Last time, we talked about how SSL/TLS certificates are getting shorter and shorter, with lifespans potentially dropping to just 47 days by 2029. Sounds like a headache, right? Who wants to manually renew certs every month and a half?
In this follow-up, we’re diving into how you can automate the process using ACME (Automatic Certificate Management Environment), and we’ll check out some of the tools already available to make cert renewals something you don’t have to think about.
What is ACME?
ACME was created in 2016 by the Internet Security Research Group. It was originally created to power certificate services for Let’s Encrypt.
The original ACME version was groundbreaking, even though it only supported single domains. In 2018, ACME v2 took things to the next level by adding support for wildcard certificates, multiple subdomains, and domain ownership verification. Adoption skyrocketed when the Internet Engineering Task Force (IETF) officially standardized the protocol in RFC 8555 in 2019. With v2 paving the way forward, ACME v1 was officially phased out in June 2021.
How Does It Work?
An easy example would be hosting a web server like IIS or Nginx that you want to serve content over HTTPS. To do that, you'll need a valid SSL/TLS certificate. In a manual process, you'd typically generate a CSR, go to your favorite web hosting company, and purchase a certificate. You'd then need to take that certificate and install it on your web server. This wasn't much of a pain when a cert lasted multiple years. Could you imagine doing that process every 47 days?
An ACME client can run on that web server and handle certificate-related tasks like issuance and revocation. The client talks directly to a Certificate Authority (like Let’s Encrypt), handles domain verification, and retrieves your certificate. Some tools even go a step further, automatically applying the new certificate to your web server configuration, saving you from manual steps.
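An added example (not code from the original post or from any ACME client) of the scheduling logic behind that automation: it reads a certificate's validity window in the format Python's ssl.getpeercert() returns and decides whether renewal is due. It assumes the rule of thumb of renewing once a third of the lifetime remains; the 47-day sample certificate and the fetch_validity helper are constructed for illustration.

```python
"""Renewal-window check for short-lived TLS certificates (stdlib only).

Assumption (not from the article): renew once a third of the certificate's
lifetime remains, the rule of thumb used for 90-day Let's Encrypt certs.
"""
import socket
import ssl
from datetime import datetime, timezone

RENEW_AT_REMAINING_FRACTION = 1 / 3  # assumed renewal policy


def renewal_status(not_before: str, not_after: str, now=None) -> dict:
    """Return lifetime/remaining days and whether renewal is due.

    Dates use the format ssl.getpeercert() returns, e.g. 'Jan  1 00:00:00 2029 GMT'.
    """
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    lifetime = end - start
    remaining = end - now_ts
    return {
        "lifetime_days": round(lifetime / 86400, 1),
        "remaining_days": round(remaining / 86400, 1),
        "expired": remaining <= 0,
        "renewal_due": remaining <= lifetime * RENEW_AT_REMAINING_FRACTION,
    }


def fetch_validity(host: str, port: int = 443) -> tuple:
    """Fetch (notBefore, notAfter) from a live server's leaf certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return cert["notBefore"], cert["notAfter"]


# Constructed sample: a 47-day certificate, checked 35 days and 9 days into its life.
SAMPLE_NOT_BEFORE = "Jan  1 00:00:00 2029 GMT"
SAMPLE_NOT_AFTER = "Feb 17 00:00:00 2029 GMT"  # 47 days after notBefore
SAMPLE_NOW = datetime(2029, 2, 5, tzinfo=timezone.utc)        # 12 days left
SAMPLE_EARLY_NOW = datetime(2029, 1, 10, tzinfo=timezone.utc)  # 38 days left

if __name__ == "__main__":
    print(renewal_status(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, SAMPLE_NOW))
```

Run it on a schedule (cron or a scheduled task) and feed the host list through fetch_validity to catch certificates that your ACME client silently failed to renew.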
A quick GitHub search shows over 130 public repositories tagged with "acme-client." Some of the more popular tools you might’ve heard of include Certbot, Certify, and others, each built with a specific use case or platform in mind. The best part? Most of them are completely free.
Of course, there are also paid tools that offer enhanced features and support, often well worth the investment in the right environment. One solid example is Certify The Web, a Windows-based application that simplifies ACME automation. It can directly update IIS, Remote Desktop Services, and other Windows-based web services with freshly issued certs, no manual effort required.
Why Should We Automate?
Having worked with various MSPs over the years, I’ve seen more than a few outages caused by certificate issues. When they hit, they are inconvenient, and these outages come with risks, be it security, cost, relationships or sanity. It might take you some time to automate the process, but that will be time saved in the future. With prebuilt tools at your fingertips, you are closer than ever to fully automating your certificate management.
By automating, you:
- Minimize human error
- Improve security posture
- Reduce the risk of service outages
- Enhance your compliance standards
- Have peace of mind
Ready to Ditch Manual Cert Renewals?
The shift to shorter SSL/TLS lifespans isn’t slowing down, but with the right tools and a bit of setup, it doesn’t have to be your problem. Start exploring ACME-based automation today and take “expired certificate” off your list of potential fire drills. We are here to help. Whether you're managing one server or a fleet, automation is the future, and it’s never been more accessible.