The Automatic Certificate Management Environment (ACME) is a protocol that lets a server request, install, and replace its own SSL Certificates without anyone doing the work by hand. It was created to make encrypted connections easier to set up and keep running.
Automation matters more every year, because SSL Certificate validity periods keep getting shorter. As the maximum lifetime falls toward 47 days by 2029, replacing SSL Certificates by hand becomes impractical, and ACME removes that burden entirely. Learn About Automated SSL Certificate Management 🔗
The ACME Request Cycle
ACME works through a short, repeatable exchange between your server and the Certificate Authority (CA). The process is the same every time, which is what makes full automation possible.
First, an ACME client on your server registers an account at the ACME endpoint using a key pair for identification. Trustico® provides a separate endpoint for each product line, so your client connects to the Trustico® endpoint or the Sectigo® endpoint depending on the license you hold.
Next comes validation. The Certificate Authority (CA) issues one or more challenges to confirm that you control the domain, and your ACME client answers them automatically. No manual approval is needed once the client is configured. Learn About The Validation Procedure 🔗
Once a challenge succeeds, the Certificate Authority (CA) issues the SSL Certificate and your ACME client installs it. Before the SSL Certificate expires, the client repeats the exchange and reissues automatically, so protection never lapses.
The Validation Challenges
ACME confirms domain control in one of three standard ways, and your client handles whichever one you configure.
The first places a file on your web server that the Certificate Authority (CA) retrieves over a normal connection. This method needs port 80 to be reachable from the outside.
The second adds a Domain Name System (DNS) TXT record to your domain. It works even when a server sits behind a firewall, and it is the only method that can issue a wildcard SSL Certificate covering every subdomain.
The third proves control through a short exchange on port 443, which is useful when port 80 is closed. Your ACME client selects and completes the method for you at each reissue.
Benefits of Automated Issuance
Automating SSL Certificate management does more than save time. It removes the single most common cause of website outages, which is an SSL Certificate that quietly expired because someone forgot to replace it.
It also brings consistency. Every SSL Certificate is requested, validated, and installed the same way, which reduces human error and keeps security uniform across servers. For teams managing many domains, that consistency is often more valuable than the time saved.
Clients, Servers, and Control Panels
ACME is built into a wide range of tools, so most environments already have a way to use it. The most widely used standalone client is Certbot, and web servers such as Apache and Nginx offer built-in support.
Control panels such as cPanel and Plesk include ACME support as well, which brings automation to shared hosting without any command line work. Compare the available clients before you choose one. Learn About Supported ACME Clients 🔗
Tip : If your website runs on cPanel, the Trustico® Certificate as a Service (CaaS) cPanel Plugin brings automated SSL Certificate management directly into your hosting control panel, without the command line. It retrieves, installs, and reissues your SSL Certificates from within cPanel itself. Explore the Trustico® cPanel Plugin 🔗
Whichever route you take, the aim is the same, hands-off SSL Certificate management that keeps pace with shorter validity periods.
ACME with Trustico® Certificate as a Service (CaaS)
Trustico® delivers ACME automation through Certificate as a Service (CaaS). Instead of managing individual SSL Certificates by hand, you hold a Certificate as a Service (CaaS) license and let your server handle every reissue. Explore Certificate as a Service (CaaS) 🔗
After your purchase, Trustico® supplies External Account Binding (EAB) credentials. These credentials tie your ACME client to your license and the correct endpoint, so only your authorized server can request SSL Certificates against it. Learn About External Account Binding (EAB) Credentials 🔗
Configuration is a one-time step. You set the External Account Binding (EAB) credentials and the endpoint address in your ACME client, and from then on it manages the full SSL Certificate lifecycle on its own.
Keeping ACME Secure
Automation does not remove the need for good security habits on your side. Store your account keys safely, keep your ACME client updated, and restrict who can change its configuration.
It is also worth testing your reissue process from time to time, rather than assuming it works. A quick check that a scheduled reissue completes will catch configuration problems long before an SSL Certificate is due to expire.
Common Use Cases
ACME suits almost any setup where SSL Certificates need to stay current without manual effort. Hosting providers use it to secure large numbers of customer domains, and online stores rely on it to keep payment pages protected at all times.
It is equally at home in automated build pipelines and container platforms, where new services appear and disappear quickly and each one still needs a valid SSL Certificate. In those environments, manual management is simply not an option.
Getting Started
The move to shorter SSL Certificate lifetimes is already under way, so there is little reason to wait. Choosing a Certificate as a Service (CaaS) license and configuring an ACME client now means your SSL Certificates are handled automatically from that point forward. Compare Your Options Against Traditional SSL Certificates 🔗