Automating Certificate Management with ACME: What You Need to Know

Have you heard of ACME and wondered what it is? We’ve got you covered. Our easy-to-follow guide, we'll explain what ACME is, how it works, and how to get started using it to automate certificate management.

What Is ACME?

Managing digital certificates manually is a recipe for outages, non-compliance, and human error. The ACME protocol (Automated Certificate Management Environment) offers a standardised, secure, and largely automated way to handle the full certificate lifecycle: issuance, renewal, and revocation. 

• Definition: ACME is a protocol standardised in RFC 8555 by the IETF that lets servers request, renew, and revoke TLS/SSL certificates automatically from a Certificate Authority (CA) - a trusted organisation that issues and manages digital certificates to verify the identity of websites, systems, or users and enable secure, encrypted communications.
• Origins: It was originally developed by the Internet Security Research Group (ISRG) to streamline the issuance of domain-validated certificates. Today, it is widely used across both public and private CAs.
• Public vs Private Use: While many people know ACME through public CAs, it is increasingly supported by private PKI vendors and enterprise platforms.

Why Use ACME?

The ACME protocol was designed to simplify the process of managing certificates, bringing automation and standardisation. Some of the main reasons organisations should adopt ACME include:

• Automation: Removes many manual steps in certificate issuance, renewal, and revocation. Reduces risk of expired certificates.
• Reduced Errors & Outages: When certificates expire unexpectedly, websites or services can go down. Automated renewals via ACME help prevent that.
• Scalability: As an organisation grows (more domains, microservices, internal systems), manual certificate management becomes unwieldy. ACME scales well.
• Standardisation: Common API & JSON/HTTPS-based protocol ensures interoperability among clients, CAs, and enterprise systems.

How ACME Works: The Lifecycle

Behind the scenes, ACME follows a straightforward workflow that ensures certificates are issued only to authorised parties (CAs) and remain valid throughout their lifecycle. From initial setup to renewal and revocation, each step is designed to automate processes. Here’s how the ACME protocol works in practice:

1. Client and Account Setup

• An ACME client is installed on a server or device that needs a certificate. Common examples include Certbot.
• The client creates an account key pair with the CA. The public part is registered; all future authorisation messages are signed with the private key.

2. Domain Ownership / Challenge Validation

To prove control of a domain (or other identifier), the ACME client must complete a challenge issued by the CA. Common types:

• HTTP-01: client hosts a challenge file at a specific path under /.well-known/acme-challenge/. CA fetches it via HTTP.
• DNS-01: client adds a TXT record in the Domain Name System (DNS) with a token. CA queries DNS to verify. Useful especially for wildcard certificates.
• TLS-ALPN-01: uses a TLS handshake, with ALPN, to present a special certificate for validation. More advanced.

3. Certificate Signing Request (CSR)

• Once challenge(s) are satisfied, the client generates a CSR containing the public key and information about the domain(s). The client signs this as part of the request.

4. Issuance and Installation

• The CA verifies the CSR, confirms the validations, issues the certificate, and delivers it to the client. The client then installs it (e.g. on a web server, load balancer, etc.).

5. Renewal

• Certificates are generally valid for a limited period and these validity periods set to shrink significantly over the next few years. The client must re-run the challenges (or rely on existing authorisations, depending on CA policy) and request renewal before expiry. Automated renewal is a key benefit.

6. Revocation

• If a certificate is compromised or no longer needed, it can be revoked via ACME. The CA will publish revocation information via mechanisms like Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP).

By pairing ACME automation with a trusted Certificate Authority, organisations can scale secure communications confidently across every system and service.

Common Pitfalls and Challenges

• DNS automation: For DNS-01 challenges, automating updates to DNS records can require APIs support, propagation delays, and coordination across teams.
• Network/firewall issues: HTTP-01 or TLS-ALPN-01 challenges may fail if network routing, firewalls, or load balancers are misconfigured.
• Trust and compliance: Internal or private PKIs need internal trust (devices, browsers) and may require stricter auditability. Public CAs have policies to satisfy.
• Certificate expiry risks: If renewal automation fails, expired certificates can cause service disruption or security warnings. Monitoring is essential.
• Wildcard certificates usage constraints: Some CAs require extra validation or restrict their use.