ACME and EAB: Support for Web Servers (Status as of 10/2025)
14 Oct 2025 | Jindřich Zechmeister
Learn how to use ACME and EAB to automate TLS certificates. We compare support on Nginx, Apache, LiteSpeed, and others, tips for DigiCert, and hassle-free implementation.
```htmlACME serves to manage the lifecycle of certificates - from request and installation to renewal. You have been able to use ACME on SSLmarket for several years. Let's take a look at the state of ACME support for individual web servers.
ACME protocol and web servers
The ACME protocol was originally used independently through clients, where you would issue a TLS certificate via some program and this "ACME client" would also install it on the web server. The most well-known ACME client is Certbot, and the initial support for the Apache web server gradually expanded, even to Windows Server and IIS.
The current trend is the integration of the ACME client directly into the web server to obtain and deploy the certificate in a compatible way without needing additional software or interventions. You have "all-in-one". An example of a web server with a built-in ACME client is Caddy or OpenLiteSpeed. Recently, Nginx also gained native ACME support, but it still does not support EAB, so it cannot be used for DigiCert.
What is EAB in ACME
EAB (External Account Binding) is a mechanism in ACME that assigns your ACME client to a specific account at the certification authority. When creating an ACME account, the client uses a pair of data from the CA - the KID identifier and a secret HMAC key - to "pair" with your organization's account. Thanks to this, the CA knows who is requesting the certificate and can apply internal rules and issue even enterprise or paid certificates according to the account settings. EAB does not replace domain verification (HTTP-01/DNS-01); it only ensures that the request comes from an authorized account.
SSLmarket offers a completely unique feature - an overview of all certificates issued via ACME, which we will import to your user account with all metadata and information.
Current ACME support on web servers
The table below shows an overview of ACME protocol integration for individual web servers. Most already have ACME integrated and if they also support EAB, you can use certificates from DigiCert and automate them. You can easily and freely get ACME access in your SSLmarket account.
| Webserver / Platform | Native ACME Client | EAB Support | Type of Implementation | Note / Internal Client |
|---|---|---|---|---|
| Apache HTTP Server | No | Yes (via external client) | External (Certbot, acme.sh, lego…) | Plugin e.g. certbot-apache; EAB handled by client (works with DigiCert ACME). |
| NGINX (until 1.24) | No | Yes (via external client) | External (Certbot, acme.sh…) | Older NGINX without native ACME. |
| NGINX (from 1.25) | Yes | No | Native | Native ACME without EAB; use external client for DigiCert. |
| LiteSpeed / OpenLiteSpeed | Yes | Yes | Native (acme.sh internally) | Integrated client based on acme.sh; EAB fully supported (DigiCert ACME). |
| Caddy | Yes | Yes | Native | Built-in certificate management including EAB. |
| Traefik | Yes | Yes | Native | Internally manages certificates; EAB supported. |
| HAProxy | Partially (via hooks) | Yes (via external client) | External client (acme.sh, Certbot…) | Certificate issued by client; deployment via deploy-hook and reload HAProxy. |
| Lighttpd | No | Yes (via external client) | External client | acme.sh / dehydrated; EAB handled by client. |
| IIS / Exchange (Windows) | Yes | Yes | External (win-acme, Certify The Web) | Fully automatable; EAB supported (DigiCert ACME). |
| Tomcat / Jetty / Java servers | No | Yes (via external client) | External client + hooks | Conversion to JKS/PKCS12; EAB handled by client. |
| Postfix / Dovecot / Exim | No | Yes (via external client) | External client + hooks | Deployment via script; EAB handled by client. |
| Kubernetes (cert-manager) | Yes | Yes | Controller / issuer | EAB support; suitable for DigiCert ACME issuer. |
| Envoy Proxy | Experimental | Partially (via external managers) | Integration via SDS/cert-manager | ACME handled by external controller; EAB depends on client. |
| Cloud Platforms (Cloudflare / AWS / GCP) | Yes (own management) | Internal (outside standard EAB) | Cloud managed | Use external client for DigiCert ACME outside these services. |
Conclusion
You can use ACME to automate certificates practically anywhere. Basic instructions can be found in our help. If you encounter any difficulties or have questions, do not hesitate to contact our customer support.
```TLS certificate specialist
Certificated Sales Expert Plus
e-mail: jindrich.zechmeister(at)zoner.com
