SSLmentor

ACME

The ACME protocol (Automatic Certificate Management Environment) is an open internet standard for fully automated issuance, renewal, and revocation of TLS/SSL certificates. With ACME, a web server can request its own certificate and renew it without an administrator stepping in. ACME clients automate and greatly simplify certificate management at a time when CA/Browser Forum requirements are progressively shortening the maximum validity of public TLS certificates, down to 47 days by 2029.

What is the ACME protocol?

ACME is defined in RFC 8555 (published in 2019), which standardizes communication between a client (a web server or a certificate management tool) and a certificate authority (CA). It was originally designed and popularized by Let's Encrypt, which issues free domain-validated (DV) certificates via ACME.

The protocol works on a challenge-response principle: the client proves to the CA that it really controls each domain it is requesting a certificate for. Once the proof has been verified, the CA issues the certificate automatically. With the challenge in place, the whole exchange usually takes a matter of seconds.

The abbreviation ACME stands for Automatic Certificate Management Environment.

How does ACME work?

Communication between the ACME client and the CA takes place exclusively over HTTPS, as a REST-style API exchanging JSON messages. Every request the client sends is a JSON Web Signature (JWS) signed with the account key; the signed header also carries the target URL and a single-use nonce obtained from the CA, so a captured request can neither be replayed nor redirected to another endpoint. The whole process can be summarized in the following steps.

  • Account registration – The ACME client generates a key pair (private + public key) and registers a new account with the CA. The public key identifies the account and the private key signs every subsequent request, so it deserves the same protection as a server private key: whoever holds it can order certificates for every domain the account is able to validate.
  • Certificate request (Order) – The client sends the CA the list of domains (identifiers) it wants in the certificate. The CA returns an order with one authorization per domain, each listing the challenges the client may complete.
  • Completing the challenge (Challenge) – The client picks one of the offered challenge types (HTTP-01, DNS-01, TLS-ALPN-01) and performs the required action: places a token-based file on the web server, creates a DNS record, or presents a special TLS certificate.
  • Verification by the CA – The CA checks the challenge itself (fetches the URL, queries the DNS record, etc.), usually from several network vantage points. A successful check marks the domain authorization as valid.
  • Certificate issuance – The client finalizes the order with a certificate signing request (CSR). The CSR is signed with a separate certificate key, not the account key. The CA issues the certificate and the client downloads it, together with the intermediate chain, in PEM format.
  • Automatic renewal – The ACME client schedules regular renewal (a cron job, systemd timer, or service). Certificates are renewed well before expiry, conventionally when about a third of the lifetime remains (30 days for a 90-day Let's Encrypt certificate), so a failed attempt leaves time to fix the problem before HTTPS goes down.
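The request envelope used by every step above, as an added example that is not part of this page or of any ACME client: an in-memory mock of the CA and the client that exchange the RFC 8555 JWS structure (protected header with alg, nonce, url and jwk or kid; base64url payload; signature), consume each nonce once, and refuse a request posted to a URL other than the one it was signed for. The directory, account and order URLs and the payload contents are assumptions. The signature uses HS256 with a shared secret only because the Python standard library has no ECDSA or RSA; RFC 8555 §6.2 forbids MAC-based algorithms for account keys, so a real client signs with ES256 or RS256 and the CA holds only the public JWK.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AcmeError(Exception):
    """Carries the RFC 8555 §6.7 error type (urn:ietf:params:acme:error:<type>)."""


class MockCA:
    """CA side of the RFC 8555 §6 envelope, kept in memory; URLs are assumed."""
    def __init__(self, directory="https://ca.example/acme"):
        self.directory = directory
        self.nonces = set()        # issued and not yet consumed (§6.5)
        self.accounts = {}         # account URL (kid) -> key received at newAccount
        self.orders = 0

    def new_nonce(self) -> str:
        nonce = b64url(secrets.token_bytes(16))
        self.nonces.add(nonce)
        return nonce

    def post(self, url: str, jws: dict) -> dict:
        protected = json.loads(b64url_decode(jws["protected"]))
        if protected.get("url") != url:                # §6.4: bound to the posted URL
            raise AcmeError("unauthorized")
        if protected.get("nonce") not in self.nonces:  # §6.5: unknown or already spent
            raise AcmeError("badNonce")
        self.nonces.discard(protected["nonce"])        # consume it: a replay now fails
        if "jwk" in protected and "kid" in protected:  # §6.2: exactly one of the two
            raise AcmeError("malformed")
        new_account = url == f"{self.directory}/new-account"
        key = protected.get("jwk") if new_account else self.accounts.get(protected.get("kid"))
        if key is None:
            raise AcmeError("malformed" if new_account else "accountDoesNotExist")
        signing_input = f"{jws['protected']}.{jws['payload']}".encode()
        mac = hmac.new(b64url_decode(key["k"]), signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, b64url_decode(jws["signature"])):
            raise AcmeError("malformed")               # signature does not verify
        payload = json.loads(b64url_decode(jws["payload"])) if jws["payload"] else None
        if new_account:
            location = f"{self.directory}/acct/{len(self.accounts) + 1}"
            self.accounts[location] = key              # the account URL becomes the kid
            body = {"status": "valid", "orders": f"{location}/orders"}
        elif url == f"{self.directory}/new-order":
            self.orders += 1
            location = f"{self.directory}/order/{self.orders}"
            body = {"status": "pending", "identifiers": payload["identifiers"],
                    "authorizations": [f"{location}/authz/{i}"
                                       for i in range(len(payload["identifiers"]))]}
        else:
            raise AcmeError("malformed")
        # every successful reply carries a fresh Replay-Nonce for the next request
        return {"location": location, "body": body, "nonce": self.new_nonce()}


class MockClient:
    """Client side: signs (protected, payload) and rotates the nonce after each reply."""
    def __init__(self, ca: MockCA):
        self.ca, self.kid = ca, None
        self.secret = secrets.token_bytes(32)          # HS256 stand-in for the account key
        self.jwk = {"kty": "oct", "k": b64url(self.secret)}
        self.nonce = ca.new_nonce()                    # a real client does HEAD newNonce

    def sign(self, url: str, payload) -> dict:
        header = {"alg": "HS256", "nonce": self.nonce, "url": url}
        header["kid" if self.kid else "jwk"] = self.kid or self.jwk  # jwk only before an account exists
        protected = b64url(json.dumps(header, separators=(",", ":")).encode())
        body = "" if payload is None else b64url(json.dumps(payload, separators=(",", ":")).encode())
        mac = hmac.new(self.secret, f"{protected}.{body}".encode(), hashlib.sha256).digest()
        return {"protected": protected, "payload": body, "signature": b64url(mac)}

    def post(self, url: str, payload):
        jws = self.sign(url, payload)
        resp = self.ca.post(url, jws)
        self.nonce = resp["nonce"]                     # next request must use the fresh nonce
        return jws, resp

    def register(self):
        _, resp = self.post(f"{self.ca.directory}/new-account", {"termsOfServiceAgreed": True})
        self.kid = resp["location"]
        return resp

    def new_order(self, domains):
        return self.post(f"{self.ca.directory}/new-order",
                         {"identifiers": [{"type": "dns", "value": d} for d in domains]})


def envelope_rejections() -> dict:
    """Replaying a captured JWS (its nonce is spent) and redirecting a JWS signed for
    newOrder to another endpoint: both are refused before the payload is even read."""
    ca, results = MockCA(), {}
    client = MockClient(ca)
    client.register()
    order_url = f"{ca.directory}/new-order"
    captured, _ = client.new_order(["example.org"])
    for name, url, jws in (("replay", order_url, captured),
                           ("wrong-url", f"{ca.directory}/revoke-cert", client.sign(order_url, {}))):
        try:
            ca.post(url, jws)
            results[name] = "accepted"
        except AcmeError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    print(envelope_rejections())   # {'replay': 'badNonce', 'wrong-url': 'unauthorized'}
```

The order of checks in MockCA.post mirrors what a CA has to get right: the URL and nonce are validated from the signed header before the account is looked up, and the nonce is consumed whether or not the rest of the request succeeds, so a second copy of the same JWS can never be accepted.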

Types of ACME challenges

To verify that the applicant really controls the domain, ACME offers three standardized challenge types (HTTP-01 and DNS-01 are defined in RFC 8555, TLS-ALPN-01 in RFC 8737):

HTTP-01

The ACME client serves a file at http://<domain>/.well-known/acme-challenge/<token>. Its content is the key authorization: the token joined with a thumbprint of the account's public key, so only the account that requested the challenge can answer it. The CA fetches the URL over plain HTTP on port 80 (it may follow redirects, including to HTTPS). This is the most commonly used verification method.

Limitations: Cannot be used for wildcard certificates. The domain must resolve to a host that is publicly reachable on port 80, and because the CA may validate from several vantage points, restricting port 80 to a list of CA addresses is not reliable.

DNS-01

The client creates a TXT record named _acme-challenge.domenaxyz.cz whose value is derived from the CA's token (the SHA-256 hash of the key authorization, base64url encoded). The CA looks the record up via DNS. This is the only method that allows a wildcard certificate (*.domenaxyz.cz is validated at the same name, _acme-challenge.domenaxyz.cz), and it does not require the web server itself to be reachable from the internet.

Limitations: Requires API access to the domain's DNS records, which means a DNS provider credential sits on the server; use a token scoped to that zone, or delegate _acme-challenge via CNAME to a dedicated zone so the credential cannot change anything else. Can be slower because of DNS propagation; clients usually wait and query the authoritative servers before asking the CA to validate.

TLS-ALPN-01

Verification takes place over TLS on port 443 using the ALPN (Application-Layer Protocol Negotiation) extension, as defined in RFC 8737. The CA opens a TLS connection with SNI set to the domain and the ALPN protocol acme-tls/1; the client answers with a temporary self-signed certificate that carries the domain name and a hash of the key authorization in a dedicated acmeIdentifier extension. Nothing has to be served on port 80, and the normal site on port 443 is unaffected because the special certificate is presented only for that ALPN value.

Limitations: Requires control of the TLS listener on port 443, which many hosting environments and load balancers do not expose. Cannot be used for wildcard certificates.
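The values that HTTP-01, DNS-01 and TLS-ALPN-01 publish, as an added example that is not code from this page or from any ACME client: the key authorization and the exact artifact each challenge type exposes, computed from a CA-issued token and the account's public JWK as specified in RFC 8555 §8 and RFC 7638. The token and the EC key coordinates below are constructed placeholders, not a real key.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as used everywhere in ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Members that enter the thumbprint, by key type (RFC 7638 §3.2 and RFC 8037);
# everything else in the JWK (kid, alg, use, ...) is ignored.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y"), "OKP": ("crv", "kty", "x")}


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members only, lexicographically ordered, no whitespace."""
    required = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 §8.1: token '.' thumbprint(account public key). Binding the token to the
    account key is what stops someone who learns the token from completing the challenge
    with an account of their own."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_resource(token: str, account_jwk: dict):
    """HTTP-01 (§8.3): the path under /.well-known/acme-challenge/ and the exact body."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)


def ca_checks_http01(served_body: str, token: str, account_jwk: dict) -> bool:
    """What the CA compares after fetching the URL; §8.3 lets it ignore trailing whitespace,
    nothing else."""
    return served_body.rstrip() == key_authorization(token, account_jwk)


def dns01_txt(token: str, account_jwk: dict, domain: str):
    """DNS-01 (§8.4): the TXT value is base64url(SHA-256(key authorization)), not the key
    authorization itself. A wildcard *.example.org is validated at _acme-challenge.example.org."""
    domain = domain[2:] if domain.startswith("*.") else domain
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode()).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def tls_alpn01_acme_identifier(token: str, account_jwk: dict) -> bytes:
    """TLS-ALPN-01 (RFC 8737 §3): the raw SHA-256 of the key authorization, carried in the
    acmeIdentifier extension (OID 1.3.6.1.5.5.7.1.31) of a self-signed certificate that is
    served only when the peer negotiates ALPN acme-tls/1."""
    return hashlib.sha256(key_authorization(token, account_jwk).encode()).digest()


# Constructed account public key as it appears in the JWS header; the coordinates are
# placeholders and have not been checked to be a real P-256 point.
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}

if __name__ == "__main__":
    token = "DGyRejmCefe7v4NfDGDKfA"        # constructed; real tokens are issued by the CA
    print(http01_resource(token, ACCOUNT_JWK))
    print(dns01_txt(token, ACCOUNT_JWK, "*.example.org"))
    print(tls_alpn01_acme_identifier(token, ACCOUNT_JWK).hex())
```

Two details worth noticing: the thumbprint depends only on the key material, so adding kid or alg to the JWK or reordering its members does not change it, and DNS-01 and TLS-ALPN-01 both publish the same SHA-256 digest of the key authorization, only encoded differently (base64url in a TXT record versus raw bytes in a certificate extension).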

ACME clients – overview of tools

A wide range of ready-made tools for the ACME protocol is available; the most common ones are listed below.

Certbot

The most popular ACME client, maintained by the EFF (eff.org). Automatic integration with Apache and Nginx; runs on Linux and macOS. Certbot is widely used and well documented, offers simple commands for obtaining and renewing certificates, and supports many web servers and hosting environments through plugins.

acme.sh

A minimalist ACME client written in POSIX shell, with built-in DNS-01 automation for more than 150 DNS providers. Runs on Linux, macOS and FreeBSD. acme.sh focuses on simplicity and broad compatibility.

win-acme

An ACME client for Windows with IIS integration, usable from both a GUI and the command line. win-acme is ideal for managing certificates on Windows servers, especially with IIS.

Lego

An ACME client written in Go, available both as a command-line tool and as a library. Lego is suited to custom integration and scripting, since it can be embedded directly in Go programs.
