Skip to content
English
Submit Ticket
  • There are no suggestions because the search field is empty.

What Are Digital Certificates, and How Does ACME Work?

Introduction

SSL/TLS certificates are a fundamental part of secure communication on the internet. They protect websites, APIs, applications, and services by encrypting data and verifying domain ownership. As certificate lifetimes continue to shrink, manual management becomes increasingly difficult. This is why ACME automation has become the industry standard.

This article explains what certificates are, how ACME works, why automation matters, and which ACME integration options are available.


What Are SSL/TLS Certificates?

An SSL/TLS certificate is a digital certificate used to secure communication between a client such as a web browser and a server.

Certificates provide two important benefits:

  • Encryption. Data transmitted between users and servers is encrypted and protected against interception.
  • Authentication. The certificate confirms that the website or service actually belongs to the legitimate domain owner.

Without certificates, attackers could intercept sensitive information such as login credentials, personal information, payment data, API traffic, or internal communication.

Certificates are therefore essential for HTTPS websites, APIs, mail servers, Kubernetes ingress controllers, and many other services.

Example: WordPress Website With SSL/TLS

Imagine you run a WordPress website on the domain example.com.

Without an SSL/TLS certificate, visitors would connect to the website using an unencrypted HTTP connection. This means attackers on the same network could potentially intercept WordPress admin logins, contact form submissions, or other sensitive information.

After installing an SSL/TLS certificate, the website uses HTTPS instead of HTTP. The browser can now verify that the website truly belongs to example.com, while all communication between the visitor and the WordPress server is encrypted.

This provides several important benefits:

  • Visitors see the secure padlock icon in the browser
  • WordPress admin logins are protected
  • Contact forms and customer data are encrypted
  • WooCommerce payment traffic is secured
  • Search engines such as Google prefer HTTPS-enabled websites

Without a valid certificate, browsers may display warnings such as “Your connection is not private,” which can reduce trust and cause visitors to leave the website immediately.


Why Domain Validation Is Required

Before a Certificate Authority such as Let's Encrypt or Sectigo can issue a certificate, the domain owner must prove ownership of the domain.

This validation step prevents attackers from generating certificates for domains they do not control.

There are two common validation methods.

1. HTTP Validation

With HTTP validation, the Certificate Authority provides a secret token that must be placed on the web server under a predefined URL path.

Example:

https://example.com/.well-known/acme-challenge/<token>

The Certificate Authority checks whether the token is accessible through the website. If the validation succeeds, the certificate can be issued.

This method is commonly used for traditional web servers.


2. DNS Validation

With DNS validation, the Certificate Authority requests a specific TXT record to be created in the domain’s DNS zone.

Example:

_acme-challenge.example.com TXT "<validation-token>"

The Certificate Authority then verifies the DNS entry using DNS lookups.

DNS validation offers several advantages:

  • It works without a running web server
  • It supports wildcard certificates
  • It is ideal for automation
  • It is suitable for internal services and Kubernetes environments

Many modern ACME integrations automate this process through DNS provider APIs.

The typical automated workflow looks like this:

  1. An API key for the DNS provider is configured
  2. The ACME client requests a certificate
  3. The Certificate Authority provides the required TXT record
  4. The integration automatically creates the DNS entry
  5. The Certificate Authority validates the domain ownership
  6. The certificate is issued
  7. Temporary validation records are removed automatically

This process runs completely unattended.


What Is ACME?

ACME stands for Automatic Certificate Management Environment.

It is an open protocol that standardizes how certificates are requested, validated, issued, and renewed.

ACME was designed to automate certificate management and reduce manual administrative work.

Popular ACME-compatible Certificate Authorities include:

  • Let’s Encrypt
  • Sectigo
  • ZeroSSL
  • Buypass

Without ACME, administrators would need to manually create certificate signing requests, perform validations, download certificates, install certificates, and renew them regularly.

ACME automates the entire lifecycle.


Why ACME Automation Is Important

Certificate Lifetimes Are Becoming Shorter

In the past, SSL certificates were often valid for up to two years.

Today, the maximum lifetime is significantly shorter:

  • Previously up to 2 years
  • Current standard approximately 1 year
  • Future industry direction around 100 days or even 46 days

This means certificates must be renewed multiple times per year for every domain and service.

Manual management quickly becomes impractical at scale.


Improved Security Through Frequent Rotation

Shorter certificate lifetimes improve security.

The principle is similar to password rotation. The longer a credential remains unchanged, the higher the risk of compromise. Frequent renewal reduces the impact of stolen certificates.

If attackers gain access to a certificate and its private key, they could potentially create spoofed websites, impersonate legitimate services, intercept encrypted traffic, or trick users into submitting sensitive information.

Automated certificate renewal minimizes these risks by ensuring certificates are rotated frequently and consistently.


ACME Integration Options with OpusDNS

Different environments require different ACME integration methods. Common options include the following.


Kubernetes Integration

ACME can run directly inside Kubernetes clusters using containerized deployments.
This approach is ideal for cloud-native environments, automated ingress TLS management, and dynamic infrastructure.
Certificates can be automatically requested and renewed within the cluster.

Learn more about our Kubernetes ACME Integration here.


LEGO

LEGO is a Go-based ACME library and client.
It is commonly used by developers who want to integrate ACME functionality directly into Go applications or custom automation workflows.
Advantages include lightweight integration, native Go support, and flexible automation possibilities

Learn more about our LEGO ACME Integration here.


Certbot

Certbot is one of the most widely used ACME clients.
It is written in Python and executed via command line.
Benefits include easy setup, broad community support, compatibility with many Linux distributions, and support for numerous plugins and DNS providers.
Certbot is commonly used on traditional servers and virtual machines.

Learn more about our Certbot ACME Integration here.


acme.sh

acme.sh is a lightweight ACME client written entirely in Bash.
Compared to Certbot, it has minimal dependencies and works well in simple or restricted environments.
Advantages include lightweight deployment, portability, easy shell integration, and support for many DNS provider integrations.

Learn more about our acme.sh Integration here.


Conclusion

SSL/TLS certificates are essential for secure communication and domain authentication on the modern internet.
As certificate lifetimes continue to shrink, manual certificate management becomes increasingly difficult and error-prone.
ACME solves this problem by automating domain validation, certificate issuance, renewal, and certificate rotation.
With automated DNS validation and integrations for Kubernetes, Certbot, LEGO, and acme.sh, organizations can securely manage certificates at scale while reducing operational overhead and improving security.