ACME

Certificates that renew themselves. The IETF standard for TLS automation.

SSL.com supports the ACME protocol (RFC 8555) — the industry-standard mechanism for fully automated TLS certificate issuance, renewal, and revocation. With certificate lifetimes now capped at 200 days and shortening further, ACME automation is moving from a convenience to a necessity.

The standard for automated certificate issuance and renewal

ACME (Automated Certificate Management Environment) is an IETF standard (RFC 8555) that allows ACME-compatible clients to automatically request, validate, issue, renew, and revoke TLS certificates from an ACME-capable CA — with no human interaction required after initial setup.

ACME is the protocol that powers automated certificate lifecycle management at scale. It defines the handshake between an ACME client and the CA — domain validation, certificate signing, renewal — so the entire flow can run unattended.

SSL.com is a fully ACME-compatible CA. Any ACME client — Certbot, acme.sh, win-acme, Caddy, Traefik, and hundreds of others — can use SSL.com as its CA endpoint to issue and renew certificates automatically. Today, ACME issuance covers DV (Domain Validation) certificates; OV and EV issuance via ACME are coming soon — see the directory URL and roadmap below.

Why ACME is increasingly essential

⚠ Certificate lifetime context: Effective March 11, 2026, maximum TLS certificate lifetimes are 200 days. Apple has proposed reductions toward 47 days, with CA/B Forum approval already obtained.

At 200-day max lifetimes
  • A team with 100 certificates faces ~183 renewal events per year
  • Manual renewal at this frequency creates outage risk
  • Operations teams without automation are already under significant pressure

At 47-day max lifetimes (proposed)
  • The same 100-certificate team faces ~777 renewal events per year
  • Manual management becomes operationally impossible
  • ACME automation becomes the only viable approach at scale

SSL.com supports ACME today. Configure once — renew automatically for the life of your infrastructure.

Key capabilities

Automated issuance

ACME clients request certificates from SSL.com automatically — no portal interaction required. Certificates are issued within seconds of the ACME handshake.

Automated renewal

Certificates renew before expiry without human intervention — configured once, runs indefinitely. Works at 200-day and future 47-day certificate lifetimes.

Automated revocation

Certificates can be revoked automatically when no longer needed, via the same ACME client that issued them.

HTTP-01 challenge

Domain control validated via a file placed at a well-known URL. Works for most single-domain and SAN scenarios. Not available for wildcards.

DNS-01 challenge

Domain control validated via a DNS TXT record. Required for wildcard certificates; enables validation without HTTP server access. Works behind firewalls.

No rate limits

SSL.com imposes no issuance rate limits on ACME — scale to your needs without throttling, whether you manage dozens or hundreds of thousands of certificates.

Multi-domain support

ACME orders can include multiple Subject Alternative Names (SANs) — issue and renew multi-domain certificates automatically.

Validation levels

DV available today via ACME. OV and EV issuance via ACME — coming soon. Contact SSL.com for early access.

Supported ACME clients

Certbot

The most widely used ACME client. Native on Linux and macOS, extensive plugin ecosystem for DNS-01 providers, and ships pre-configured on many Linux distributions.

acme.sh

Lightweight shell script ACME client — DNS-01 plugins for 150+ DNS providers including Route 53, Cloudflare, Google Cloud DNS, Azure DNS, and every major registrar API.

win-acme

Windows-native ACME client with full IIS integration, scheduled task automation, and GUI configuration for Windows-centric hosting environments.

Caddy & Traefik

Modern reverse proxies with built-in ACME support. Configure SSL.com as your CA endpoint and TLS is handled automatically for every route and service.

cert-manager (K8s)

The canonical Kubernetes certificate manager. Creates Certificate resources declaratively, handles ACME flows for every Ingress, and rotates certificates without pod restarts.

SSL.com ACME directory URL (DV — available today):

https://acme.ssl.com/sslcom-dv/directory

🚧 Coming soon — OV and EV via ACME: Dedicated directory endpoints for OV and EV issuance are in development. Your existing ACME client will work against the new endpoints with no protocol-level changes. Contact SSL.com for early access and timing.

How to get started

1. Create an SSL.com account
   Register at ssl.com — free, no payment required until certificate issuance.

2. Generate ACME credentials
   Create ACME account credentials in your SSL.com dashboard.

3. Configure your ACME client
   Set SSL.com as the CA in your ACME client (Certbot, acme.sh, win-acme, Caddy, etc.).

4. Issue your first certificate
   Run your ACME client — it will request, validate, and receive a certificate automatically.

5. Schedule renewals
   Configure your ACME client to run automatically (via cron or systemd) — renewal happens without further intervention.

Challenge types

HTTP-01
File-based validation

ACME client places a token file at http://yourdomain.com/.well-known/acme-challenge/TOKEN.

Use when: Your server is publicly accessible on port 80. Works for single-domain and SAN certs. Not available for wildcards.

DNS-01
DNS record validation

ACME client creates a _acme-challenge.yourdomain.com DNS TXT record.

Use when: Your DNS provider supports programmatic TXT record creation. Required for wildcard certs. Works without HTTP server access.
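
Added example (not SSL.com's or any ACME client's own code): what a client computes for the two challenge types above, following RFC 8555 sections 8.1, 8.3 and 8.4 and the RFC 7638 JWK thumbprint. The account key and token are constructed sample values, and the function names are illustrative.

```python
import base64
import hashlib
import json

# JWK members that enter an RFC 7638 thumbprint, per key type.
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data):
    """Base64url without '=' padding, the encoding RFC 8555 uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """SHA-256 over the required members only, sorted, with no whitespace."""
    subset = {name: jwk[name] for name in REQUIRED_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, account_jwk):
    """RFC 8555 section 8.1: token, a dot, then the account key thumbprint."""
    return token + "." + jwk_thumbprint(account_jwk)


def http01_response(identifier, token, account_jwk):
    """Return (URL the CA fetches over port 80, exact body it must find)."""
    if identifier.startswith("*."):
        raise ValueError("HTTP-01 cannot validate a wildcard; use DNS-01")
    url = "http://%s/.well-known/acme-challenge/%s" % (identifier, token)
    return url, key_authorization(token, account_jwk)


def dns01_record(identifier, token, account_jwk):
    """Return (TXT name, TXT value); a wildcard is proven at its base domain."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_auth = key_authorization(token, account_jwk).encode("ascii")
    return "_acme-challenge." + base, b64url(hashlib.sha256(key_auth).digest())


# Constructed sample data: not a real account key, not a CA-issued token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "kid": "constructed-example",
              "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64)))}
SAMPLE_TOKEN = "constructed-token-0123456789abcdefABCDEF_-"

if __name__ == "__main__":
    print(http01_response("www.example.com", SAMPLE_TOKEN, SAMPLE_JWK))
    print(dns01_record("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK))
```

Both responses are bound to the account key through the thumbprint, so a token alone is not enough to pass validation. The wildcard identifier *.example.com is proven with a TXT record at _acme-challenge.example.com, while the HTTP-01 helper refuses it.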

Frequently asked questions

ACME is a protocol — there is no charge for using it. You pay for SSL.com certificates as normal; ACME is simply the mechanism by which they are requested and renewed automatically.
Yes, using the DNS-01 challenge. Your DNS provider must support programmatic TXT record creation. Most major DNS providers have ACME client plugins for DNS-01.
SSL.com supports DV (Domain Validation) certificates via ACME today. OV (Organization Validation) and EV (Extended Validation) issuance via ACME is coming soon. In the interim, OV and EV certificates can be issued through the SSL.com portal and API. Contact SSL.com for roadmap timing or early-access opportunities.
Most ACME clients include retry logic and alerting. SSL.com also sends expiry notifications via your account. For production environments, configure alerts so your team is notified if automated renewal fails.
ACME issues new certificates — it does not automatically migrate existing manually-issued certificates. You can transition to ACME-managed certificates by setting up your ACME client and allowing it to issue replacements.
No — ACME is the protocol; CLM (Certificate Lifecycle Management) is the broader practice of managing certificates from discovery through revocation. ACME is the automation engine that powers the issuance and renewal portions of CLM. See the CLM page for the full lifecycle management picture.

Related products & capabilities

CLM

The broader certificate lifecycle management practice — uses ACME for the issuance and renewal automation. Includes Venafi and Keyfactor integrations.

SSL Manager

GUI-based Windows desktop app for ordering and managing SSL.com certificates. Complement to ACME for teams that want both automated and manual workflows.

Single Domain TLS/SSL

Most commonly automated via ACME HTTP-01 challenge — the simplest deployment path for a single hostname.

Wildcard TLS/SSL

Automated via ACME DNS-01 challenge — DNS-01 is required since HTTP-01 cannot validate wildcard coverage.

Multi-Domain TLS/SSL

Multi-SAN ACME orders supported — issue and renew certificates covering dozens of different domains in one automated workflow.
