Understanding ACME Automation
Overview of ACME Certificate Automation
The Automated Certificate Management Environment (ACME, defined in RFC 8555) is a protocol that lets a server prove control of its domain names to a Certificate Authority and obtain, renew, and revoke TLS certificates (often still called SSL certificates) without a person in the loop.
Because industry changes are significantly shortening certificate lifetimes, the Division of IT strongly recommends automating certificate renewal rather than renewing by hand.
Why Automation is Important
The CA/Browser Forum has adopted a schedule that reduces the maximum lifetime of publicly trusted TLS certificates from the current 398 days as follows:
- Certificates issued on or after March 15, 2026: maximum lifetime reduced to 200 days
- Certificates issued on or after March 15, 2027: maximum lifetime reduced to 100 days
- Certificates issued on or after March 15, 2029: maximum lifetime reduced to 47 days
Shorter certificate lifetimes require more frequent renewals: a 47-day certificate has to be replaced roughly every month. When renewals are performed manually, the chance of missing an expiration rises with every additional renewal.
Expired certificates are disruptive and can:
- Trigger browser warnings indicating that a website is not trusted
- Interrupt access to web applications and services
- Result in reputational damage
Automating certificate management significantly reduces these risks.
What is ACME Automation?
If your server is publicly reachable from the internet on:
- Port 80, HTTP (used by the HTTP-01 challenge, the most common validation method), or
- Port 443, HTTPS (used by the TLS-ALPN-01 challenge)
you can typically use an ACME client with a free Certificate Authority to automate certificate issuance and renewal. A server that is not reachable from the internet can still use ACME through the DNS-01 challenge, which proves control of the domain by publishing a DNS TXT record instead; that requires the client to have API access to your DNS zone.
An ACME client will:
- Monitor the certificate’s validity period
- Automatically request a new certificate prior to expiration
- Install the renewed certificate on the server
Implementing ACME Automation
What to Do
If you manage a server that uses SSL or TLS certificates, you should:
- Determine whether your server is publicly reachable on port 80 (and, if you plan to use the TLS-ALPN-01 challenge, port 443).
- Submit a firewall exception request allowing the Certificate Authority's validation traffic to reach the server on that port, and allowing the server to make outbound HTTPS connections to the Certificate Authority's ACME endpoint.
- Implement ACME-based certificate automation with one of the clients listed below.
- Test the automated renewal process end to end, so that certificates renew and are installed without manual intervention (for example, Certbot's `certbot renew --dry-run` exercises the full renewal against the CA's staging environment).
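The first two things an ACME client does (watch the validity period, request a new certificate before expiration) come down to a renewal-window decision. The following is an added example, not code from this article or from any ACME client, that makes that decision against a certificate in the form Python's `ssl` module returns from `getpeercert()`. The sample certificate dictionary (hostname and dates) is constructed for the example; the rule of renewing once one third of the lifetime remains is Let's Encrypt's published recommendation, and `live_cert` is a helper written here to fetch a real server's certificate for the same check.

```python
"""Renewal-window check of the kind an ACME client runs on a schedule.

Added example for the knowledge-base article; it is not part of Certbot,
win-acme, or any other ACME client.  Runs offline against a constructed
certificate; pass a hostname on the command line to check a live server.
"""
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone

# Let's Encrypt's guidance: renew once one third of the lifetime remains
# (a 90-day certificate renews at day 60, a 47-day certificate at day ~31).
RENEW_AT_FRACTION_REMAINING = 1 / 3

# Maximum lifetimes from the CA/Browser Forum schedule quoted in the article.
LIFETIME_SCHEDULE_DAYS = {"2026-03-15": 200, "2027-03-15": 100, "2029-03-15": 47}

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# The hostname and dates are made up for this example (a 200-day certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.edu"),),),
    "notBefore": "Mar 15 00:00:00 2026 GMT",
    "notAfter": "Oct  1 00:00:00 2026 GMT",
}


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware midnight UTC, for readable 'now' values."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _cert_time(value: str) -> datetime:
    # ssl.cert_time_to_seconds parses the getpeercert() date format as UTC.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def renewal_status(cert: dict, now: datetime) -> dict:
    """Decide whether a certificate is due for renewal at time `now`."""
    not_before = _cert_time(cert["notBefore"])
    not_after = _cert_time(cert["notAfter"])
    lifetime = not_after - not_before
    # Renewal opens when only RENEW_AT_FRACTION_REMAINING of the lifetime is left.
    renew_after = not_after - lifetime * RENEW_AT_FRACTION_REMAINING
    return {
        "lifetime_days": lifetime.days,
        "renew_after": renew_after,
        "days_left": (not_after - now).days,
        "renew_now": now >= renew_after,
        "expired": now >= not_after,
    }


def renewal_window_days(lifetime_days: int, check_interval_days: int = 1) -> dict:
    """Size of the window between 'renew now' and expiry for a given lifetime,
    and how many attempts a client that runs every check_interval_days gets.
    A window with only a handful of attempts is why renewal must not be manual."""
    window = lifetime_days * RENEW_AT_FRACTION_REMAINING
    return {"window_days": window, "attempts": int(window // check_interval_days)}


def live_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the certificate a server is actually presenting (network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    cert = live_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    status = renewal_status(cert, datetime.now(tz=timezone.utc))
    print(f"lifetime {status['lifetime_days']}d, {status['days_left']}d left, "
          f"renew after {status['renew_after']:%Y-%m-%d}, "
          f"renew now: {status['renew_now']}, expired: {status['expired']}")
    for start, days in LIFETIME_SCHEDULE_DAYS.items():
        w = renewal_window_days(days)
        print(f"from {start}: {days}-day certs, {w['window_days']:.1f}-day renewal window")
```

Run it daily from cron or a systemd timer alongside the ACME client: if `renew_now` is true for the served certificate and the client has not replaced it, the automation has broken and someone should look before the window closes. With the 47-day lifetime the window is about 15 days, so a check that runs weekly leaves only two chances to notice a failure.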
Firewall Requirements
ACME domain validation requires that the Certificate Authority be able to connect to your server during the challenge: on port 80 for the HTTP-01 challenge, or on port 443 for TLS-ALPN-01. Let's Encrypt validates from several network vantage points and does not publish the addresses it validates from, so the exception must allow the validation port from any source rather than from an allow-list of CA addresses. The server also needs outbound HTTPS to the Certificate Authority so the client can request and download certificates.
You will need to submit a firewall exception request to add this traffic to the firewall rules already in place for the server.
Information Security will review the request and coordinate with Network Operations.
Suggested ACME Clients
win-acme
win-acme is designed for Windows environments, including IIS. Guides:
- Windows Server 2022 SSL Certificate Rotation for IIS using Let’s Encrypt and Win-ACME
- win-acme Apache configuration example
Certbot
Certbot is available for many operating systems and web servers and is the usual choice on Linux. Guide:
- Certbot installation and configuration instructions (Electronic Frontier Foundation)
Recommended Free Certificate Authorities
The following Certificate Authorities issue certificates over ACME at no cost. Let's Encrypt accepts ACME registrations directly; ZeroSSL requires External Account Binding (EAB) credentials generated from a ZeroSSL account before its ACME endpoint will issue, so create the account first and supply the EAB key ID and HMAC key to your client.
Let’s Encrypt
Website:
https://letsencrypt.org/
Getting Started:
https://letsencrypt.org/getting-started/
ZeroSSL
Website:
https://zerossl.com/
Getting Started:
https://help.zerossl.com/hc/en-us/categories/360005948793-Getting-Started
Still need help? Contact Information Security for further assistance.