Comparison of ACME Clients and Help Choosing a Client for EAB ACME

What is the ACME Protocol and an ACME Client

ACME (Automated Certificate Management Environment) is a protocol that enables fully automated issuance, renewal, and management of SSL/TLS certificates. In practice, it eliminates the need for manual CSR generation, domain validation, and certificate installation, which greatly simplifies the entire process and reduces the risk of errors. ACME directly communicates with the certificate authority and uses standardized challenges (e.g., HTTP-01 or DNS-01) to verify that the applicant truly owns the domain. This allows certificates to be obtained within seconds and also to be automatically renewed regularly before expiration.

An ACME client is a tool or software that implements this protocol on the user side. Its task is to communicate with the ACME server (i.e., the certificate authority's ACME endpoint), generate keys, solve validation challenges, and install the issued certificates into the server or infrastructure. Well-known ACME clients include Certbot, acme.sh, and the tools integrated into modern hosting platforms. A properly configured ACME client allows fully unattended operation – certificates are issued and renewed automatically, which is the ideal solution for scalable environments and the secure management of web services.

Overview of ACME Client Features

All ACME clients listed in the table can automatically verify and issue a certificate using ACME, including integration with DigiCert EAB. This is the basic prerequisite for using an ACME client; a client that could not do this would not belong in the overview.

The columns are grouped as Basic Information and Complexity (Operating System, EAB ACME Support, Installation Method), Certificate Automation (Server Installation, Renewal Scheduling, DNS API Support), Technical Parameters (Language, Tested) and Summary (Suitable For).

| Client | Operating System | EAB ACME Support | Installation Method | Server Installation | Renewal Scheduling | DNS API Support | Language | Tested | Suitable For |
|---|---|---|---|---|---|---|---|---|---|
| Certbot | Linux, macOS | ✅ Yes | System package (apt / snap) | ✅ Full (Apache, Nginx) | ✅ Automatic (systemd timer) | 50+ (plugins) ⚡ | Python | YES | Recommended; Linux web servers (Apache / Nginx) |
| win-acme | Windows Server | ✅ Yes | Installation wizard (.exe) | ✅ Full (IIS) | ✅ Automatic (Task Scheduler) | 30+ ⚡ | C# (.NET) | YES | Windows Server / IIS |
| Certify The Web | Windows | ✅ Yes | Installer (.msi) | ✅ Full (IIS, Exchange, SQL, API) | ✅ Automatic (custom service) | 100+ (including local scripts) | C# (.NET) | YES | Beginners on Windows; has a GUI and post-processing |
| SimpleACME (WACS) | Windows Server | ✅ Yes | Zip / binary .exe | ✅ Full (IIS, RDS, Exchange) | ✅ Automatic (Task Scheduler) | 40+ (incl. Posh-ACME plugins) ⚡ | C# (.NET) | YES | Successor to win-acme for Windows / IIS |
| Cert-manager | Kubernetes (Linux) | ✅ Yes | Helm chart / manifests | ✅ Full (Ingress / Gateway API) | ✅ Automatic (controller loop) | 60+ (natively + plugins) | Go | NO | Kubernetes and cloud-native environments |
| acme.sh | Linux, macOS, Unix | ✅ Yes | Installation script (curl) | ⚙️ Partial (deploy hook) | ✅ Automatic (cron) | 150+ (natively) ⚡ | Shell (Bash) | YES | Recommended; ideal for DNS automation and DevOps |
| Lego | Linux, macOS, Windows | ✅ Yes | Download binary file | ⚙️ Partial (deploy hook) | ⚙️ Requires external scheduler | 180+ (natively) ⚡ | Go | YES | Cloud, Docker, CI/CD |
| Posh-ACME | Windows, Linux (PS Core) | ✅ Yes | PowerShell Gallery | ⚙️ Partial (scripts) | ✅ Automatic (Task Scheduler) | 100+ | PowerShell | | Windows automation and scripting |
| dc-acme | Linux, Windows | ✅ Yes | Installation script (curl / PS) | ⚙️ Partial (filesystem / custom handlers) | ✅ Automatic (system service) | UltraDNS, Cloudflare, Route53, Azure | Java / TOML | | Enterprise environments (DigiCert MPKI / ONE) |
Explanations:
✅ Fully automatic – everything proceeds without user intervention.
⚙️ Partially automatic – requires manual setup or a script.
⚡ A DNS plugin for CZECHIA.COM/RegZone is available, either bundled with the project or published separately on GitHub.

How to Choose the Right ACME Client

Choosing an ACME client depends on your goals. You may want to simply issue a certificate and work with it manually or via scripts, or you may want to set up full automation of the certificate lifecycle on your web server and not worry about it again. The following criteria matter when choosing.

The automation of the entire certificate lifecycle consists of several parts that the ACME client must be able to handle:

  • Communication with the CA - For OV and EV certificates, EAB ACME support in the client is required. Not every client supports EAB; e.g., the native ACME implementation in Nginx does not support EAB.
  • Automatic Domain Verification - For every certificate issuance, domain verification (DCV) must be completed, or the domain must be pre-validated. Without automatic domain verification, future issuances (renewals) cannot proceed unattended.
    • HTTP-01: A verification file is exposed on the server and the CA fetches it over port 80.
    • DNS-01: A verification record is set in the domain's DNS zone. To change the DNS record, a DNS plugin for the DNS provider's API is needed (Cloudflare, CZECHIA.COM).
  • Certificate Issuance - DV certificates are issued immediately; for OV and EV, the organization must be verified, which is addressed by pre-validation. The ACME client saves the issued certificate locally to disk, alongside the private key it generated earlier. The certificate can be handled further using scripts (deploy hook).
  • Server Installation/Certificate Setup - Setting up (installing) the certificate in the appropriate service on the web server. This requires editing configuration files and restarting or reloading the service. Installation is typically possible only on Apache, Nginx, and IIS web servers.
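The first two items of the checklist above (EAB support and automatic domain verification) come down to two computations every ACME client performs. The following is an added example, written for this article and not taken from SSLmarket or from any of the clients in the table: it builds the externalAccountBinding that a newAccount request carries when the CA requires EAB (RFC 8555 section 7.3.4), shows the check the CA performs on it, and derives the HTTP-01 response body and the DNS-01 TXT value from a challenge token and the account key's JWK thumbprint (RFC 8555 sections 8.3 and 8.4, RFC 7638). The JWK coordinates, the EAB key ID and HMAC key, the newAccount URL and the token are all constructed sample values, not real credentials.

```python
# Added example: EAB binding and challenge-response computations of an ACME
# client. Not code from SSLmarket or from any ACME client project; all key
# material and identifiers below are constructed samples.
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the canonical JSON of the required members only."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def http01_key_authorization(token: str, jwk: dict) -> str:
    """Body the server must return at /.well-known/acme-challenge/<token> on port 80."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record value to publish at _acme-challenge.<domain>."""
    return b64url(hashlib.sha256(http01_key_authorization(token, jwk).encode()).digest())


def build_eab_jws(jwk: dict, eab_kid: str, eab_hmac_key: str, new_account_url: str) -> dict:
    """externalAccountBinding for the newAccount request (RFC 8555 section 7.3.4).

    Header: alg=HS256, the CA-issued key ID and the newAccount URL (no nonce).
    Payload: the account's public JWK. Signature: HMAC-SHA256 under the
    CA-issued MAC key (handed out base64url-encoded) over 'protected.payload'.
    """
    header = {"alg": "HS256", "kid": eab_kid, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode())
    mac = hmac.new(b64url_decode(eab_hmac_key), f"{protected}.{payload}".encode(), hashlib.sha256)
    return {"protected": protected, "payload": payload, "signature": b64url(mac.digest())}


def verify_eab_jws(eab: dict, outer_jwk: dict, mac_keys: dict, new_account_url: str) -> bool:
    """The CA-side check: known kid, HS256, correct URL, valid MAC, and the bound
    JWK equal to the key that signs the surrounding newAccount request."""
    try:
        header = json.loads(b64url_decode(eab["protected"]))
        mac_key = mac_keys[header["kid"]]
        signature = b64url_decode(eab["signature"])
    except (KeyError, ValueError, TypeError):
        return False
    if header.get("alg") != "HS256" or header.get("url") != new_account_url:
        return False
    expected = hmac.new(mac_key, f"{eab['protected']}.{eab['payload']}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False
    return json.loads(b64url_decode(eab["payload"])) == outer_jwk


# Constructed sample values: a P-256 JWK with made-up coordinates and an EAB
# credential in the shape a CA portal hands out. None of these are real.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
SAMPLE_EAB_KID = "sample-eab-kid-0001"
SAMPLE_EAB_HMAC_KEY = b64url(b"\x07" * 32)
SAMPLE_NEW_ACCOUNT_URL = "https://acme.example.invalid/acme/new-account"
SAMPLE_TOKEN = "constructed-token-ABCdef123"

if __name__ == "__main__":
    eab = build_eab_jws(SAMPLE_JWK, SAMPLE_EAB_KID, SAMPLE_EAB_HMAC_KEY, SAMPLE_NEW_ACCOUNT_URL)
    ca_keys = {SAMPLE_EAB_KID: b64url_decode(SAMPLE_EAB_HMAC_KEY)}
    print("EAB binding accepted by CA:", verify_eab_jws(eab, SAMPLE_JWK, ca_keys, SAMPLE_NEW_ACCOUNT_URL))
    print("HTTP-01 response body:", http01_key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("DNS-01 TXT value     :", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

Two points worth noticing: the EAB signature covers the account's public key, so a credential leaked from the CA portal cannot be reused to bind a different account key without the CA noticing the mismatch against the outer request; and the DNS-01 value is a hash of the key authorization, so the TXT record reveals nothing about the account key itself.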

Not every ACME client meets all the requirements. That's why we've created an overview table to facilitate the selection process.

What to Do If the ACME Client Doesn't Support My Server

It is typical for ACME clients to support setting up issued certificates on the most common web servers - Apache, Nginx, and IIS. Usually, their abilities end there. If you need to automate certificates on a server that no ACME client supports, you need to split the automation into a certificate issuance phase and a certificate deployment phase.

You can always automate the issuance of a certificate using acme.sh and DNS-01 validation: the certificate can be issued on any machine, and you do not have to run the ACME client directly on the target server, as HTTP-01 requires. The issued certificate then needs to be transferred to the target server and deployed there, which has to be scripted individually according to the specific type of web server.
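The deployment phase is the part left to you, and it is where a careless script can take a service down. The following is an added example of such a deployment script, written for this article; it is not code from SSLmarket, from acme.sh or from any other client. It assumes the issuance phase has already written a fullchain and a private key to disk (for instance via an acme.sh deploy hook), and that the target service reads fullchain.pem and privkey.pem from one directory and has a reload command. It installs both files atomically, gives the key 0600 permissions, runs the reload, and restores the previous files if the reload fails. The paths, the reload command and the PEM contents in the demo are constructed placeholders.

```python
# Added example: deployment-phase script for a server without ACME client
# support. Not code from SSLmarket or acme.sh; paths and PEM contents in
# demo() are constructed samples.
import os
import shutil
import stat
import subprocess
import sys
import tempfile
from pathlib import Path


def _looks_like_pem(path: Path, marker: str) -> bool:
    """Refuse to install an empty or wrong file; a failed issuance must not replace a good cert."""
    return path.is_file() and marker in path.read_text(errors="replace")


def _atomic_install(src: Path, dst: Path, mode: int) -> None:
    """Write to a temp file in the destination directory, fsync, then rename over
    the target, so the service never reads a half-written certificate or key."""
    fd, tmp = tempfile.mkstemp(dir=dst.parent, prefix=f".{dst.name}.")
    try:
        with os.fdopen(fd, "wb") as out:
            out.write(src.read_bytes())
            out.flush()
            os.fsync(out.fileno())
        os.chmod(tmp, mode)
        os.replace(tmp, dst)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def deploy(fullchain: Path, key: Path, target_dir: Path, reload_cmd) -> bool:
    """Install fullchain.pem (0644) and privkey.pem (0600) into target_dir and run
    reload_cmd. Returns True on success; if the reload fails, the previously
    installed files are restored and False is returned."""
    if not _looks_like_pem(fullchain, "-----BEGIN CERTIFICATE-----"):
        raise ValueError(f"{fullchain} is not a PEM certificate")
    if not _looks_like_pem(key, "PRIVATE KEY-----"):
        raise ValueError(f"{key} is not a PEM private key")

    target_dir.mkdir(parents=True, exist_ok=True)
    dst_cert, dst_key = target_dir / "fullchain.pem", target_dir / "privkey.pem"

    # Keep a copy of what is installed now; on a first deploy there is nothing to keep.
    backup = {}
    for dst in (dst_cert, dst_key):
        if dst.exists():
            bak = dst.parent / (dst.name + ".bak")
            shutil.copy2(dst, bak)
            backup[dst] = bak

    def rollback():
        for dst, bak in backup.items():
            os.replace(bak, dst)

    try:
        _atomic_install(key, dst_key, 0o600)
        _atomic_install(fullchain, dst_cert, 0o644)
    except Exception:
        rollback()
        raise

    result = subprocess.run(list(reload_cmd), capture_output=True, text=True)
    if result.returncode != 0:
        rollback()
        return False
    for bak in backup.values():
        bak.unlink()
    return True


def demo(reload_ok: bool) -> dict:
    """Exercise deploy() in a scratch directory with constructed PEM files and a
    reload command that succeeds or fails depending on reload_ok."""
    with tempfile.TemporaryDirectory() as scratch:
        work = Path(scratch)
        src_cert, src_key = work / "fullchain.pem", work / "privkey.pem"
        src_cert.write_text("-----BEGIN CERTIFICATE-----\nCONSTRUCTED-NEW\n-----END CERTIFICATE-----\n")
        src_key.write_text("-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-NEW\n-----END PRIVATE KEY-----\n")
        target = work / "service-tls"
        target.mkdir()
        (target / "fullchain.pem").write_text("OLD-CERT\n")
        (target / "privkey.pem").write_text("OLD-KEY\n")
        reload_cmd = [sys.executable, "-c", f"import sys; sys.exit({0 if reload_ok else 1})"]
        deployed = deploy(src_cert, src_key, target, reload_cmd)
        return {
            "deployed": deployed,
            "cert_is_new": "CONSTRUCTED-NEW" in (target / "fullchain.pem").read_text(),
            "key_is_new": "CONSTRUCTED-NEW" in (target / "privkey.pem").read_text(),
            "key_mode": stat.S_IMODE((target / "privkey.pem").stat().st_mode),
            "leftover_backups": sorted(p.name for p in target.glob("*.bak")),
            "posix": os.name == "posix",
        }


if __name__ == "__main__":
    print("reload succeeds:", demo(True))
    print("reload fails   :", demo(False))
```

In a real deployment the reload command is whatever the target service uses (for example a systemctl reload or an appliance API call), and the script runs on the target host after the files have been transferred there; the transfer step itself is not part of this example.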

Consult with Our Support

If this article didn't answer all your questions, feel free to contact our SSLmarket support. Live experts are available to you daily.