
Comparison of ACME Clients and Assistance with Choosing a Client for EAB ACME

What is the ACME Protocol and an ACME Client

ACME (Automated Certificate Management Environment) is a protocol that fully automates the issuance, renewal, and management of SSL/TLS certificates. In practice, it eliminates the need for manual generation of requests (CSR), domain validation, and certificate installation, significantly simplifying the whole process and reducing the risk of errors. ACME communicates directly with the certificate authority and uses standardized challenges (e.g., HTTP-01 or DNS-01) to verify that the applicant actually owns the given domain. Thanks to this, certificates can be obtained within seconds and also regularly renewed automatically before expiration.

An ACME client is a tool or piece of software that implements this protocol on the user side. Its task is to communicate with the ACME server (typically operated by the certificate authority), generate keys, solve validation challenges, and install the issued certificates into the server or infrastructure. Well-known ACME clients include Certbot, acme.sh, and the tools integrated into modern hosting platforms. A correctly configured ACME client enables fully unattended operation – certificates are issued and renewed automatically, which is an ideal solution for scalable environments and for the secure management of web services.

Overview of ACME Client Features

All ACME clients listed in the table can automatically validate a domain and issue a certificate using ACME, including integration with DigiCert EAB. This is the basic prerequisite for inclusion; a client that could not do this would have no place in the overview.

The columns are grouped on the original page as Basic Information and Complexity (Operating System, EAB ACME Support, Installation Method), Certificate Automation (Server Installation, Renewal Scheduling, DNS API Support), Technical Parameters (Language, Tested) and Summary (Suitable for).

| Client | Operating System | EAB ACME Support | Installation Method | Server Installation | Renewal Scheduling | DNS API Support | Language | Tested | Suitable for |
|---|---|---|---|---|---|---|---|---|---|
| Certbot | Linux, macOS | ✅ Yes | System package (apt / snap) | ✅ Full (Apache, Nginx) | ✅ Automatic (systemd timer) | 50+ (plugins) ⚡ | Python | YES | Recommended, Linux web servers (Apache / Nginx) |
| win-acme | Windows Server | ✅ Yes | Installation wizard (.exe) | ✅ Full (IIS) | ✅ Automatic (Task Scheduler) | 30+ ⚡ | C# (.NET) | YES | Windows Server / IIS |
| Certify The Web | Windows | ✅ Yes | Installer (.msi) | ✅ Full (IIS, Exchange, SQL, API) | ✅ Automatic (custom service) | 100+ (including local scripts) | C# (.NET) | YES | Beginners on Windows, has GUI and post-processing |
| SimpleACME (WACS) | Windows Server | ✅ Yes | Zip / binary .exe | ✅ Full (IIS, RDS, Exchange) | ✅ Automatic (Task Scheduler) | 40+ (incl. Posh-ACME plugins) ⚡ | C# (.NET) | YES | Successor to win-acme for Windows/IIS |
| Cert-manager | Kubernetes (Linux) | ✅ Yes | Helm chart / manifests | ✅ Full (Ingress / Gateway API) | ✅ Automatic (controller loop) | 60+ (natively + plugins) | Go | NO | Kubernetes and cloud-native environments |
| acme.sh | Linux, macOS, Unix | ✅ Yes | Installation script (curl) | ⚙️ Partial (deploy hook) | ✅ Automatic (cron) | 150+ (natively) ⚡ | Shell (Bash) | YES | Recommended, ideal for DNS automation and DevOps |
| Lego | Linux, macOS, Windows | ✅ Yes | Download binary file | ⚙️ Partial (deploy hook) | ⚙️ External scheduler must be configured | 180+ (natively) ⚡ | Go | YES | Cloud, Docker, CI/CD |
| Posh-ACME | Windows, Linux (PS Core) | ✅ Yes | PowerShell Gallery | ⚙️ Partial (scripts) | ✅ Automatic (Task Scheduler) | 100+ | PowerShell | | Windows automation and scripting |
| dc-acme | Linux, Windows | ✅ Yes | Installation script (curl / PS) | ⚙️ Partial (filesystem / custom handlers) | ✅ Automatic (system service) | UltraDNS, Cloudflare, Route53, Azure | Java / TOML | | Enterprise environments (DigiCert MPKI / ONE) |
Explanations:
✅ Fully automatic – everything happens without user intervention.
⚙️ Partially automatic – requires manual setup or scripting.
⚡ A DNS plugin for CZECHIA.COM/RegZone is available, either in the project itself or separately on GitHub.

How to Choose the Right ACME Client

The choice of an ACME client depends on your goals. You may only want to issue a certificate and then work with it manually or via scripts, or you may want to set up complete automation of the certificate lifecycle on a web server and not have to think about it afterwards. The criteria that matter for the selection are the following.

Automation of the entire certificate lifecycle consists of several parts that the ACME client must be able to solve:

  • Communication with the CA - for OV and EV certificates, EAB ACME support is required on the client side. Not every client supports EAB; for example, the native ACME implementation in nginx does not support EAB.
  • Automatic Domain Validation - with each certificate issuance, domain control validation (DCV) must take place, or the domain must be pre-validated. Without automatic domain validation, future issuances (renewals) cannot proceed unattended.
    • HTTP-01: A validation file is exposed on the server and checked by the CA over port 80.
    • DNS-01: The validation record is set in the domain's DNS zone. To change the DNS record, a plugin for the DNS provider's API is needed (Cloudflare, CZECHIA.COM).
  • Issuing Certificates - DV certificates are issued immediately; for OV and EV, the organization must be verified, which is handled by pre-validation. The ACME client stores the issued certificate locally on disk, next to the private key it already holds there. The certificate can then be further processed by scripts (deploy hook).
  • Installation/Setup of the Certificate on the Server - installing the certificate into the appropriate service on the web server. This requires editing configuration files and restarting the service. Installation is typically possible only on Apache, nginx, and IIS web servers.

Not every ACME client meets all requirements. Therefore, we created an overview table to facilitate selection.

What to Do If the ACME Client Does Not Support My Server

It is typical for ACME clients to be able to set the issued certificate on the most common web servers - Apache, nginx, and IIS. Often, that's where their capabilities end. If you need to automate certificates on a server that is not supported by ACME clients, you need to split the automation into the issuance phase and the deployment phase of the certificate.

You can always automate the issuance using acme.sh and DNS-01; the certificate can then be issued on any machine, without running the ACME client directly on the target server as HTTP-01 would require. The issued certificate then has to be transferred to the target server and deployed there, which must be scripted individually for the specific type of web server.
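The two-phase approach described above (the lifecycle steps from the previous section handled by acme.sh with EAB and DNS-01 on a helper host, then a separately scripted deployment to a server no ACME client can configure) could look like the following added example, which is not code from this article or from the acme.sh project. The domain, target host, paths, reload command and EAB values are placeholders; the acme.sh flags and the dns_cf plugin (which reads CF_Token / CF_Account_ID from the environment) are used as acme.sh documents them.

```shell
#!/bin/sh
# Added example (not from the SSLmarket article or the acme.sh project):
# phase 1 issues with acme.sh + EAB + DNS-01 on this host, phase 2 pushes the
# files to a target server. Hostnames, paths and EAB values are placeholders.
set -eu

DOMAIN="www.example.com"                     # assumed domain
ACME_DIRECTORY_URL="https://ACME-DIRECTORY-URL-FROM-YOUR-CA-ACCOUNT"  # placeholder
EAB_KID="EAB-KEY-ID-PLACEHOLDER"             # placeholder, from the CA portal
EAB_HMAC_KEY="EAB-HMAC-KEY-PLACEHOLDER"      # placeholder, from the CA portal
TARGET_HOST="deploy@app01.example.com"       # assumed SSH target
TARGET_DIR="/etc/ssl/app"                    # assumed directory on the target
RELOAD_CMD="sudo systemctl reload haproxy"   # assumed service reload on the target
OUT_DIR="${HOME}/certs/${DOMAIN}"

# Phase 1: issuance with DNS-01, so nothing has to run on the target server.
issue_cert() {
  # EAB binds the ACME account to your CA account (required for OV/EV).
  acme.sh --register-account --server "$ACME_DIRECTORY_URL" \
          --eab-kid "$EAB_KID" --eab-hmac-key "$EAB_HMAC_KEY"
  # The dns_cf plugin reads CF_Token / CF_Account_ID from the environment.
  acme.sh --issue --server "$ACME_DIRECTORY_URL" --dns dns_cf -d "$DOMAIN"
  mkdir -p "$OUT_DIR"
  acme.sh --install-cert -d "$DOMAIN" \
          --key-file "$OUT_DIR/privkey.pem" \
          --fullchain-file "$OUT_DIR/fullchain.pem" \
          --reloadcmd "$0 deploy"   # acme.sh re-runs this after each renewal
}

# Checks before anything leaves this host: succeeds only if both files are
# non-empty PEM and the private key is readable by its owner alone.
check_cert_files() {
  key="$1"; chain="$2"
  [ -s "$key" ] && [ -s "$chain" ] || return 1
  grep -q -- '-----BEGIN CERTIFICATE-----' "$chain" || return 1
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || return 1
  perms=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$perms" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Phase 2: copy to the target and reload the service there.
deploy_cert() {
  check_cert_files "$OUT_DIR/privkey.pem" "$OUT_DIR/fullchain.pem"
  scp -p "$OUT_DIR/privkey.pem" "$OUT_DIR/fullchain.pem" "$TARGET_HOST:$TARGET_DIR/"
  ssh "$TARGET_HOST" "$RELOAD_CMD"
}

case "${1:-}" in issue) issue_cert ;; deploy) deploy_cert ;; esac
```

Run it once with `issue` on the helper host; every later renewal triggers the `deploy` phase through the reload command.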

Consult with Our Support

If this article did not answer all your questions, do not hesitate to contact our SSLmarket support. Live experts are available to you daily.