ACME / CLM

Certificates that renew themselves. Automation that never misses an expiry.

SSL.com supports the ACME protocol (RFC 8555) — the industry-standard mechanism for fully automated TLS certificate issuance, renewal, and revocation. With certificate lifetimes now capped at 200 days and shortening further, ACME automation is moving from a convenience to a necessity.

The standard for automated certificate lifecycle management

ACME (Automated Certificate Management Environment) is an IETF standard (RFC 8555) that allows ACME-compatible clients to automatically request, validate, issue, renew, and revoke TLS certificates from an ACME-capable CA — with no human interaction required after initial setup.

Certificate Lifecycle Management (CLM) is the broader practice of managing certificates from issuance through renewal and revocation. ACME is the protocol that enables it at scale.

SSL.com is a fully ACME-compatible CA. Any ACME client — Certbot, ACME.sh, win-acme, Caddy, Traefik, and hundreds of others — can use SSL.com as its CA endpoint.

Why ACME is increasingly essential

Certificate lifetime context: Effective March 11, 2026, maximum TLS certificate lifetimes are 200 days. Apple has proposed reductions toward 47 days, with CA/B Forum approval already obtained.

At 200-day max lifetimes
  • 100 certificates = ~183 renewal events/year
  • Manual renewal creates outage risk
  • Ops teams already under pressure

At 47-day max lifetimes (proposed)
  • 100 certificates = ~777 renewal events/year
  • Manual management becomes impossible
  • ACME is the only viable approach at scale

SSL.com supports ACME today. Configure once — renew automatically for the life of your infrastructure.

Key capabilities

Automated issuance & renewal

ACME clients request and renew certificates automatically — no portal interaction, no human intervention.

HTTP-01 & DNS-01 challenges

Domain validation via file (HTTP-01) or DNS TXT record (DNS-01). DNS-01 required for wildcards.

No rate limits

SSL.com imposes no issuance rate limits on ACME — scale to your needs without throttling.

Multi-domain & wildcard support

ACME orders can include multiple SANs and wildcard domains — issue and renew automatically.

Supported ACME clients

Certbot

Most widely used ACME client — Linux, macOS, extensive plugin ecosystem.

ACME.sh

Lightweight shell script — DNS-01 plugins for hundreds of DNS providers.

win-acme

Windows-native ACME client — integrates with IIS.

Caddy & Traefik

Built-in ACME — configure SSL.com as your CA endpoint.

cert-manager (K8s)

ACME integration for Kubernetes certificate management.

How to get started

1. Create an SSL.com account
   Register at ssl.com — free, no payment required until certificate issuance.

2. Generate ACME credentials
   Create ACME account credentials in your SSL.com dashboard.

3. Configure your ACME client
   Set SSL.com as the CA in your ACME client (Certbot, ACME.sh, win-acme, Caddy, etc.).

4. Issue your first certificate
   Run your ACME client — it will request, validate, and receive a certificate automatically.

5. Schedule renewals
   Configure your ACME client to run automatically (cron or systemd) — renewal happens without intervention.

ACME directory URL: https://acme.ssl.com/sslcom-dv/directory (DV) — see full documentation for OV configurations.

Challenge types

HTTP-01
File-based validation

ACME client places a token file at a well-known URL on your server.

Use when: Server is publicly accessible on port 80. Works for single-domain and SAN certs. Not available for wildcards.

DNS-01
DNS TXT record validation

ACME client creates a TXT record at _acme-challenge.yourdomain.com.

Use when: DNS provider supports programmatic updates. Required for wildcards. Works without HTTP server access.

Frequently asked questions

ACME is a protocol — there is no charge for using it. You pay for SSL.com certificates as normal; ACME is simply the mechanism by which they are requested and renewed automatically.
Yes, using the DNS-01 challenge. Your DNS provider must support programmatic TXT record creation. Most major DNS providers have ACME client plugins for DNS-01.
SSL.com supports DV certificates via ACME. OV certificates can also be issued via ACME with an additional organization validation step in your SSL.com account.
Most ACME clients include retry logic and alerting. SSL.com also sends expiry notifications via your account. For production environments, configure alerts so your team is notified.
ACME issues new certificates — it does not automatically migrate existing manually-issued certificates. You can transition by setting up your ACME client and allowing it to issue replacements.
SSL Manager is a Windows desktop GUI — suited for teams that prefer point-and-click and manage a moderate number of certificates. ACME/CLM is fully automated — suited for larger fleets, DevOps pipelines, and environments where certificates must renew without any human action.

Related products & capabilities

SSL Manager

GUI-based alternative for Windows environments — complement for teams that want both.

Single Domain TLS/SSL

Most commonly automated via ACME HTTP-01.

Wildcard TLS/SSL

Automated via ACME DNS-01 challenge.

Multi-Domain TLS/SSL

Multi-SAN ACME orders supported.

Automate your certificate renewals

Set up ACME with SSL.com — configure once, renew automatically
