain. You can respond with an HTTP-01 challenge (placing a file on your web server) or a DNS-01 challenge (adding a TXT record to your DNS).
- Sign a nonce. The client signs a unique nonce (a one-time random value) with your private key to prove authenticity.
- Receive your certificate. The CA verifies everything and issues your X.509 certificate. The certificate is delivered to the ACME client and installed automatically.
Renewal and revocation follow the same process. The client can request a new certificate before the old one expires, or revoke a compromised certificate, all without manual intervention.
Certificate Types Supported by ACME
ACME primarily issues Domain Validated (DV) certificates, which verify only that you control the domain. These are the fastest to issue and work well for most websites and services.
Organization-Validated (OV) and Extended Validation (EV) certificates require additional proof—like business documentation—to confirm your organization’s identity. ACME can support OV and EV certificates, but you’ll need to layer on manual verification steps because the protocol itself doesn’t handle business validation. Some CAs offer hybrid workflows that combine ACME automation with human review for higher-assurance certificates.
Wildcard certificates deserve special mention. ACME v2 added native support for wildcards, which secure all subdomains under a domain (like *.example.com). To issue a wildcard certificate, you must complete a DNS-01 challenge—adding a TXT record to your DNS zone—because HTTP challenges can’t prove control over all possible subdomains. This DNS validation adds a layer of security and makes wildcard certificates more reliable.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10
Benefits of Using ACME
- Automation Eliminates Manual Work. Manual certificate management is slow and error-prone. ACME automates every step—issuance, installation, renewal, and revocation—so you don’t have to generate CSRs, copy-paste ACME certificates, or set calendar reminders. This automation provides reduced human error and frees your team to focus on more important work.
- Improved Security Through Auto-Renewal. Expired certificates cause outages and security warnings. ACME provides enhanced security by automatically renewing certificates before they expire, so you don’t have to worry about forgetting a renewal deadline. This keeps your services online and your users safe.
- Cost Savings and Better Visibility. Many ACME-compatible CAs, like Let’s Encrypt, offer free DV certificates. Even if you use a commercial CA, automation reduces the labor cost of managing ACME certs. Plus, when you integrate ACME with a certificate management platform, you get a centralized view of all your certificates—expiration dates, issuance status, and lifecycle events—so nothing falls through the cracks.
- CA Agility. ACME’s open standard means you’re not locked into one vendor. If your CA has an outage or you want to switch providers, you can point your ACME client to a different CA without rewriting your automation. This CA-agnostic approach gives you flexibility and helps you avoid vendor lock-in.
- Open-Source and Accessible. ACME is an open protocol with no licensing fees. Anyone can implement an ACME client or server, and a thriving ecosystem of tools exists. This openness encourages innovation and makes automated certificate management available to organizations of all sizes.
All these benefits translate into fewer outages, better compliance, and a more secure infrastructure. ACME turns certificate management from a recurring headache into a background task that just works.
Setting Up an ACME Client
Getting started with ACME is straightforward. Here’s a step-by-step guide:
1. Choose a compatible ACME client and specify your domain.
Pick an ACME client that works with your environment. Popular options include:
- Certbot – the most widely used client, maintained by the Electronic Frontier Foundation
- Caddy – a web server with built-in ACME support
- ACMESharp – a PowerShell module for Windows environments
- GetSSL – a simple bash script for Unix-like systems
- Posh-ACME – another PowerShell option with advanced features
Tell the client which domain (or domains) you want to secure.
2. Select a CA compatible with your client.
Point your client to an ACME server. Let’s Encrypt is the most common choice, but Sectigo, Keyfactor, and other commercial CAs also offer ACME endpoints. Make sure you’re using an ACME v2-compatible server—ACME v1 is deprecated.
3. Generate a key authorization pair.
The client creates a private key and uses it to generate a certificate signing request. This key pair generation process is handled automatically by the ACME client. Keep your private key secure—it’s the foundation of your certificate’s trustworthiness.
4. Solve a challenge to prove domain control.
Depending on your setup, you’ll complete an HTTP-01 challenge (hosting a file on your web server) or a DNS-01 challenge (adding a TXT record to your DNS). For wildcard certificates, DNS-01 is required. The client usually handles this automatically if it has API access to your DNS provider.
5. Sign the nonce with your private key.
The CA sends a unique nonce, and the client signs it with your private key. This proves you control the key pair and prevents replay attacks.
6. Begin issuing, renewing, and revoking certificates automatically.
Once the CA verifies your responses, it issues your ACME cert. The client installs it and sets up automatic renewal. From this point on, certificates refresh in the background without manual intervention.
Tip: Stick with ACME v2. It’s the current standard and offers better security and features. ACME v1 is no longer supported by most CAs.
ACME vs. Other Enrollment Protocols
ACME isn’t the only protocol for automating certificate enrollment. Two older protocols—SCEP (Simple Certificate Enrollment Protocol) and EST (Enrollment over Secure Transport)—also exist, but they each have limitations.
SCEP automates initial certificate issuance and is widely used for device enrollment in enterprise environments. But SCEP doesn’t handle revocation or renewal well, so you need additional tools or manual processes to manage the full certificate lifecycle. It’s an older protocol that predates modern automation needs.
EST is a newer standard that automates enrollment and renewal, but it hasn’t achieved the same level of adoption as ACME. Fewer CAs and clients support EST, which limits its usefulness in real-world deployments.
ACME stands out because it manages the full lifecycle—issuance, renewal, and revocation—in one protocol. It’s community-driven, openly documented in RFC 8555, and supported by a wide range of certificate authorities and open-source tools. For most organizations, ACME’s combination of automation, flexibility, and ecosystem support makes it the preferred choice.
Best Practices and Considerations
- Use ACME v2 and stay current with RFC 8555. ACME v1 is deprecated. Make sure your clients and servers support ACME v2, and keep your tools updated to benefit from security improvements and new features.
- Prefer DNS-01 challenges for wildcard certificates. If you need to secure all subdomains under a domain, use a wildcard certificate with DNS-01 validation. HTTP-01 challenges can’t prove control over all possible subdomains, so DNS is the only option. Automate this by giving your ACME client API access to your DNS provider.
- Maintain a backup CA for resilience. CA agility is one of ACME’s strengths. Configure your automation to fail over to a secondary CA if your primary CA has an outage. This ensures continuous certificate issuance even if one provider has issues.
- Integrate ACME with a certificate management platform. For larger deployments, connect your ACME automation to a platform like Keyfactor, AppViewX, or CyberArk. These tools give you visibility across all your certificates, help you enforce policies, and make it easier to audit your infrastructure.
- Secure your private keys. Even with automation, security matters. Store private keys in hardware security modules (HSMs) or use device attestation methods (like Apple’s Secure Enclave) for high-assurance environments. Tools like SecureW2’s Dynamic PKI with Cloud RADIUS can help integrate device identity into your certificate workflows.
- Monitor certificate expiration dates. Automation is reliable, but it’s not foolproof. Set up alerts to notify you if a certificate is approaching expiration without being renewed. This gives you a safety net in case something goes wrong with your automation.
Ready to Automate Your Certificate Lifecycle?
Stop worrying about expired certificates and manual renewals. SSL Dragon offers ACME-compatible SSL certificates from trusted authorities like Sectigo and DigiCert—starting at just $25/year. Get automatic issuance, renewal, and management with unlimited reissues, $500,000+ warranty coverage, and 24/7 technical support.
Whether you need Domain Validated (DV), Organization-Validated (OV), or Extended Validation (EV) certificates, our ACME solutions integrate seamlessly with popular clients like Certbot, acme.sh, and more.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10






