+49 (0) 7245 919 581 info@eunetic.com
[EN]
Login
  1. Home
  2. europeanSSL Knowledge Base
  3. EuropeanSSL ACME CaaS (Certificates as a Service)
  4. What does ACME mean and how does the ACME protocol work?
europeanSSL
Knowledge Base

What does ACME mean and how does the ACME protocol work?

ACME (Automatic Certificate Management Environment) is a protocol for automating the issuance, renewal, management, and also the revocation of SSL/TLS certificates. It standardizes the communication between an ACME client (e.g., on a web server) and the EuropeanSSL ACME server (CA) to enable certificate management without manual intervention.


How does the ACME process with EuropeanSSL work technically?

1
Preparations

In the Eunetic customer interface, an ACME account is created and then all required domain names (including wildcard domains) are enabled for certificate issuance. If OV (organization validation) is desired, the corresponding validations are carried out before the certificate request and assigned to the respective domains.

2
Client Registration & Request
  • An ACME client (e.g., Certbot, win-acme) is installed on the server.
  • The client creates a key pair and registers with the EuropeanSSL ACME server via the corresponding ACME directory URL.
  • Communication takes place REST-based and encrypted via HTTPS – all messages are in JSON format, signed, and protected against replay attacks by nonces.
3
Domain validation via challenge

After applying for a certificate for a domain, EuropeanSSL requires proof of control, usually via an “ACME Challenge”:

  • HTTP-01 Challenge: The client places a file containing a token received from the server at a specific path, usually /.well-known/acme-challenge/<Token>. The EuropeanSSL ACME server retrieves this URL and checks the content and signature.
  • DNS-01 Challenge: A special TXT DNS record is set for the domain, which also contains a token.
  • TLS-ALPN-01 Challenge: Here, a special certificate is provided during a TLS handshake using its own ALPN protocol name (see RFC 8737).

Depending on the challenge, EuropeanSSL actively checks from various locations to make manipulation during validation more difficult.

4
Certificate issuance
  • After successful validation, the client generates a Certificate Signing Request (CSR) that contains all the information necessary for the certificate (including the public key).
  • The CSR is transmitted to the EuropeanSSL server via the ACME protocol.
  • The EuropeanSSL server signs the certificate and makes it available to the client for download – usually as a PEM or DER file for automatic installation.
5
Certificate Renewal and Revocation
  • The ACME client takes care of the timely renewal within the defined validity period of the certificate (usually 90 days) – the entire process is then repeated automatically.
  • A possible revocation (e.g., in case of compromise of the private key) can also be carried out via the ACME specification.


Trust structure & chains

EuropeanSSL uses intermediate and root certificates that are classified as trustworthy on common operating systems and browsers. The certificates are based on a so-called “chain of trust”, with transparent downloads and chain information provided individually for each issued certificate.

  • Security: All communication is TLS-encrypted, all transactions are signed (e.g., with ES256/ECDSA or RS256/RSA).

  • Challenge-based authorization ensures that only the actual domain owner receives certificates.

  • RESTful JSON-API ensures a uniform, script-based automation, even for complex server structures and large numbers of domains.

  • Advanced options: EuropeanSSL certificates support additional validation levels such as Organization and Extended Validation, if necessary.

Related topics:

Was this article helpful?

No Yes
You may also be interested in...
Year in review: The top cyber security threats of 2023 and how to prepare for 2024

The year 2023 has been packed with technological advances, which has also evolved the tactics used by cybercriminals to exploit vulnerabilities and compromise sensitive data.

18.01.2024 IT Security
The importance of regular security audits for your IT infrastructure

In this article, we tackle the critical issue of regular security audits and discuss why these audits are essential, their benefits, and how they work.

31.05.2024 IT Security
The effects of the GDPR on IT security

This article looks at the impact of the GDPR on IT security and explains its role in strengthening data protection safeguards, reshaping cybersecurity strategies and promoting a culture of data protection.

21.06.2024 Data protection
Exploring the Variances Between Email Encryption and Email Authentication

Unlock the secrets of email security! Dive into our comprehensive guide on the crucial roles of email encryption and authentication, their mechanisms, benefits, and best practices.

04.04.2025 E-Mail
Secure Your Business Email Accounts: 10 Essential Steps

Discover how to fortify your business email against cyber threats! Learn the top 9 essential steps in our latest guide to boost your email security and protect sensitive data.

30.05.2025 E-Mail
How to detect and avoid a phishing attack

Protecting Your Business from Phishing Attacks: Types, Dangers, and Prevention Strategies. Learn how to recognize and avoid phishing attacks to safeguard your company's data and reputation.

06.10.2023 IT Security
How to protect your company from insider threats

Insider threats are another major threat to organizations, in addition to external threats. In this article, you will learn what exactly insider threats are, why they arise and how you can protect your company against them.

20.10.2023 IT Security
Security Considerations for Cloud Services

Cloud services offer notable advantages such as scalability, cost-efficiency and accessibility, but also raise significant security concerns that cannot be overlooked. As organizations migrate their operations to the cloud, ensuring the security of sensitive data and resources becomes a priority. While the cloud offers unmatched convenience and flexibility, it also brings new challenges that organizations must address comprehensively.

01.03.2024 Cloud
Top WAF Features to Look for in 2025

Discover the future of web security! Learn the top WAF features in 2025, from AI integration and zero-day attack protection to advanced threat intelligence and API security. Stay ahead in cybersecurity!

27.12.2024 WAF