Automatic Certificate Management Environment (ACME)

Automated certificate issuance and renewal for apps, services, and Kubernetes — powered by our ECSAPI-based ACME gateway and Keyfactor.

What is ACME & why it matters

ACME automates domain control validation and certificate lifecycle — issuance, renewals, and revocation — via a standard protocol.

  • Reduce outages from expired certs; renew early and automatically.
  • Lower operational toil; integrate into CI/CD and GitOps.
  • Consistent policy enforcement via centralized issuance.

Our architecture

We expose multi-tenant ACME endpoints from ECSAPI and broker enrollment to Keyfactor Command. Directory URLs follow a hierarchy:

/acme/<tenant>/<use-case>/directory

Domain control is validated via HTTP-01 or DNS-01; certificates are issued by the integrated CAs.

Quick start

  1. Get your Directory URL and EAB key.

  2. Pick a client and configure it.

  3. Choose HTTP-01 or DNS-01 validation.
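Added example, not code from this page or from the ECSAPI/Keyfactor gateway: a pre-flight check of the tenant directory document and the RFC 8555 External Account Binding (EAB) JWS that ties a new ACME account to the EAB key from step 1, plus the gateway-side verification of that binding. The host, tenant, use-case, KID, MAC key and account JWK are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample directory for a tenant endpoint of the form
# /acme/<tenant>/<use-case>/directory; host and path segments are placeholders.
DIRECTORY_URL = "https://acme-gateway.example/acme/<tenant>/<use-case>/directory"
SAMPLE_DIRECTORY = {
    "newNonce": DIRECTORY_URL.replace("directory", "new-nonce"),
    "newAccount": DIRECTORY_URL.replace("directory", "new-account"),
    "newOrder": DIRECTORY_URL.replace("directory", "new-order"),
    "revokeCert": DIRECTORY_URL.replace("directory", "revoke-cert"),
    "meta": {"externalAccountRequired": True},
}

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWS/ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def check_directory(directory: dict) -> bool:
    """Pre-flight: every endpoint a client needs must be present. Returns whether
    the tenant requires EAB, i.e. anonymous accounts cannot enrol."""
    for key in ("newNonce", "newAccount", "newOrder", "revokeCert"):
        if key not in directory:
            raise ValueError(f"ACME directory is missing '{key}'")
    return bool(directory.get("meta", {}).get("externalAccountRequired", False))

def build_eab(kid: str, hmac_key_b64url: str, account_jwk: dict, new_account_url: str) -> dict:
    """RFC 8555 section 7.3.4: HS256 JWS over the account's public JWK, keyed with the
    CA-issued MAC key and bound to the newAccount URL. The result goes into the
    'externalAccountBinding' field of the newAccount request."""
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    mac = hmac.new(b64url_decode(hmac_key_b64url), f"{protected}.{payload}".encode(),
                   hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}

def verify_eab(eab: dict, hmac_key_b64url: str, new_account_url: str) -> bool:
    """Gateway-side check: the binding must name this endpoint's newAccount URL
    (no replay against another tenant) and the MAC is compared in constant time."""
    header = json.loads(b64url_decode(eab["protected"]))
    if header.get("alg") != "HS256" or header.get("url") != new_account_url:
        return False
    expected = hmac.new(b64url_decode(hmac_key_b64url),
                        f"{eab['protected']}.{eab['payload']}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))
```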

High‑level architecture

Supported ACME clients

Certbot

Popular, well‑documented Python client. Works with HTTP‑01 or DNS‑01 for web-based apps and servers.

# Wildcard names such as *.example.com can only be validated with DNS-01; plain hostnames also work with http-01.
certbot certonly --server <DIRECTORY_URL> --eab-kid <KID> --eab-hmac-key <EAB_HMAC_KEY> \
  --manual --preferred-challenges dns-01 -d example.com -d "*.example.com"

https://certbot.eff.org/

cert-manager (Kubernetes)

Kubernetes controller that issues and renews certificates automatically from Issuer and ClusterIssuer resources.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: keyfactor-acme
spec:
  acme:
    server: <DIRECTORY_URL>
    externalAccountBinding:
      keyID: <KID>
      keySecretRef:
        name: eab-secret
        key: secret
      keyAlgorithm: HS256
    privateKeySecretRef:
      name: keyfactor-acme-account
    solvers:
      - dns01:
          route53:
            region: us-east-1

https://cert-manager.io/docs/configuration/acme/


Useful links