Automate Certificate Renewal with ZeroSSL – ZeroSSL

ZeroSSL provides two main integration options for SSL/TLS certificate management: ACME protocol and REST API. Both are powerful, but they serve different technical needs. This guide explains when to use each, with real-world examples.

🔍 What is ACME?

ACME (Automated Certificate Management Environment) is an industry-standard protocol for automating certificate issuance and renewal. It’s widely used by tools like acme.sh, Certbot, and win-acme.

✅ Example: Issue a Certificate with acme.sh

     
acme.sh --issue \
-d example.com \
-d www.example.com \
--server https://acme.zerossl.com/v2/DV90 \
--keylength ec-256 \
--dns \
--accountemail "your-email@example.com"

     
[Thu Nov 13 12:00:00 CET 2025] Registering account
[Thu Nov 13 12:00:01 CET 2025] Account registered successfully
[Thu Nov 13 12:00:02 CET 2025] Creating new order
[Thu Nov 13 12:00:03 CET 2025] Order created successfully
[Thu Nov 13 12:00:04 CET 2025] Adding DNS records for validation
[Thu Nov 13 12:00:10 CET 2025] Domain validated successfully
[Thu Nov 13 12:00:11 CET 2025] Certificate issued successfully
[Thu Nov 13 12:00:12 CET 2025] Your cert is in: /root/.acme.sh/example.com/example.com.cer
[Thu Nov 13 12:00:12 CET 2025] Your key is in: /root/.acme.sh/example.com/example.com.key

Tip: ACME is best for automation-first environments like Kubernetes, Docker, and CI/CD pipelines.

🔍 What is the ZeroSSL REST API?

The REST API provides direct programmatic access to ZeroSSL’s certificate lifecycle management. It’s designed for developers who need fine-grained control over certificate creation, validation, and revocation.

Full control over certificate lifecycle
Integration with custom applications or dashboards
Supports advanced workflows (bulk issuance, reporting)

✅ Example: Create a Certificate via REST API

     
curl -X POST "https://api.zerossl.com/certificates?access_key=YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
  "certificate_domains": ["example.com", "www.example.com"],
  "certificate_validity_days": 90,
  "certificate_csr": "-----BEGIN CERTIFICATE REQUEST-----\n...CSR CONTENT...\n-----END CERTIFICATE REQUEST-----",
  "strict_domains": true,
  "validation_method": "DNS_CNAME"
}'

     
    {
  "id": "123456789",
  "type": "certificate",
  "common_name": "example.com",
  "status": "pending_validation",
  "validation": {
    "dns_cname_validation": {
      "example.com": {
        "record_type": "CNAME",
        "record_name": "_acme-challenge.example.com",
        "record_value": "123456789abcdef.validation.zerossl.com"
      },
      "www.example.com": {
        "record_type": "CNAME",
        "record_name": "_acme-challenge.www.example.com",
        "record_value": "987654321fedcba.validation.zerossl.com"
      }
    }
  },
  "created": "2025-11-13T12:00:00Z",
  "expires": "2026-02-11T12:00:00Z"
}

🎯 What should I chose now?

✅ When to Use ACME

Fully automated environments (Kubernetes, Docker, CI/CD)
Standard ACME clients (acme.sh, win-acme, Certbot)
Wildcard certificates via DNS plugins
Minimal coding required

✅ When to Use REST API

Custom dashboards or SaaS integrations
Bulk issuance and revocation
Detailed reporting and analytics
Non-ACME environments

10 Example Use Cases

Fully Automated Renewals: ZeroSSL ACME protocol enables hands-free certificate renewal without manual API calls.
Using Existing ACME Tooling: Integrates seamlessly with Certbot, acme.sh, and other ACME clients for quick setup.
Dynamic Certificate Issuance: Ideal for apps needing on-demand certificates without complex REST API logic.
Lightweight Deployment: Minimal coding required—just configure ACME client with ZeroSSL credentials.
Standardized Protocol: Cross-platform compatibility reduces vendor lock-in and simplifies migration.

ACME: Fully Automated Renewals
Bulk Certificate Management: Issue and renew hundreds of certificates in one workflow—perfect for large-scale operations.
Advanced Reporting & Compliance: Provides detailed certificate metadata, expiration tracking, and audit-friendly reporting.
Enterprise Integrations: Fits into CI/CD pipelines, ERP systems, and custom dashboards for complex environments.
Fine-Grained Control: Explicit control over issuance, revocation, and domain validation for enterprise policies.
Hybrid Strategy: Combine REST API for bulk issuance with ACME for automated renewals using ZeroSSL.