ACME - Automated SSL Certificate Issuance

The Automatic Certificate Management Environment (ACME) is a protocol that lets a server request, install, and replace its own SSL Certificates without anyone doing the work by hand. It was created to make encrypted connections easier to set up and keep running.

Automation matters more every year, because SSL Certificate validity periods keep getting shorter. As the maximum lifetime falls toward 47 days by 2029, replacing SSL Certificates by hand becomes impractical, and ACME removes that burden entirely. Learn About Automated SSL Certificate Management 🔗

The ACME Request Cycle

ACME works through a short, repeatable exchange between your server and the Certificate Authority (CA). The process is the same every time, which is what makes full automation possible.

First, an ACME client on your server registers an account at the ACME endpoint using a key pair for identification. Trustico® provides a separate endpoint for each product line, so your client connects to the Trustico® endpoint or the Sectigo® endpoint depending on the license you hold.

Next comes validation. The Certificate Authority (CA) issues one or more challenges to confirm that you control the domain, and your ACME client answers them automatically. No manual approval is needed once the client is configured. Learn About The Validation Procedure 🔗

Once a challenge succeeds, the Certificate Authority (CA) issues the SSL Certificate and your ACME client installs it. Before the SSL Certificate expires, the client repeats the exchange and reissues automatically, so protection never lapses.

The Validation Challenges

ACME confirms domain control in one of three standard ways, and your client handles whichever one you configure.

The first places a file on your web server that the Certificate Authority (CA) retrieves over a normal connection. This method needs port 80 to be reachable from the outside.

The second adds a Domain Name System (DNS) TXT record to your domain. It works even when a server sits behind a firewall, and it is the only method that can issue a wildcard SSL Certificate covering every subdomain.

The third proves control through a short exchange on port 443, which is useful when port 80 is closed. Your ACME client selects and completes the method for you at each reissue.

Benefits of Automated Issuance

Automating SSL Certificate management does more than save time. It removes the single most common cause of website outages, which is an SSL Certificate that quietly expired because someone forgot to replace it.

It also brings consistency. Every SSL Certificate is requested, validated, and installed the same way, which reduces human error and keeps security uniform across servers. For teams managing many domains, that consistency is often more valuable than the time saved.

Clients, Servers, and Control Panels

ACME is built into a wide range of tools, so most environments already have a way to use it. The most widely used standalone client is Certbot, and web servers such as Apache and Nginx offer built-in support.

Control panels such as cPanel and Plesk include ACME support as well, which brings automation to shared hosting without any command line work. Compare the available clients before you choose one. Learn About Supported ACME Clients 🔗

Tip : If your website runs on cPanel, the Trustico® Certificate as a Service (CaaS) cPanel Plugin brings automated SSL Certificate management directly into your hosting control panel, without the command line. It retrieves, installs, and reissues your SSL Certificates from within cPanel itself. Explore the Trustico® cPanel Plugin 🔗

Whichever route you take, the aim is the same, hands-off SSL Certificate management that keeps pace with shorter validity periods.

ACME with Trustico® Certificate as a Service (CaaS)

Trustico® delivers ACME automation through Certificate as a Service (CaaS). Instead of managing individual SSL Certificates by hand, you hold a Certificate as a Service (CaaS) license and let your server handle every reissue. Explore Certificate as a Service (CaaS) 🔗

After your purchase, Trustico® supplies External Account Binding (EAB) credentials. These credentials tie your ACME client to your license and the correct endpoint, so only your authorized server can request SSL Certificates against it. Learn About External Account Binding (EAB) Credentials 🔗

Configuration is a one-time step. You set the External Account Binding (EAB) credentials and the endpoint address in your ACME client, and from then on it manages the full SSL Certificate lifecycle on its own.

Keeping ACME Secure

Automation does not remove the need for good security habits on your side. Store your account keys safely, keep your ACME client updated, and restrict who can change its configuration.

It is also worth testing your reissue process from time to time, rather than assuming it works. A quick check that a scheduled reissue completes will catch configuration problems long before an SSL Certificate is due to expire.

Common Use Cases

ACME suits almost any setup where SSL Certificates need to stay current without manual effort. Hosting providers use it to secure large numbers of customer domains, and online stores rely on it to keep payment pages protected at all times.

It is equally at home in automated build pipelines and container platforms, where new services appear and disappear quickly and each one still needs a valid SSL Certificate. In those environments, manual management is simply not an option.

