SSL certificate maximum validity is being reduced to 200 days from March 2026. Read more →

SSL Certificates

Cheap SSL DV SSL Wildcard SSL Multi-Domain (SAN) OV & EV SSL

Specialty Certificates

Code Signing Document Signing Email / S/MIME VMC / BIMI
In effect now Certificate Lifetime

Automation

Overview Auto DNS FairSSL vs Let's Encrypt

Platforms

Windows Setup Linux & Kubernetes Appliances ACME Clients

Tools

SSL Scanner Certificate Decoder CAA Generator

Guides

Windows Server Linux & Open Source All guides

Company

About Us Contact Installation Service
News

Language

Dansk Svenska English

Currency

Login Create Account

How the ACME protocol works

ACME (Automated Certificate Management Environment) is defined in RFC 8555 and automates the entire certificate lifecycle: account registration, domain validation, certificate issuance, and renewal. This page explains the protocol's technical flow step by step.

The ACME protocol lifecycle

An ACME flow has six phases. All communication takes place over HTTPS with JSON payloads signed via JWS (RFC 7515).

1. Directory + newNonce
2. Account newAccount
3. Order newOrder
4. Validation challenge
5. Finalize CSR + signing
6. Certificate download

1 Directory and Nonce

Before the client can send requests, it fetches the server's directory object. The directory contains URLs for all ACME endpoints: newNonce, newAccount, newOrder, revokeCert, keyChange, and metadata such as termsOfService and externalAccountRequired.

The client then fetches a replay nonce via a HEAD request to the newNonce URL. The nonce is included in the JWS header of all subsequent POST requests to prevent replay attacks. The server returns a new nonce in the Replay-Nonce header of every response, so the client always has a fresh nonce ready. 

# Fetch directory
GET https://fairssl.dk/acme

{
  "newNonce":    "https://fairssl.dk/acme/v1/new-nonce",
  "newAccount":  "https://fairssl.dk/acme/v1/new-account",
  "newOrder":    "https://fairssl.dk/acme/v1/new-order",
  "keyChange":   "https://fairssl.dk/acme/v1/key-change",
  "revokeCert":  "https://fairssl.dk/acme/v1/revoke-cert",
  "renewalInfo": "https://fairssl.dk/acme/v1/renewal-info",
  "meta": {
    "termsOfService": "https://www.fairssl.dk/en/terms-of-sale/",
    "externalAccountRequired": true
  }
}

# Fetch initial nonce
HEAD https://fairssl.dk/acme/v1/new-nonce
→ Replay-Nonce: oFvnlFP1wIhRlYS2jTaXbA

renewalInfo in directory. The FairSSL ACME server advertises ARI (RFC 9773) directly in the directory object. Clients that support ARI use this URL to query the optimal renewal time.

2 Account registration (newAccount)

The ACME client creates an account on the ACME server by sending a newAccount request. The client generates an asymmetric key pair (typically ECDSA P-384 or RSA 3072+). The public key is sent to the server as a JWK (JSON Web Key), and all subsequent requests are signed with the private key via JWS.

The key is the account's identity. The ACME server responds with an account URL that the client uses in all subsequent requests. If the key is already registered, the server returns the existing account.

EAB: External Account Binding

FairSSL and other commercial ACME servers use EAB (RFC 8555 §7.3.4) to bind the ACME account to an existing customer account. During account registration, the client includes an externalAccountBinding field with:

  • Key ID (kid): identifies your FairSSL account
  • HMAC Key: a shared secret to sign the binding

Both are generated in the FairSSL portal under ACME settings.

Example: newAccount request

POST /acme/new-account
Content-Type: application/jose+json

{
  "protected": "...base64url(header)...",
  "payload": "...base64url({
    "termsOfServiceAgreed": true,
    "contact": ["mailto:admin@your-domain.com"],
    "externalAccountBinding": {...}
  })...",
  "signature": "...JWS..."
}

The account key is not the certificate key. The ACME account key is used to authenticate requests. The certificate key is generated separately and sent in the CSR step (step 5). These are two independent key pairs.

3 Create order (newOrder)

The client sends a newOrder request with a list of domain names (identifiers). The server returns an order with status pending and a list of authorization URLs, one per domain name. 

