ACME (Automatic Certificate Management Environment)

Security

A protocol for automating TLS certificate issuance, renewal and revocation. Developed by the Let's Encrypt project and standardized by the IETF as RFC 8555. Enables CDNs to provision certificates for millions of domains automatically.

Updated Mar 17, 2026

Full Explanation

ACME (Automatic Certificate Management Environment) automates obtaining, renewing, and revoking TLS certificates. Before ACME, getting a certificate meant generating a CSR, submitting it to a CA by email or web form, waiting hours or days for a human-driven validation, then installing the result by hand. ACME replaces all of that with a JSON-over-HTTPS API in which the client proves control of each name and receives a certificate in seconds.

The protocol works through domain validation challenges. When you request a cert for example.com, the ACME server needs proof that you control that name. There are three challenge types in use. HTTP-01: you serve the key authorization (the challenge token, a dot, and the SHA-256 thumbprint of your ACME account key) at http://example.com/.well-known/acme-challenge/{token}, and the CA fetches it over plain HTTP on port 80. DNS-01: you publish the base64url-encoded SHA-256 digest of the key authorization as a TXT record at _acme-challenge.example.com. TLS-ALPN-01 (RFC 8737): you answer a TLS handshake on port 443 that negotiates the ALPN protocol "acme-tls/1" with a self-signed certificate carrying that digest in its acmeIdentifier extension. In every case the thumbprint binds the response to the account key that opened the order, so a response built for one account cannot satisfy a challenge issued to another.
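All three responses derive from one string, the key authorization. The following Python (an added example, not code from this page or from any ACME client; standard library only) builds it from a constructed sample account key and token, derives the HTTP-01 body, the DNS-01 TXT value and the TLS-ALPN-01 digest, and shows the CA-side comparison that rejects a response produced under a different account key:

```python
"""Challenge responses for HTTP-01, DNS-01 and TLS-ALPN-01 (RFC 8555 §8, RFC 8737).
Added example; standard library only. The account key and token are constructed
samples, not real material."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME and JOSE use throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample: the public JWK of an EC P-256 ACME account key. The
# coordinates are synthetic byte strings, so this is not a usable key; the
# thumbprint logic does not care. "use" stands in for the optional members
# that the thumbprint must ignore.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(1, 33))),
    "y": b64url(bytes(range(33, 65))),
    "use": "sig",
}

# Constructed sample token, the same shape as the 32 random bytes a CA issues.
SAMPLE_TOKEN = b64url(bytes(range(100, 132)))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members only, keys in
    lexicographic order, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint (RFC 8555 §8.1): ties the response to the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple:
    """(path the CA fetches on port 80, body the client must serve) for HTTP-01."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT value for _acme-challenge.<name>: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def tls_alpn01_extension(token: str, jwk: dict) -> bytes:
    """Raw 32-byte SHA-256 of the key authorization, carried in the acmeIdentifier
    extension of the self-signed certificate presented for ALPN "acme-tls/1"."""
    return hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()


def ca_validates(challenge_type: str, token: str, jwk: dict, observed) -> bool:
    """CA side: recompute the expected value from the account key on file and
    compare it with what was retrieved over HTTP, DNS or TLS. A response built
    under any other account key fails, even though the token is correct."""
    expected = {
        "http-01": lambda: http01_response(token, jwk)[1],
        "dns-01": lambda: dns01_txt_value(token, jwk),
        "tls-alpn-01": lambda: tls_alpn01_extension(token, jwk),
    }[challenge_type]()
    return observed == expected


if __name__ == "__main__":
    path, body = http01_response(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("HTTP-01 serve at", path)
    print("HTTP-01 body    ", body)
    print("DNS-01 TXT      ", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
    print("TLS-ALPN-01 hex ", tls_alpn01_extension(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK).hex())
```

The canonical JSON step is where home-grown clients usually go wrong: a thumbprint computed over a JWK that still contains "use" or "kid", or with members in insertion order rather than sorted, yields a key authorization the CA will never accept, and the failure shows up only as an opaque "unauthorized" challenge error.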

For CDNs, ACME is what makes universal SSL possible. Cloudflare provisions certs for every domain on their platform using ACME. When you add a domain, their systems automatically request a certificate, complete the challenge, and deploy it to all edge servers. This happens in minutes without any manual intervention.

DNS-01 is the most flexible challenge type and the one CDNs typically prefer. It works even when port 80 or 443 isn't reachable from the CA, it is the only challenge Let's Encrypt accepts for wildcard certificates, and it can be completed before any traffic is routed to the CDN. The downside is that the ACME client needs API access to the DNS provider, and that credential is then an issuance credential for every name in the zone: scope it as narrowly as the provider allows, or CNAME _acme-challenge.example.com to a separate zone that the ACME client controls so the production DNS credential never sits on the renewal host.

Certificate renewal is where ACME really shines. Certbot and other ACME clients check certificate expiry and renew automatically before it is reached. Let's Encrypt certificates are valid for 90 days (intentionally short, to force automation and to limit the exposure of a compromised key), so reliable renewal is essential. Certbot's default is to renew when 30 days or fewer remain, which for a 90-day certificate means around day 60; the 30-day buffer leaves room for a failed run to be noticed and fixed before anything expires.
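To turn "renew at 60 days" into a check you can run across a fleet, here is a Python function (an added example, not code from this page or from certbot) that parses the `openssl x509 -noout -dates` output shown later on this page, constructed here as sample input, and applies certbot's default policy of renewing when 30 days or fewer remain. For certificates shorter than 90 days it scales the window down to one third of the lifetime; that scaling is an assumption of this example, not a certbot setting.

```python
"""Renewal check from `openssl x509 -noout -dates` output. Added example, not
code from the page or from certbot. Policy: renew when 30 days or fewer remain
(certbot's default), capped at one third of the lifetime for short-lived
certificates (an assumption of this example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample, in the format openssl prints.
SAMPLE_DATES = """notBefore=Mar  1 00:00:00 2026 GMT
notAfter=May 30 00:00:00 2026 GMT
"""


def parse_openssl_dates(text: str) -> tuple:
    """Return (not_before, not_after) as timezone-aware UTC datetimes.
    openssl pads single-digit days with two spaces ("Mar  1"); strptime treats
    a space in the format as one-or-more whitespace, so that parses cleanly."""
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
        fields[key.strip()] = parsed.replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]


def renewal_status(not_before, not_after, now,
                   renew_before=timedelta(days=30)) -> tuple:
    """Return (should_renew, whole_days_remaining).

    An expired certificate reports 0 days and must be renewed immediately; that
    case deserves an alert, because the timer that should have renewed it has
    evidently been failing for the whole renewal window."""
    lifetime = not_after - not_before
    window = min(renew_before, lifetime / 3)
    remaining = not_after - now
    if remaining <= timedelta(0):
        return True, 0
    return remaining <= window, remaining.days


def check_sample(on: str) -> tuple:
    """Evaluate the sample certificate as of a given ISO date (UTC midnight)."""
    not_before, not_after = parse_openssl_dates(SAMPLE_DATES)
    now = datetime.fromisoformat(on).replace(tzinfo=timezone.utc)
    return renewal_status(not_before, not_after, now)


if __name__ == "__main__":
    for day in ("2026-04-01", "2026-04-30", "2026-05-01", "2026-06-01"):
        print(day, check_sample(day))
```

Feed it the output of the openssl pipeline for each edge hostname and alert on any (True, n) where n is well below 30: a certificate that is inside the window but not yet renewed means the ACME client has already failed at least once.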

Beyond Let's Encrypt, other CAs now support ACME too: Google Trust Services, ZeroSSL, Buypass. CDN providers often have their own CA relationships but use ACME as the underlying protocol. Fastly, for example, uses ACME with Let's Encrypt and other CAs to provision certs for customer domains.

The security model is sound as far as it goes. Private keys never leave the client: the CA sees the CSR, the public half of the account key, and proof of control over each name. Rate limits prevent abuse (Let's Encrypt allows 50 certificates per registered domain per week). And every issued certificate is published to Certificate Transparency logs, so issuance for your domain by anyone, including an attacker, is visible to whoever monitors the logs. Two caveats matter in practice. Validation proves control of a name only at the moment of issuance, so anyone who can hijack your DNS or intercept port 80 traffic in front of the CA can obtain a certificate; a CAA record (RFC 8659) restricts which CAs may issue for the domain, and CT monitoring catches whatever CAA does not prevent. And the ACME account key authorizes issuance and revocation for every name the account has validated, so it deserves the same protection as the certificate keys themselves.

Examples

# Install certbot and get a certificate (HTTP-01). --standalone runs a temporary
# web server on port 80, so nothing else may be listening there; with a running
# web server use --webroot -w /var/www/html instead.
sudo apt install certbot
sudo certbot certonly --standalone -d example.com

# Using DNS-01 challenge (required for wildcards). --manual prompts you to create
# the TXT record by hand, so it cannot renew unattended; use a DNS plugin for that.
sudo certbot certonly --manual --preferred-challenges dns \
  -d "*.example.com" -d example.com

# Auto-renewal with certbot (the package installs a systemd timer that runs
# `certbot renew` twice a day; --dry-run exercises it against the staging CA)
sudo certbot renew --dry-run

# Nginx reload hook after renewal (runs only when a certificate was actually renewed)
sudo certbot renew --deploy-hook "systemctl reload nginx"

# Check certificate expiry (-servername sends SNI so a CDN edge returns the right cert)
openssl s_client -connect example.com:443 -servername example.com \
  2>/dev/null | openssl x509 -noout -dates
# notBefore=Mar  1 00:00:00 2026 GMT
# notAfter=May 30 00:00:00 2026 GMT

# ACME account registration (RFC 8555 §7.3). The body is a JWS: "protected" is the
# base64url header (alg, the account's public JWK, a nonce fetched from the
# newNonce endpoint, and this URL), "payload" is the base64url JSON request, and
# "signature" is produced with the account's private key. ACME clients build this for you.
curl -X POST https://acme-v02.api.letsencrypt.org/acme/new-acct \
  -H "Content-Type: application/jose+json" \
  -d '{"protected":"...","payload":"...","signature":"..."}'