Getting Started

The move to shorter SSL Certificate lifetimes is already under way, so there is little reason to wait. Choosing a Certificate as a Service (CaaS) license and configuring an ACME client now means your SSL Certificates are handled automatically from that point forward. Compare Your Options Against Traditional SSL Certificates 🔗

Sectigo® CaaS DV Single Site vs Wildcard Comparison

Certificate as a Service (CaaS) provides automated SSL Certificate management through APIs. Choose Single Site for individual domain automation, or Wildcard for comprehensive subdomain coverage with full API-driven SSL Certificate lifecycle management.

Feature Sectigo® CaaS DV Single Site Sectigo® CaaS DV + Wildcard
Service Type Certificate as a Service (CaaS) Certificate as a Service (CaaS)
Coverage Single Domain Only Unlimited Subdomains
Domains Covered www.example.com + example.com *.example.com + example.com
Automation Level Fully Automated Fully Automated
API Access Full RESTful API Full RESTful API
Validation Level Domain Validation (DV) Domain Validation (DV)
Validation Methods E-Mail / DNS / HTTP / HTTPS E-Mail / DNS / HTTP / HTTPS
Issuance Time Very Fast! Issued Within Minutes Very Fast! Issued Within Minutes
Auto-Renewal Automated Renewal Available Automated Renewal Available
Certificate Management Centralized Dashboard Centralized Dashboard
Integration Options API, Webhooks, SDK API, Webhooks, SDK
Ideal For SaaS Platforms, Single Domain Apps Multi-Tenant SaaS, Complex Infrastructures
Scalability Per-Domain Scaling Automatic Subdomain Coverage
Warranty $500,000 USD $500,000 USD
Encryption Strength 256-bit SSL Encryption 256-bit SSL Encryption
Browser Compatibility 99.9% Browser Trust 99.9% Browser Trust
Dual Domain Coverage Includes Root Domain SAN Free! Includes Root Domain SAN Free!
Reissues Unlimited Unlimited
Deployment Options Cloud, On-Premise, Hybrid Cloud, On-Premise, Hybrid
Information Page Product Information Page 🔗 Product Information Page 🔗
Your Trustico® Price €61,95 EUR €246,95 EUR
Purchase Options Instant - Buy Now 🔗 Instant - Buy Now 🔗

Most Popular Questions

Frequently asked questions covering how the Automatic Certificate Management Environment (ACME) automates SSL Certificate issuance and reissue, its validation challenges, and how Trustico® delivers it through Certificate as a Service (CaaS)

The Automatic Certificate Management Environment (ACME) Explained

The Automatic Certificate Management Environment (ACME) is a protocol that lets a server request, install, and replace its own SSL Certificates automatically. It removes the manual work of SSL Certificate management and keeps encrypted connections running without gaps. This matters more each year as SSL Certificate validity periods grow shorter.

Steps in the ACME Request Cycle

An ACME client on your server registers an account at the Certificate Authority (CA) endpoint, then answers a challenge that proves you control the domain. Once the challenge succeeds, the Certificate Authority (CA) issues the SSL Certificate and the client installs it. Before the SSL Certificate expires, the client repeats the exchange and reissues automatically.

Validation Challenges Used by ACME

ACME confirms domain control in one of three ways. It can place a file on your web server, add a Domain Name System (DNS) TXT record to your domain, or complete a short exchange on port 443. The Domain Name System (DNS) method is the only one that can issue a wildcard SSL Certificate.

Benefits of Automated SSL Certificate Management

Automation removes the most common cause of outages, which is an SSL Certificate that expired because nobody replaced it in time. It also brings consistency, since every SSL Certificate is requested, validated, and installed the same way. For teams managing many domains, that reliability is often worth more than the time saved.

ACME Support in Clients and Control Panels

ACME is built into many tools, so most setups already have a way to use it. Certbot is the most widely used standalone client, and web servers such as Apache and Nginx include support. Control panels such as cPanel and Plesk also support ACME, and the Trustico® CaaS cPanel Plugin brings it into cPanel without any command line work.

ACME with Trustico® Certificate as a Service (CaaS)

Trustico® delivers ACME automation through Certificate as a Service (CaaS), so your server handles every reissue within your license. After purchase, Trustico® supplies External Account Binding (EAB) credentials that tie your ACME client to your license and the correct endpoint. Configuration is a one-time step, after which the client manages the full SSL Certificate lifecycle on its own.

Security Practices for ACME Automation

Automation does not remove the need for good security habits. Store your account keys safely, keep your ACME client updated, and limit who can change its configuration. It is also worth testing your reissue process from time to time, so any problem is caught well before an SSL Certificate expires.