This site requires JavaScript to be enabled
An updated version of this article is available

Using ACME for automated SSL/TLS certificate management


7.0 - Updated on 2024-06-01 by Jonathon Taylor

6.0 - Updated on 2024-06-01 by Jonathon Taylor

5.0 - Updated on 2024-06-01 by Jonathon Taylor

4.0 - Updated on 2024-06-01 by Jonathon Taylor

3.0 - Updated on 2024-06-01 by Jonathon Taylor

2.0 - Updated on 2024-06-01 by Jonathon Taylor

1.0 - Authored on 2023-07-11 by Jonathon Taylor


The Automated Certificate Management Environment (ACME), is a protocol that makes it possible to automate the issuance and renewal of certificates.  ACME is primarily used to obtain domain validated (DV) certificates and is commonly done using the free Let's Encrypt certificate authority (CA) service.  Alternatively, organization validated (OV) certs may be obtained when using the Sectigo / InCommon CA's ACME service.   There is no substantive difference between the types of certificates; however your choice of CA may be influenced by your server's network configuration.


ACME + Sectigo / InCommon

ACME + Let’s Encrypt

Maximum certificate validity

365 days

90 days

Who can use it?

Berkeley Departments


Obtain and install certificates fully automatically



Renew certificates fully automatically



Does each ACME client need to successfully complete a challenge for Domain Control Validation?

No, domains are pre-validated when they are delegated


ACME credentials used to initially set up a new server or device

Obtained and installed manually

Obtained automatically

Central management and reporting

Yes, for departments that have access to the InCommon Certificate Manager web app


University-wide support contract



Staging environment





Internet-available sites

If your web server is open to the Internet (even if it requires authentication), the simplest and most secure option for automating certificates using ACME is to select one of the free CAs that provide ACME support.  For example, both Let's Encrypt and ZeroSSL provide free and trusted SSL certificates as long as your web server can be reached via HTTP on the Internet.

Firewalled sites

If you manage web servers that are not open to the Internet, or if you manage a mix of open/firewalled servers and want a consistent configuration and/or process then you can use the Sectigo/InCommon CA's ACME service.  The InCommon CA provides OV certificates via ACME but requires a more complex configuration than the public CAs listed above.

Protecting ACME secrets

Unlike Let's Encrypt implementation of ACME, Sectigo's implementation provides ACME secrets that cover many domains, not a single domain. This means the ACME secrets need to be handled with exceptional care because if they are compromised they can be used to request an unlimited number of certificates for any of the delegated domains assigned to the ACME account.

As a result, secrets should not be shared over insecure communication methods or stored in environments that are not expected to be secure. Access to systems that contain ACME secrets should be limited to only those who require it. One recommended way to do this is to configure a centralized server that will request and share out the certificates as needed.

Centralized vs Decentralized Management

When using Sectigo's ACME service, it is highly encouraged that users implement a centralized solution for certificate requests and distribution, especially if you are responsible for requesting a large number of certificates.  This has the benefit of protecting your ACME secrets by limiting the number of locations they are saved.

A centralized management approach requires configuring a server/container to act as a central server that will request all certificates, and scripts or configuration management tools (e.g. Puppet, Ansible) to distribute and install certificates from the central server to the application hosts. If you run Windows IIS another potential solution is to use IIS Centralized SSL Certificate Support.

ACME Clients

Sectigo recommends Certbot as their supported ACME client.  The Electronic Frontier Foundation provides excellent instructions for installing certbot on your server.  Please visit and follow the instructions based on your web server software and operating system.

In addition, "unsupported" clients such as win-acme are known to work well.

For reverse proxies, Apache now supports ACME natively and the Berkeley Information Security Office and Identity Management Team have had good luck using Caddy with built-in ACME and support for EAB.  Certbot has integrations for Nginx.

Process for Let’s Encrypt or ZeroSSL

For more information see:

Process for Sectigo/InCommon



This process involves creating an ACME account for each host or group of hosts for an application.  The goal is to limit the number of domains assigned to a given ACME account.  While you may use a single ACME account for all of your delegated domains, it increases the blast radius risk if an ACME secret were exposed.  The process outlined below attempts to reduce risk.  For example:

Application may have several domains:

You also manage with a similar set of domain names.   In this case you would create 2 ACME accounts, one for each application: dept_myapp1 and dept_myapp2.  You would then scope each ACME account to the relevant domains and distribute the EAB key for myapp1 only to the systems hosting that site.


  1. Log into the Cert-Manager site.
  2. Navigate to Domains and expand to see your list of delegated domains.
  3. Further expand the domain for which you will configure ACME.  If you do not see the FQDNs of the certificates you will be creating via ACME you will need to add them. 

    NOTE:  This is normally not required for manual certificate requests as long as you have the top-level domain.  To secure your ACME accounts, you need to add all of the FQDNs as listed domains

  4. In this example we will use ACME to issue certificates to but it's not listed, so we will add it now.

  5. Click the green plus button in the upper right corner of the screen and enter the FQDN.  Then check the box for SSL Certificate next to your department and Save the domain.

  6. Add any additional FQDNs that will be requested by ACME.
  7. Navigate to Enrollment > ACME.
  8. Select the checkbox next to
  9. Select Accounts.
  10. Click the green plus button in the upper right corner of the screen to add a new ACME account.
  11. Enter a name for the account, for this example something like training_app1 would make sense.
  12. Note that your department is automatically filled in.
  13. Next, click the plus sign next to Domains.

  14. Now add any FQDNs for this ACME account / endpoint.  Note that wildcard domains should never be assigned to an ACME account.  In this example both and are used by the application so have been added to this ACME account.  Save the account.

  15. The next screen will display the ACME account's External Account Binding (EAB) details.  Please treat these as sensitive secrets!  These should be stored in some sort of password manager or vault and only exist in the ACME configuration for your system(s).  You will need the ACME URL, Key ID, and HMAC key for your ACME client.

  16. You can now configure an ACME client that supports EAB.  Currently the only client supported by Sectigo / InCommon is Certbot.
  17. The ACME setup isn't complete until you connect to the InCommon/Sectigo ACME server with an ACME client.  See the section "Connect to the Sectigo ACME Service" for more details.

Install Certbot in your environment

Sectigo recommends Certbot as their supported ACME client.  The Electronic Frontier Foundation hosts an excellent set of instructions for installing certbot on your server.  Please visit and follow the instructions based on your web server software and operating system.

Connect to the ACME Service

In order to connect to the Sectigo ACME Service you'll need to use the command line sequence appropriate for your operating system and selected ACME client.  This is an example using certbot.

Key ID: insert  key ID
HMAC Key: insert HMAC key

Certbot requires admin privileges. Here are example commands that will use certbot to connect to the InCommon ACME service, complete your account setup, and get your first certificate.

Depending on your platform, web server, ACME plug-ins, etc, this may not be the way you obtain subsequent certs. See the certbot documentation at 
sudo certbot certonly --standalone --non-interactive --agree-tos --email {} --server --eab-kid {Key ID} --eab-hmac-key {HMAC Key} --domain {domain name used as CN for the cert} --cert-name {short friendly name for cert}
Start a CMD window as an admin account, then:
certbot certonly --standalone --non-interactive --agree-tos --email {} --server --eab-kid {Key ID} --eab-hmac-key {HMAC Key} --domain {domain name used as CN for the cert} --cert-name {short friendly name for cert}
Note: Any domains you reference in your ACME request must first be added to InCommon certificate services (if they don't already exist there), then they must be delegated to your department, and then delegated to your departmental ACME account.
This isn't the way the Let's Encrypt service works, but it is the way the InCommon ACME service works.