Popular ACME Clients
Any ACME client that follows RFC 8555 and supports EAB works with FairSSL. Here are the clients we have tested and can help with. The requirements are RFC 8555 compliance, EAB (External Account Binding) support, and a configurable server URL. Using a different client with FairSSL ACME? Contact us and we will help you set it up.
Our recommendations
We recommend clients that support both ARI (RFC 9773) and EAB. ARI works as a daily heartbeat: the client checks in with the CA to see if the certificate needs renewal. This allows FairSSL to monitor that each client is active, signal early renewal during security incidents, and ensure your certificates never expire unexpectedly. Clients without ARI still work, but only renew on a fixed time interval. This becomes an increasing risk as certificate lifetimes shorten: with shorter lifetimes the margin for failed renewals is minimal, and without ARI the client cannot react to changed renewal windows from the CA.
Windows
ACME clients for Windows Server, IIS, Exchange, RDP, SQL Server and other Windows services.
Recommended (ARI + EAB)
IIS, Exchange, RDP, SQL Server, ADFS. Copy the folder, configure, done.
Alternative (EAB only)
Linux
ACME clients for Apache, Nginx, HAProxy, Docker and other Linux-based environments.
Recommended (ARI + EAB)
Python, classic CLI. Newer versions may require extra dependencies via package manager.
Alternative (EAB only)
Network Appliances
Firewalls, load balancers and network devices typically cannot run native ACME clients. Use an existing Linux or Windows server with a recommended ACME client, and deploy certificates to the devices via script.
Supported devices
Recommended strategy
1. Use an existing Linux or Windows server with a recommended ACME client (e.g. Lego or simple-acme)
2. FairSSL Auto DNS handles domain validation automatically via permanent CNAME. No DNS API keys or firewall openings needed.
3. On successful renewal, a script uploads and activates the certificate on the device (e.g. via F5 iControl REST, PAN-OS API)
Cloud
Same approach as appliances: run an ACME client on an existing server and deploy to cloud services via script. In cloud environments, the deploy step can also run as a cloud function (e.g. AWS Lambda, Azure Functions).
Recommended (ARI + EAB)
Lambda runs Lego via EventBridge, imports to ACM with same ARN. ALB/CloudFront auto-updates.
Alternative (EAB only)
Which client should I use?
The choice depends on your platform, skill set and requirements. Here are our recommendations by scenario:
Windows Server with IIS
simple-acme. Built-in IIS binding, Task Scheduler, ARI.
Linux with Nginx/Apache
Lego is our default recommendation: Go binary with no dependencies, 80+ DNS providers, ARI. Certbot is the classic choice with a large community. Apache users can also consider mod_md for native integration.
Docker / Kubernetes
Caddy or Traefik have built-in ACME and handle certificates automatically. In Kubernetes: cert-manager with FairSSL as ClusterIssuer.
Firewalls and load balancers
Run Lego (Linux) or simple-acme (Windows) on an existing server. FairSSL Auto DNS for validation. Post-renewal script deploys via API (F5 iControl, PAN-OS, FortiOS).
Exchange / RDP / SQL Server
simple-acme with DNS validation and post-renewal script for certificate rebinding. See the RDP/RD Gateway guide.
PowerShell automation / scripting
Posh-ACME is a PowerShell module with full ARI and EAB support. Ideal for existing PowerShell-based deployment pipelines.
Why ARI matters from 2027
With certificate lifetimes dropping to 100 days (2027) and 47 days (2029), ACME shifts from a "nice to have" to critical infrastructure. ARI (RFC 9773) becomes the most important feature in your ACME client.
Heartbeat monitoring
The client checks in daily. FairSSL sees whether the client is active. If it stops polling, we can warn you before the certificate expires.
CA-controlled renewal
The CA determines the optimal renewal time. During security incidents (key compromise, CA incident), the CA can signal immediate renewal.
47-day readiness
With 47-day certificates (2029), renewal must happen roughly every 30 days. Without ARI, you risk all certificates renewing at once. ARI spreads renewals intelligently.
Our most important recommendation in 2026: do not use an ACME solution without ARI if you can avoid it. It is easier to switch clients today (with 200-day certificates and ample margin) than in 2029 under time pressure with 47-day certificates. All our recommended clients support ARI.
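The difference between an ARI client and a fixed-interval client, as an added example (not code from FairSSL or from any of the clients named here). It builds the RFC 9773 certificate identifier and applies the RFC's window-selection rule; the function names, the daily poll time and the two `suggestedWindow` responses are constructed for illustration.

```python
import base64
import random
from datetime import datetime, timedelta, timezone

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def ari_cert_id(aki_key_id: bytes, serial: int) -> str:
    """RFC 9773 identifier: b64url(AKI keyIdentifier) + '.' + b64url(serial)."""
    # The serial is the DER INTEGER content, so a leading 0x00 byte is kept
    # when the top bit of the first byte would otherwise be set.
    serial_der = serial.to_bytes(serial.bit_length() // 8 + 1, "big")
    return f"{b64url(aki_key_id)}.{b64url(serial_der)}"

def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def ari_decision(renewal_info: dict, now: datetime, next_wake: datetime, rng=random) -> str:
    """Pick a uniformly random time inside suggestedWindow and act on it."""
    window = renewal_info["suggestedWindow"]
    start, end = parse_ts(window["start"]), parse_ts(window["end"])
    if end <= start:
        raise ValueError("suggestedWindow end must be after start")
    # Jitter only, so a non-cryptographic RNG is sufficient here.
    chosen = start + timedelta(seconds=rng.uniform(0, (end - start).total_seconds()))
    # Renew if the chosen time has passed or falls before the next poll.
    return "renew_now" if chosen <= max(now, next_wake) else "wait"

def fixed_interval_decision(not_after: datetime, now: datetime, renew_before: timedelta) -> str:
    """Client without ARI: only the certificate's own expiry drives renewal."""
    return "renew_now" if now >= not_after - renew_before else "wait"

# Constructed sample data (not real CA responses).
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)
NEXT_WAKE = NOW + timedelta(days=1)  # daily check-in, as described above
NOT_AFTER = datetime(2026, 9, 1, tzinfo=timezone.utc)
NORMAL = {"suggestedWindow": {"start": "2026-07-20T00:00:00Z", "end": "2026-07-22T00:00:00Z"}}
# Window moved into the past: the CA signalling immediate renewal.
INCIDENT = {"suggestedWindow": {"start": "2026-05-30T00:00:00Z", "end": "2026-05-31T00:00:00Z"}}

if __name__ == "__main__":
    fixed = fixed_interval_decision(NOT_AFTER, NOW, timedelta(days=30))
    for name, info in (("normal", NORMAL), ("incident", INCIDENT)):
        print(name, "| ARI:", ari_decision(info, NOW, NEXT_WAKE), "| fixed interval:", fixed)
```

With the incident window the ARI client renews on its next check-in, while the fixed-interval client keeps waiting for its 30-day-before-expiry mark.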
What is EAB?
External Account Binding (EAB) ensures that ACME certificate orders can only be placed by your organisation, and that orders and clients are automatically added to your account and monitoring.
You create EAB keys in the FairSSL control panel by clicking Add ACME client. Enter the Key ID and HMAC Key in your client's configuration, and the client is ready.
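How the Key ID and HMAC Key tie a new ACME account to your organisation, as an added example following RFC 8555 section 7.3.4 (not FairSSL's or any client's own code). The client MACs its account public key with the HMAC key and the CA checks that MAC before accepting the account; the URL, Key ID, HMAC key and JWK values are constructed placeholders, and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def eab_binding(key_id: str, hmac_key: str, account_jwk: dict, url: str) -> dict:
    """Client side: MAC the account public key with the CA-issued HMAC key."""
    protected = b64url(json.dumps({"alg": "HS256", "kid": key_id, "url": url}).encode())
    payload = b64url(json.dumps(account_jwk).encode())
    mac = hmac.new(b64url_decode(hmac_key), f"{protected}.{payload}".encode(), hashlib.sha256)
    return {"protected": protected, "payload": payload, "signature": b64url(mac.digest())}

def ca_verify(binding: dict, issued_keys: dict, outer_url: str, outer_jwk: dict):
    """CA side: return the Key ID the new ACME account binds to, or None."""
    header = json.loads(b64url_decode(binding["protected"]))
    hmac_key = issued_keys.get(header.get("kid"))
    if hmac_key is None or header.get("alg") != "HS256" or header.get("url") != outer_url:
        return None
    signed = f'{binding["protected"]}.{binding["payload"]}'.encode()
    expected = hmac.new(b64url_decode(hmac_key), signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(binding["signature"])):
        return None
    # The MACed payload must be the key that signs the outer newAccount request,
    # so a captured binding cannot be reused with a different account key.
    if json.loads(b64url_decode(binding["payload"])) != outer_jwk:
        return None
    return header["kid"]

# Constructed sample values: not real FairSSL credentials, keys or URLs.
URL = "https://acme.example/acme/new-account"
KEY_ID = "constructed-key-id"
HMAC_KEY = b64url(b"constructed-hmac-key-for-example")
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "other-x", "y": "other-y"}

if __name__ == "__main__":
    binding = eab_binding(KEY_ID, HMAC_KEY, ACCOUNT_JWK, URL)
    print(ca_verify(binding, {KEY_ID: HMAC_KEY}, URL, ACCOUNT_JWK))  # bound Key ID
    print(ca_verify(binding, {KEY_ID: HMAC_KEY}, URL, OTHER_JWK))    # None
```

Anyone holding the HMAC Key can register clients under your account, so store it like any other credential.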
We sponsor simple-acme and Lego
simple-acme is our preferred ACME client for Windows. It is built by the developer behind win-acme and supports ARI and EAB. Lego is our preferred ACME client for Linux and CI/CD, used by cert-manager and many others. Both clients are actively maintained.
Good open source needs maintenance, and that should not be purely voluntary. FairSSL sponsors both projects so they can continue to evolve. When you use our ACME solution, you help support them too.
Frequently asked questions about ACME clients
Find answers to the most common questions about SSL certificates and FairSSL.
*.example.com, example.com and portal.example.com in one certificate. You can also combine multiple wildcards (*.example.com + *.app.example.com) or wildcards with specific hostnames. All wildcard names require DNS-01 validation.
Get started with ACME automation
Create a free account and issue your first certificate in under 10 minutes.