What is ACME Protocol?
Also known as: ACME
ACME (Automated Certificate Management Environment) is a protocol that automates the issuance, renewal, and revocation of TLS certificates, defined in RFC 8555.
The Automated Certificate Management Environment (ACME) protocol is an IETF standard (RFC 8555, published March 2019) that enables a client to automatically request, validate, obtain, and manage X.509 TLS certificates from a certificate authority (CA). It replaces manual certificate lifecycle workflows with machine-readable, challenge-response interactions.
A client proves control over a domain by completing one or more authorization challenges defined in the protocol, such as provisioning a specific HTTP resource (HTTP-01) or a DNS TXT record (DNS-01). Once validated, the CA issues the certificate. The protocol also handles renewal well before expiration and supports certificate revocation. ACME uses JSON as the payload format and exchanges messages over HTTPS to a well-known API endpoint at the CA.
ACME was originally designed by the Internet Security Research Group (ISRG) for Let's Encrypt, which began issuance in December 2015. Its standardization made automated certificate management interoperable beyond a single CA. Today, ACME is the dominant method for obtaining publicly trusted TLS certificates at scale, replacing older practices like manual CSR uploads and email-based validation. Many CAs, including Google Trust Services, DigiCert, and ZeroSSL, now offer ACME-compatible APIs.
Key facts
- Defined in RFC 8555, published March 2019, standardized by the IETF ACME working group.
- Uses HTTP-based challenge-response to verify domain control before certificate issuance.
- Supports HTTP-01, DNS-01, and TLS-ALPN-01 validation methods.
- Let's Encrypt, the first major ACME CA, has issued over 300 million certificates as of 2024.
- ACME automates renewal and revocation as well as issuance, supporting certificate lifecycle management without human intervention.
How it works in practice
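The challenge-response step described above comes down to a few deterministic derivations from two values the CA and client share: the challenge token and the account's public key (JWK). The following Python is an added illustration for this glossary entry, not code from RFC 8555, Let's Encrypt, or any ACME client; it derives the RFC 7638 key thumbprint, the HTTP-01 key authorization (what must be served at /.well-known/acme-challenge/<token>), the DNS-01 TXT value (the SHA-256 of that key authorization, not the key authorization itself), and shows the CA-side comparison that binds a completed challenge to one account key. The JWK coordinates and the token are constructed sample values, not a real key or a real issued token.

```python
"""
ACME challenge material derivation (RFC 8555 section 8) plus a CA-side
check of an HTTP-01 response.  Added example for this glossary entry; it is
not code from RFC 8555 or from any ACME client or CA implementation.
"""
import base64
import hashlib
import json

# RFC 7638 section 3.2: the members that form a key's canonical thumbprint input.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """RFC 4648 base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members only.
    Optional members (alg, use, kid, ...) are excluded, so the value is stable
    regardless of how the client serialises its key."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint, binding the challenge to the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_resource(token: str, jwk: dict) -> tuple:
    """HTTP-01 (section 8.3): the path the CA fetches on port 80, and the body to serve."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01 (section 8.4): TXT record at _acme-challenge.<domain> holds
    base64url(SHA-256(key authorization)), never the key authorization itself."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def ca_verifies_http01(fetched_body: str, token: str, account_jwk: dict) -> bool:
    """CA side: the fetched body must equal the expected key authorization
    (trailing whitespace is tolerated, as the RFC allows).  Because the
    expected value includes the account key's thumbprint, a response prepared
    for a different account does not validate this one."""
    return fetched_body.rstrip() == key_authorization(token, account_jwk)


# Constructed sample values; not a real account key and not a CA-issued token.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "WbbXHgWGd4cXw-N5U0JcTJs2aOlVn7yMA42x8nYnqaQ",
    "y": "5kzRQY4ywhxbMhfL6XYu4gYOiH4LkRQKlxeoKk1xRKU",
    "alg": "ES256",  # optional member: must not change the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    path, body = http01_resource(SAMPLE_TOKEN, SAMPLE_JWK)
    print("HTTP-01: serve at", path, "the body", body)
    print("DNS-01 : _acme-challenge TXT =", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
    print("CA check passes:", ca_verifies_http01(body + "\n", SAMPLE_TOKEN, SAMPLE_JWK))
```

Two points worth noticing for operators: the thumbprint excludes optional JWK members, so rotating a key's `alg` or `kid` label does not invalidate pending challenges, whereas any change to the key material does; and the DNS-01 record publishes only a hash of the key authorization, so the TXT value alone does not reveal the account key thumbprint.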
More in TLS & PKI
Certificate Authority
A Certificate Authority (CA) is a trusted entity that issues digital certificates after verifying that the requester controls the domain or identity named in the certificate.
Certificate Chain
A certificate chain is an ordered list of certificates, starting with the server certificate and ending with a root CA, that a client validates to establish trust in the server's identity.
Certificate Pinning
A security technique where an application trusts only a specific, pre-selected certificate or public key for a given server, bypassing the standard chain of trust.
Cipher Suite
A cipher suite is a named set of cryptographic algorithms negotiated during a TLS handshake, specifying key exchange, authentication, encryption, and integrity protection for secure communications.
Domain Validation
Domain Validation (DV) is the lowest level of certificate validation used in TLS/SSL, where the certificate authority verifies only that the applicant controls the domain name, typically via an HTTP or DNS challenge.
ECH
Encrypted Client Hello (ECH) is a TLS extension that encrypts the Client Hello message, including the Server Name Indication (SNI), to prevent on-path observers from learning the target hostname during the handshake.
Extended Validation
Extended Validation (EV) is the highest level of TLS certificate assurance, requiring the certificate authority to perform rigorous, human-verified checks on the legal identity and operational existence of the requesting organization before issuance.
HSTS
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that forces browsers to interact with a website only over HTTPS, preventing downgrade attacks and cookie hijacking.
Intermediate Certificate
An intermediate certificate is a subordinate CA certificate signed by a root CA, used to sign end-entity certificates and enable path validation while the root remains offline.
Let's Encrypt
Let's Encrypt is a free, automated, public certificate authority operated by the Internet Security Research Group (ISRG) that issues short-lived Domain Validation (DV) TLS certificates via the ACME protocol.