As certificate lifespans shrink and infrastructure scales, manual renewal is no longer viable. Automation protocols like ACME, SCEP, EST, and CMP let machines handle enrollment, renewal, and revocation without human intervention.
For years, certificate management was a manual process. An administrator would generate a key pair, submit a Certificate Signing Request, wait for approval, download the certificate, install it on the server, and set a calendar reminder to do it all again before expiration. This approach worked when organizations managed a handful of certificates with one- or two-year lifespans.
That era is over. Modern infrastructure can involve thousands of certificates across cloud environments, container orchestrators, IoT fleets, and microservice architectures. At the same time, the industry is moving toward shorter certificate lifespans, with 90-day certificates already standard for public TLS and 47-day lifespans on the horizon. When you multiply thousands of certificates by renewals every few weeks, the math is clear: automation is not optional.
Fortunately, several protocols have been developed specifically to automate certificate enrollment, renewal, and revocation. Each protocol was designed for a different era and a different set of use cases. Understanding their strengths and limitations is essential for choosing the right approach for your environment.
The ACME client registers with the CA by creating an account and agreeing to the terms of service. This establishes a key pair that authenticates all subsequent requests.
The client proves control of the domain by completing one of several challenge types: HTTP-01 (placing a file on the web server), DNS-01 (creating a DNS TXT record), or TLS-ALPN-01 (responding on the TLS layer). DNS-01 is particularly useful for wildcard certificates and internal systems.
Once the challenge is verified, the client submits a CSR and the CA issues the certificate. The entire process, from request to installed certificate, can complete in seconds without any human interaction.
ACME clients are typically configured to check certificate expiration and renew automatically (often at two-thirds of the certificate's lifetime). This eliminates the risk of forgetting a renewal entirely.
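As an added example (not code from the original article or from Evertrust), the following Python computes the ACME challenge responses described above for HTTP-01 and DNS-01, following RFC 8555 and the RFC 7638 key thumbprint, together with the two-thirds-of-lifetime renewal point. The account key and certificate dates are constructed placeholders; TLS-ALPN-01 is omitted because it requires building a certificate.

```python
import base64
import hashlib
import json
from datetime import datetime, timedelta, timezone


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME (RFC 8555) requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: only the required members for the key type,
    lexicographically ordered, with no whitespace (optional members dropped)."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """Thumbprint of the ACME account key: SHA-256 of the canonical JWK, base64url."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token.thumbprint: binds the challenge token to the account key, so only the
    account the CA issued the token to can produce a valid response."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: dict) -> tuple[str, str]:
    """Path and body the web server must serve for HTTP-01."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """TXT record name and value for DNS-01: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def renew_after(not_before: datetime, not_after: datetime, fraction: float = 2 / 3) -> datetime:
    """Point at which the client should start renewing: two-thirds of the lifetime by default."""
    return not_before + (not_after - not_before) * fraction


def renewal_due(not_before: datetime, not_after: datetime, now: datetime) -> bool:
    return now >= renew_after(not_before, not_after)


# Constructed sample account key (placeholder coordinates, not a real key) and a
# constructed 90-day validity window for a certificate.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y", "use": "sig"}
SAMPLE_NOT_BEFORE = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = SAMPLE_NOT_BEFORE + timedelta(days=90)
```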
| | ACME | SCEP | EST | CMP |
|---|---|---|---|---|
| Standard | RFC 8555 | Internet Draft | RFC 7030 | RFC 4210 |
| Best For | Web servers, TLS | Legacy devices, MDM | Modern devices, IoT | Telecom, industrial |
| Transport | HTTPS | HTTP | HTTPS | HTTP, HTTPS, TCP |
| Renewal | Automatic | Re-enrollment | Native re-enrollment | Native renewal |
| Complexity | Low | Low | Medium | High |
| Revocation | Supported | Not supported | Not native | Native |
Multi-protocol support — Evertrust PKI natively supports ACME, SCEP, EST, and CMP, giving you a single CA platform that speaks every protocol your infrastructure needs. No separate servers or gateways required.
Unified lifecycle tracking — Evertrust CLM tracks every certificate regardless of protocol, CA, or environment. Whether a certificate was issued via ACME, enrolled through SCEP, or provisioned via CMP, it appears in the same inventory with the same monitoring and alerting.
Policy enforcement at enrollment — Automation does not mean losing control. Evertrust enforces your organization's certificate policies at the point of issuance, ensuring that automated requests still comply with key algorithm, validity, and naming requirements.
Ready for shorter lifespans — With native ACME support and continuous automation workflows, Evertrust ensures your infrastructure is prepared for the shift to 90-day and 47-day certificate lifespans without increasing operational burden.