Getting StartedUnderstanding PKICertificate AuthoritiesIssuing CertificatesCertificate LifecycleOCSPACME ProtocolAPI AccessMCP IntegrationWorkspaces

ACME Protocol

Certman supports the Automatic Certificate Management Environment (ACME) protocol (RFC 8555), enabling automated certificate issuance with standard ACME clients like Certbot, acme.sh, Caddy, and Traefik.

How It Works

ACME automates the certificate lifecycle. Instead of manually issuing certificates through the dashboard or API, your servers can request and renew certificates automatically:

  1. Create an ACME credential in the dashboard, bound to a specific CA
  2. Configure your ACME client with the directory URL and EAB credentials
  3. The client proves domain control via HTTP-01 or DNS-01 challenges
  4. Certman issues the certificate from the CA linked to your credential

Creating ACME Credentials

Navigate to ACME in the dashboard sidebar to create credentials. Each credential is bound to a specific CA and consists of:

  • Key ID (kid) — Identifies the credential and determines which CA will issue certificates
  • HMAC Key — Secret used to authenticate the account registration

Important: The HMAC key is only shown once when created. Store it securely. The credential's Key ID determines which CA will be used — no need to specify the CA in the URL.

Directory URL

Certman uses a single ACME directory endpoint for all CAs:

https://acme.certman.app/directory

The CA is determined by the EAB credential you use during account registration — the same directory URL works for all your ACME credentials.

Challenge Types

Certman supports two challenge types to prove domain control:

  • HTTP-01 — Prove control by serving a file at http://domain/.well-known/acme-challenge/token. Works with any web server. Used for most certificates.
  • DNS-01 — Prove control by creating a TXT record at _acme-challenge.domain. Required for wildcard certificates. Works even when HTTP is not accessible.

Client Configuration

Certbot

certbot certonly \
  --server https://acme.certman.app/directory \
  --eab-kid YOUR_KID \
  --eab-hmac-key YOUR_HMAC_KEY \
  --domain example.com \
  --preferred-challenges http

For DNS-01 challenges, use --preferred-challenges dns.

acme.sh

# Register account with EAB
acme.sh --register-account \
  --server https://acme.certman.app/directory \
  --eab-kid YOUR_KID \
  --eab-hmac-key YOUR_HMAC_KEY

# Issue certificate
acme.sh --issue \
  --server https://acme.certman.app/directory \
  -d example.com \
  --webroot /var/www/html

You only need to register the account once. Subsequent requests use the stored account credentials.

Caddy

{
  acme_ca https://acme.certman.app/directory
  acme_eab {
    key_id YOUR_KID
    mac_key YOUR_HMAC_KEY
  }
}

example.com {
  # Your site configuration
}

Caddy automatically obtains and renews certificates when configured with EAB credentials.

Traefik

# traefik.yml
certificatesResolvers:
  certman:
    acme:
      caServer: https://acme.certman.app/directory
      email: you@example.com
      storage: /letsencrypt/acme.json
      eab:
        kid: YOUR_KID
        hmacEncoded: YOUR_HMAC_KEY
      httpChallenge:
        entryPoint: web

Reference the resolver in your service labels with traefik.http.routers.myrouter.tls.certresolver=certman.

Certificate Validity

Certificates issued via ACME have a default validity of 90 days, following industry best practices for automated certificate management. Most ACME clients will automatically renew certificates when they approach expiration (typically at 60 days remaining).

Plan Requirements

ACME is available on Pro and Enterprise plans:

  • Pro — Up to 5 ACME credentials per CA
  • Enterprise — Unlimited ACME credentials

Limitations

  • Passphrase-protected CAs — ACME requires automated access to the CA private key. CAs protected with a passphrase (Zero-Trust Mode) cannot be used with ACME.
  • Revoked CAs — ACME is disabled for revoked CAs. No new certificates can be issued.