You probably don't need private PKI for internal infrastructure
Most teams assume internal infrastructure needs a private CA. It doesn’t - and skipping it saves you from a maintenance burden that never fully works anyway.
Any sufficiently complicated SSL certificate renewal system contains an ad hoc, informally-specified, bug-ridden, slow implementation of half a certificate lifecycle manager. I’m taking credit for this one.
Let’s Encrypt ran their first annual mass revocation drill, shortening ARI renewal windows across 3 million production certificates. Here’s what happened.
Certbot solved certificate issuance. It’s great at that. The hard part is everything that happens after: getting the certificate file to every server that needs it, in the right format, with the right permissions, and confirming each one is actually serving it. Nobody handed you a solution for that.
When a CA has to revoke hundreds of thousands of certificates on a short deadline, email notifications aren’t enough. ARI is the protocol that lets the CA tell your client directly: renew now. Here’s how it works, and why most ACME clients can’t actually respond in time.
CertKit now polls Let’s Encrypt multiple times a day to check when each certificate should renew. That means mass revocations happen automatically, without you doing anything. We also added support for 6-day certificates for environments where 90 days isn’t short enough.
Certbot ran. The logs show success. Exit code 0. LinkedIn found out the hard way that renewed and deployed are not the same thing. The verify step is the part of certificate automation nobody builds until after the outage.
Most teams “automate certificates” by installing an ACME client and calling it a day. Then they still ship an outage because the hard parts were never automated: knowing what exists, keeping validation safe, and verifying what’s actually being served.
Your nginx doesn’t need to understand ACME. Your mail server doesn’t need DNS credentials. Your VPN appliance can’t even run Certbot. They just need a certificate file. CertKit handles validation centrally and lets your servers subscribe to certificates.
Let’s Encrypt is cutting certificate lifetimes to 45 days by February 2028, a year ahead of the industry mandate. Here’s the rollout timeline and what changes if you’re still renewing manually.
Every service you onboard wants proof you control your domain. Most want your DNS credentials to automate that proof. There’s a better approach: CNAME delegation lets you authorize a service once without handing over the keys to your entire zone.
A new ACME validation standard coming in 2026 lets you authorize a CA once and never touch DNS again for renewals. The security model is defensible, but even its supporters admit the optics are questionable.
HTTPS went from 40% to over 90% of web traffic in a decade and the ACME protocol made that possible. Here’s how the ACME order flow works, how HTTP-01 and DNS-01 challenges differ, and what ACME still doesn’t handle.
It started as 47 beautiful lines of bash. Now it’s a distributed certificate system built on thousands of command line incantations nobody understands, running on every server and some of the printers. If someone looks at it the wrong way, a certificate expires.