
Ever wish SSL management were easier? We recently wrote about upcoming SSL lifetime changes and how manually managing SSL certificates will likely soon become harder to keep up with. Certificate validity used to last years. By 2029, it will be only 47 days.
That’s why automation is the future. And central to this automation is a technology called ACME. Here’s everything you need to know.
What is ACME?
ACME is short for Automated Certificate Management Environment and is standardized as RFC 8555 by the IETF. It was originally developed by the Internet Security Research Group, the organization behind Let’s Encrypt. Today, ACME is supported by many major certificate providers for the management of domain validation (DV) certificates.
The ACME protocol lets servers and Certificate Authorities (CAs) handle everything to do with SSL management automatically. This includes requesting, validating, issuing, renewing, and even revoking SSL certificates, with no manual steps. This means SSL owners don’t have to download any files, validate domains, upload certificates, or schedule reminders. Everything happens in the background.
Why was ACME created?
Manually managing SSL certificates is easy enough for one website or a small number of them, but it can become unwieldy for multiple domains with multiple certificates. That’s because manually managing even one SSL certificate involves a lot of steps:
- Generating a CSR
- Submitting the SSL request to a certificate authority
- Sometimes proving business ownership
- Downloading issued certificates
- Manually installing certificates
- Tracking the expiration date
- Repeating the process every renewal cycle
The more domains you have, the higher the risk of mistakes happening along the way, potentially leaving certain sites insecure and at risk, for instance if certificates expire without notice or are incorrectly installed.
The creators of ACME recognized that certificate management contained many repetitive tasks that could be safely automated. So, they wanted to make HTTPS deployment easier while reducing the risk of human error.
How ACME works
Securing your site with ACME works as follows:
- An ACME client installed on your server requests a certificate from a CA
- The CA asks the client to prove control over the domain
- The client completes a validation challenge
- The CA issues the certificate, and the client installs it
- The renewal process repeats automatically before expiration
The domain validation challenge can be one of the following:
- HTTP – This involves placing a file on your server for the CA to fetch
- DNS – This involves adding a TXT record to your DNS settings
- TLS-based – The CA opens a short TLS connection to your server and checks for a special certificate
How ACME helps prevent downtime
One of the biggest benefits of ACME is that it dramatically reduces the risk of certificate expiration. Certificate-related downtime often happens because renewal processes depend on people remembering deadlines. Other causes include renewal reminders going to a former employee, or an installation succeeding on one server but not another. A lot can go wrong without someone noticing.
This then results in browsers showing security warnings and services becoming unavailable, consequently leading to users losing trust.
ACME’s automation addresses this problem. Instead of relying on calendars and spreadsheets, systems continuously monitor certificate status and renew certificates before expiration. It isn’t foolproof, but it’s a much more reliable method than manual management.
Isn’t ACME just for Let’s Encrypt?
This is one of the most common misconceptions about ACME. Although Let’s Encrypt was the first major CA to implement ACME at scale, the protocol isn’t tied to a single provider. Today, ACME support exists across much of the certificate industry, with many CAs offering it. CAs offering ACME include:
- Let’s Encrypt
- SSL.com
- DigiCert
- Sectigo
- Many enterprise PKI platforms
So if you’re interested in using ACME, you most likely won’t need to switch CA to do it.
Who should be using ACME?
Everyone who manages DV SSL certificates should, especially those with a large inventory to keep track of. This includes:
- Website owners – Automatic renewals reduce the chance of website outages caused by expired certificates.
- Hosting providers – Managing certificates across hundreds or thousands of customer websites becomes far more efficient.
- DevOps teams – ACME integrates naturally into infrastructure automation workflows.
- Enterprise IT departments – Certificate lifecycle management becomes more scalable and predictable.
- IoT/connected devices – Simplifies certificate management across large numbers of connected devices.
Final thoughts
As SSL certificate lifetimes continue shrinking and certificate management becomes more demanding, organizations need reliable ways to automate repetitive tasks without sacrificing security. One way to do that is ACME. By 2029, ACME will likely be an SSL management essential for any person or organization dealing with DV SSL certificates. If you want to get ahead, get started with this checklist:
- Audit your certificate inventory
- Identify which ones are still renewed manually
- Check whether your CA supports ACME
- Test automated renewals before adopting broadly
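A small audit helper for the first two checklist items and for the continuous expiry monitoring described earlier, as an added example that is not code from this article or from any CA. The inventory is constructed, and the rule that the renewal window opens when one third of the lifetime remains is an assumed policy, not something ACME prescribes.

```python
import ssl

DAY = 86400


def renewal_status(not_before: str, not_after: str, now: int,
                   fraction: float = 1 / 3) -> str:
    """Classify a certificate from its OpenSSL-format validity dates.

    The renewal window opens once no more than `fraction` of the total
    lifetime remains (assumed policy; tune it to your ACME client).
    """
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    if end <= start:
        raise ValueError("notAfter is not later than notBefore")
    if now >= end:
        return "expired"
    if now < start:
        return "not-yet-valid"
    return "renew" if end - now <= (end - start) * fraction else "ok"


def audit(inventory: list, now: int) -> list:
    """Return (host, status, needs_human) rows, most urgent first."""
    order = {"expired": 0, "renew": 1, "not-yet-valid": 2, "ok": 3}
    rows = []
    for cert in inventory:
        status = renewal_status(cert["not_before"], cert["not_after"], now)
        # A manually renewed certificate inside the window needs a person;
        # an automated one needs attention only if it has already expired.
        needs_human = status == "expired" or (
            status == "renew" and not cert["automated"])
        rows.append((cert["host"], status, needs_human))
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


# Constructed inventory of 47-day certificates; the date strings use the
# format printed by `openssl x509 -noout -dates` (the part after "=").
INVENTORY = [
    {"host": "shop.example.com", "automated": True,
     "not_before": "Mar  1 00:00:00 2029 GMT", "not_after": "Apr 17 00:00:00 2029 GMT"},
    {"host": "legacy.example.com", "automated": False,
     "not_before": "Mar  1 00:00:00 2029 GMT", "not_after": "Apr 17 00:00:00 2029 GMT"},
    {"host": "old.example.com", "automated": False,
     "not_before": "Jan  1 00:00:00 2029 GMT", "not_after": "Feb 17 00:00:00 2029 GMT"},
]
NOW = ssl.cert_time_to_seconds("Apr  5 00:00:00 2029 GMT")
```

With a 47-day lifetime the assumed window opens about 15.7 days before expiry, so a check that runs only weekly leaves at most two chances to catch a failed renewal.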
FAQ
What does ACME stand for?
ACME stands for Automated Certificate Management Environment.
Is ACME an SSL certificate?
No. ACME is a protocol used to automate certificate issuance, validation, renewal, and management.
Does ACME only work with Let’s Encrypt?
No. Many certificate authorities and enterprise PKI platforms support ACME.
Why is ACME becoming more important?
Because certificate lifetimes are becoming shorter, making manual renewal processes increasingly difficult to manage.
Will ACME become mandatory?
Since ACME is only for DV SSL certificates, it’s very unlikely. But as certificate lifetimes move toward 47 days, automation in general may become unavoidable for many organizations.

Cora is a digital copywriter for SSLs.com. Having eight years of experience in online content creation, she is a versatile writer with an interest in a wide variety of topics, ranging from technology to marketing.