// newOrder request payload
{
  "identifiers": [
    { "type": "dns", "value": "your-domain.com" },
    { "type": "dns", "value": "www.your-domain.com" }
  ]
}

// Server response
{
  "status": "pending",
  "expires": "2026-03-19T12:00:00Z",
  "authorizations": [
    "https://acme.fairssl.dk/acme/authz/abc123",
    "https://acme.fairssl.dk/acme/authz/def456"
  ],
  "finalize": "https://acme.fairssl.dk/acme/order/xyz/finalize"
}

Order states

An order goes through the following states (defined in RFC 8555 §7.1.6):

pending ready processing valid

pending: waiting for validations. ready: all domains validated, ready for finalize. processing: the CA is signing the certificate. valid: certificate ready for download. The order can also go to invalid (validation failed) or expired (timeout).

4 Domain validation (challenges)

For each domain, the client fetches an authorization that contains one or more challenges. The client selects one challenge type, responds to it, and tells the ACME server it is ready. The CA verifies the response and marks the authorization as valid.

HTTP-01

The client places a file under /.well-known/acme-challenge/ on port 80. The CA retrieves the file via HTTP GET.

  • Port 80 must be open
  • No redirects allowed
  • Cannot be used for wildcards
  • Each SAN name is validated separately

DNS-01

The client creates a TXT record _acme-challenge.domain with a SHA-256 hash of the token + account key.

  • No open ports required
  • Works behind firewalls
  • Supports wildcards
  • Can be delegated via CNAME

TLS-ALPN-01

The client serves a self-signed certificate with the acmeIdentifier extension on port 443 via ALPN (RFC 8737).

  • Port 443 must be controlled temporarily
  • Rarely used in practice
  • Cannot be used for wildcards

For a detailed walkthrough of each validation method with examples and troubleshooting, see our guide to ACME validation: HTTP-01, DNS-01, and TLS-ALPN-01.

5 Finalize: CSR and certificate signing

When all authorizations are valid, the order transitions to ready. The client now sends a finalize request with a CSR (Certificate Signing Request) in DER format, base64url-encoded.

The CSR contains the public key for the certificate (not the account key) and the requested domain names as Subject Alternative Names. The ACME server verifies that the domain names in the CSR match those in the order, forwards to the CA for signing, and the order transitions to processing. 

// Finalize request
POST /acme/order/xyz/finalize

{
  "csr": "MIIBkTCB...base64url-encoded-DER..."
}

// Server response (order transitions to processing, then valid)
{
  "status": "valid",
  "certificate": "https://acme.fairssl.dk/acme/cert/abc123"
}

Key choice: We recommend ECDSA P-384 or RSA 3072 for most environments. Avoid RSA 2048: it will be the first key size to be blocked when requirements tighten.

CSR domains must match the order. If the CSR contains a domain not in the order, or vice versa, the server rejects with an error. Most ACME clients handle this automatically.

6 Download the certificate chain

When the order is valid, the client fetches the certificate from the URL the server provided in the finalize response. The response is a PEM chain: leaf certificate + intermediate(s). The client installs the certificate and corresponding private key on the server.

ACME clients such as simple-acme, Certbot, and Lego handle the entire installation automatically: they save the certificate and key, bind to IIS/Nginx/Apache, and restart services as needed. 

# Certificate chain (PEM format)
-----BEGIN CERTIFICATE-----
MIIFjTCCBHWgAwIBAgI...  (leaf: your-domain.com)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEtjCCA56gAwIBAgI...  (intermediate: CA)
-----END CERTIFICATE-----

The entire flow from newOrder to certificate typically takes under 15 seconds for DV certificates with HTTP-01 or DNS-01 (assuming DNS has propagated). For FairSSL ACME with Auto DNS, the typical time is under 30 seconds including DNS propagation.

ACME Renewal Information (ARI)

ARI (RFC 9773) is an extension to ACME that lets the CA signal the optimal renewal window for each certificate. Without ARI, clients renew based on a fixed interval (e.g. "30 days before expiry"). With ARI, the client asks daily: "when should I renew this certificate?" and the CA responds with a precise window.

Why ARI is critical from 2026

With shorter certificate lifetimes (200 days from March 2026, 100 days from 2027, 47 days from 2029), the margin for error is minimal. A fixed 30-day renewal interval gives only 17 days of buffer with 47-day certificates. If renewal fails multiple times, the certificate expires.

