
Automatic Certificate Management Environment

Automatic Certificate Management Environment (ACME) is an IETF standards-track protocol used to automate the issuance, renewal, and revocation of Web PKI certificates by coordinating domain control validation and certificate delivery between a Certification Authority and an automated client.[1] ACME became widely deployed through services such as Let’s Encrypt, which use ACME-based automation to provide domain-validated TLS certificates at scale.[2][3]

Origins

ACME was developed to reduce the cost and operational friction of certificate management by standardising an automated CA-to-client interface. The protocol was standardised by the IETF as RFC 8555 in 2019.[1][4]

ACME is designed to be extensible. Additional RFCs define new validation methods and identifier types, including the TLS ALPN-based challenge extension (RFC 8737) and issuance for IP address identifiers (RFC 8738).[5][6]

Operation (High-Level)

ACME uses HTTPS requests carrying JSON objects to manage certificate lifecycles. A typical flow is:

  • The client establishes an ACME account (identified by an account key).
  • The client requests an order for one or more identifiers (usually DNS names).
  • The CA issues one or more authorizations containing challenges that prove control over the identifier.
  • After successful validation, the CA issues a certificate; the client deploys it and renews it periodically.[1][3]

Common validation mechanisms include:

  • HTTP-01: proving control by serving a token under a well-known path on the web server.
  • DNS-01: proving control by publishing a DNS TXT record.
  • TLS-ALPN-01: proving control through a specific TLS handshake behaviour (defined as an ACME extension).[7][5]
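The flow and the three validation methods above share one construct: the key authorization, which ties a challenge token to the account key so that only the holder of that key can satisfy the challenge. The following is an added example written for this article, not code from the page, from RFC 8555 or from any ACME client. It derives what a client must publish for HTTP-01 and DNS-01 (and the digest TLS-ALPN-01 embeds) and shows the CA-side check that recomputes the expected value from the account key on file. The account keys and the token are constructed placeholders (the EC coordinates are not real curve points), chosen only so the code runs offline.

```python
"""ACME challenge responses: key authorization (RFC 8555 s8.1), HTTP-01 (s8.3),
DNS-01 (s8.4) and the TLS-ALPN-01 digest (RFC 8737 s3), plus CA-side validation.
Added example for illustration; keys and token below are constructed, not real."""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME (RFC 8555 s6)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# JWK members that enter the RFC 7638 thumbprint, by key type; every other
# member (alg, use, kid, ...) is ignored, so thumbprints stay stable.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members serialised as
    compact JSON in lexicographic key order, then base64url-encoded."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.1: token || '.' || base64url(Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(domain: str, token: str, account_jwk: dict) -> tuple:
    """URL the CA will fetch and the exact body the client must serve (s8.3)."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, account_jwk)


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value for DNS-01 (s8.4): base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_response(domain: str, token: str, account_jwk: dict) -> tuple:
    """Record name and value the client must publish for DNS-01."""
    return f"_acme-challenge.{domain}", dns01_txt_value(token, account_jwk)


def tls_alpn01_digest(token: str, account_jwk: dict) -> bytes:
    """RFC 8737 s3: raw SHA-256 of the key authorization, carried in the
    acmeIdentifier extension of the self-signed certificate offered under
    ALPN protocol 'acme-tls/1'."""
    return hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()


# CA side: the expected value is always recomputed from the account key the CA
# has on file, never trusted from what the challenger serves.

def validate_http01(served_body: str, token: str, account_jwk_on_file: dict) -> bool:
    """s8.3 lets the server ignore trailing whitespace; compare in constant time."""
    expected = key_authorization(token, account_jwk_on_file)
    return hmac.compare_digest(served_body.rstrip(), expected)


def validate_dns01(txt_records: list, token: str, account_jwk_on_file: dict) -> bool:
    """Any TXT record at _acme-challenge.<domain> may match (s8.4)."""
    expected = dns01_txt_value(token, account_jwk_on_file)
    return any(hmac.compare_digest(r, expected) for r in txt_records)


# Constructed placeholders (not real keys; coordinates are not valid P-256 points).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32),
               "use": "sig"}  # optional member, must not affect the thumbprint
OTHER_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
                     "x": b64url(b"\x03" * 32), "y": b64url(b"\x04" * 32)}
TOKEN = "constructed-token-" + b64url(b"\xab" * 16)  # constructed sample token


if __name__ == "__main__":
    url, body = http01_response("example.com", TOKEN, ACCOUNT_JWK)
    print("HTTP-01 serve at", url, "->", body)
    print("DNS-01 publish", dns01_response("example.com", TOKEN, ACCOUNT_JWK))
    print("TLS-ALPN-01 digest", tls_alpn01_digest(TOKEN, ACCOUNT_JWK).hex())
    print("valid for account key:", validate_http01(body + "\n", TOKEN, ACCOUNT_JWK))
    print("valid for other key:  ", validate_http01(body, TOKEN, OTHER_ACCOUNT_JWK))
```

The last two lines of the usage show the property that matters for security: a response that is correct for one account key fails validation for any other, because the CA derives the expected value from the account key bound to the order rather than from the token alone. Real clients and CAs use an actual EC or RSA account key; the derivation and the checks are otherwise the ones the RFCs specify.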

Considerations

Automation

As certificate validity periods and revalidation rules tighten, ACME-style automation becomes less optional for many operators. The CA/Browser Forum has adopted policy changes that introduce staged reductions in certificate lifetimes and in the permitted reuse period for domain-control validation data, increasing the frequency of renewal and revalidation events across the ecosystem.[8][9]

Security baseline

By lowering the marginal cost of HTTPS deployment and renewal, ACME supports the broader shift toward ubiquitous encryption on the web. While ACME does not change DNS or TLS semantics directly, the practical outcome of large-scale automated certificate issuance is an Internet where on-path inspection and modification of HTTP traffic is increasingly difficult, pushing control and visibility toward endpoints and platforms rather than access networks.

Abuse controls

High-volume automated issuance creates incentives for rate limiting and other anti-abuse controls at CA scale. Let’s Encrypt, for example, documents rate limits and related operational constraints that shape how automation is engineered by large hosting platforms and resellers.[10][11]