Without ARI

  • Fixed renewal time (client configuration)
  • CA cannot signal early renewal
  • Revocation requires manual action
  • All clients renew simultaneously (load spikes)

With ARI

  • CA determines the renewal window dynamically
  • Revocation triggers immediate renewal
  • Key compromise: CA can force all clients to renew
  • Load is distributed automatically (randomized within the window)
# ARI endpoint response
GET /acme/renewal-info/certID

{
  "suggestedWindow": {
    "start": "2026-04-15T00:00:00Z",
    "end":   "2026-04-20T00:00:00Z"
  }
}

Our top recommendation for 2026: do not use an ACME client without ARI support if you can avoid it. Simple-acme, Lego, and Certbot 3+ support ARI. See our ACME client overview for a complete comparison.

FairSSL Auto DNS: DNS-01 as a managed service

DNS-01 is the most flexible validation method, but normally requires the ACME client to have API access to your DNS provider. FairSSL Auto DNS eliminates this need with CNAME delegation.

Setup (one-time)

  1. 1 Create a CNAME record: _acme-challenge.your-domain.com CNAME your-domain.com.acme.fairssl.dk.
  2. 2 The ACME client sends a validation request to the FairSSL ACME server
  3. 3 FairSSL creates the TXT record automatically in our validation zone
  4. 4 The CA follows the CNAME chain, finds the TXT record, and the certificate is issued 
# Verify CNAME setup
nslookup -type=CNAME _acme-challenge.your-domain.com
_acme-challenge.your-domain.com  canonical name = your-domain.com.acme.fairssl.dk.

The CNAME record is set up once. After that, FairSSL handles all DNS validation automatically for all future issuances and renewals. See the Auto DNS documentation for details.

Monitoring and operations

Automation is only valuable if you can verify that it works. The FairSSL portal provides an overview of all ACME-managed certificates.

Dashboard

Central overview of all certificates: status, expiry date, last renewal, and CA. Colour codes indicate when certificates are approaching expiry.

Last contact

We record when each ACME client last contacted the server. If a client has not checked in for too long, you receive a notification.

Expiry alerts

Automatic notifications when a certificate is approaching expiry without having been renewed. A safety net against forgotten automation.

Related content

ACME clients

Comparison of simple-acme, Certbot, Lego, and acme.sh.

Auto DNS

DNS-01 validation with CNAME delegation. No API keys required.

FairSSL vs Let's Encrypt

EAB, multi-CA, OV/EV support, and the key differences.

Validation guide

HTTP-01, DNS-01 and TLS-ALPN-01 with examples and troubleshooting.

Simple-ACME guide

Complete setup guide for Windows Server with IIS.

What is SSL?

From basic HTTPS to cipher suites and Certificate Transparency.

Frequently asked questions about ACME

Find answers to the most common questions about SSL certificates and FairSSL.

HTTP-01 requires the ACME client to place a file on port 80, which the CA retrieves. DNS-01 requires a TXT record in DNS. DNS-01 is more flexible: it works behind firewalls, load balancers, and for wildcard certificates.
EAB links your ACME client to your FairSSL account. You generate an EAB Key ID and HMAC Key in the FairSSL portal and provide them during the initial account registration. All subsequent certificate requests from that client are then billed to your account. EAB is defined in RFC 8555 section 7.3.4.
ARI (ACME Renewal Information, RFC 9773) lets the CA tell the client the optimal renewal time. Typically about 33% of the lifetime before expiry. With 200-day certificates (2026) that means renewal approximately every 133 days. With 47-day certificates (2029) approximately every 31 days. The client checks daily and renews automatically.
Yes. Use DNS-01 challenge with FairSSL Auto DNS. You set up a CNAME record pointing to our validation server, and we handle DNS challenges for you. No inbound connections to your server.
Both use the ACME protocol (RFC 8555). Let's Encrypt only issues DV certificates from one CA and requires no account. FairSSL ACME issues from DigiCert, GlobalSign, and Sectigo, supports OV/EV (with prior validation), and uses EAB for account binding. See the full comparison.
ACME clients have retry logic. If the server is unavailable, the client tries again at the next scheduled run (typically daily). With ARI enabled, the client has a renewal window of several days, so brief downtime is unproblematic. Without ARI, renew with good margin (we recommend at least 15 days of buffer).
Yes. Wildcards require DNS-01 validation (specified in RFC 8555). With FairSSL Auto DNS the setup is a single CNAME record. Note that you need two separate validations: one for *.your-domain.com and one for your-domain.com (the apex domain is not covered by the wildcard).

Get started with SSL automation

Create a free account and issue your first certificate in under 10 minutes.

Create free account Compare certificates