Step 3: Request and Manage ACME Certificates
With your ACME client installed and configured, you can now use it to request, renew, and manage SSL/TLS certificates automatically through GeoCerts.
GeoCerts supports certificate automation for DigiCert and GeoTrust DV and OV certificates via third-party ACME clients that are configured with your ACME Directory URL credentials.
Request a Certificate
Once your client is ready, initiate a certificate request by specifying:
- The domains you want covered
- The ACME Directory URL
- Your EAB Key ID and EAB HMAC Key
During the request process:
- The ACME client generates a Certificate Signing Request (CSR).
- The ACME client performs Domain Control Validation (DCV).
  - DV certificates: DCV is performed dynamically each time.
  - OV certificates: If the domain is already pre-validated with GeoCerts, DCV is skipped.
Tip: Pre-validate your domains for OV certificates under Certificates > Domains to avoid DCV challenges during certificate requests.
Choosing a DCV Method
Tip: For maximum flexibility and wildcard support, we recommend using DNS-01 validation whenever possible.
Domain Control Validation Methods
DigiCert’s ACME service supports two DCV methods:
- DNS-01 Challenge — Create a TXT record in your domain’s DNS zone.
- HTTP-01 Challenge — Place a validation file at a specific path on your web server (cannot be used for wildcard certificates)
Your ACME client will guide you based on the method you select.
Use the table below to help choose the appropriate Domain Control Validation (DCV) method for your ACME automation:
| If you need… | Use this challenge type | Notes |
|---|---|---|
| A wildcard certificate (e.g., *.example.com) | DNS-01 Challenge | HTTP-01 cannot validate wildcard domains. |
| No changes to DNS settings | HTTP-01 Challenge | Requires access to host web server content under /.well-known/acme-challenge/. |
| Flexible automation across multiple domains | DNS-01 Challenge | Ideal for environments with centralized DNS control. |
| Fast and simple validation for a single domain | HTTP-01 Challenge | Useful if you already control the web server and can host files. |
| DigiCert ACME server compatibility | DNS-01 or HTTP-01 | TLS-ALPN-01 is not supported. |
Tip: DNS validation is required for wildcard domains (e.g., *.example.com).
Certificate Issuance and Installation
Once DCV is complete:
- DigiCert issues the certificate immediately.
- The ACME client downloads and installs the certificate based on your local configuration.
- Certificates are typically valid for up to 397 days from the date of issuance.
Managing ACME Certificates in GeoCerts
After issuance, your ACME-issued certificates appear in your GeoCerts CertCommand account under Certificates > Orders.
From there, you can:
- View certificate details
- Revoke certificates
- Reissue certificates* (not recommended)
- Monitor expiration and renewal status
Danger! If you manually reissue an ACME-originated certificate directly from your GeoCerts CertCommand management console (outside of your ACME client), the certificate will no longer be considered an active ACME-managed order. Subsequent ACME client requests (e.g., from Certbot) will not recognize the reissued certificate — even if you specify ?action=reissue&orderId=xxxx in the ACME Directory URL.
Instead, when the ACME client wakes up and attempts to renew, DigiCert will treat the request as a completely new order. If you want to maintain ACME automation, all reissues must be initiated through your ACME client workflow, not manually from the account dashboard.
Renewing Certificates
Most ACME clients are configured to automatically renew certificates before they expire.
- Renewal typically begins 30 days before expiration.
- Renewals follow the same ACME workflow as the original request: CSR generation ➔ DCV check ➔ issuance.
Important: DV certificates always require a fresh DCV check at renewal. OV certificates may skip DCV if domain validation remains current.
Auto-detection Rules for Existing ACME Certificate Orders
Key Concept: ACME clients do not distinguish between renewing, reissuing, or enrolling new certificates. Every ACME request is simply a new certificate request from the client’s perspective. DigiCert determines whether to treat the request as a renewal, reissue, or new enrollment based on any existing certificate orders in your account and any automation action override parameters specified in the ACME URL.
To auto-detect an existing certificate order for a third-party ACME automation request:
- The primary order must have been originally issued via ACME.
- The product name, common name (CN), and subject alternative names (SANs) of the requested certificate must match the existing ACME-based order.
- For wildcard orders:
  - Requested domains can be sub-domains of an existing order.
  - SANs can be added or removed.
- For non-wildcard orders:
  - The CN and SANs must exactly match the original order.
If there are multiple matches:
- DigiCert selects the order with the longest validity and matching product type from the certificate profile.
If no matching order is found:
- The ACME automation request is treated as a new, billable order (enrollment).
Tip: To force an ACME request to be treated as a new enrollment, append ?action=enroll to your ACME Directory URL.
ACME Automation Override Actions
By default, DigiCert enrolls a new certificate when there is no existing certificate order that matches the ACME automation request.
However, you can also use your ACME Directory URL to renew or reissue existing certificates directly through your ACME client by adding query parameters to the ACME request URL.
Important: ACME automation actions (renew, reissue) can only be used with certificate orders that were originally created through ACME. Certificates issued manually (outside of ACME) cannot be managed through ACME requests. To automate a non-ACME certificate, you must create a new order via ACME.
Forcing New Enrollment with the enroll Parameter
If you want to override auto-detection logic and always create a new certificate order, even if an identical certificate already exists in your account, you can use the enroll automation action.
To force a new enrollment:
- Add the following query parameter to your ACME Directory URL: ?action=enroll
- Example ACME Directory URL: https://acme.geocerts.com/directory?action=enroll
When the enroll action is specified:
- DigiCert bypasses any attempt to match the request to an existing certificate order.
- A completely new, billable certificate order is created based on your request.
Tip: Use action=enroll when you want to create a fresh certificate order — for example, when moving a certificate to a new automation workflow or segregating certificates by project or region. Use enroll when you intentionally want a brand-new certificate.
Renew or Reissue an Existing ACME Certificate
You have two options to renew or reissue using ACME:
- Specify the action explicitly:
  - Add action=renew or action=reissue and the orderId to the ACME Directory URL.
  - Example for renewal: https://acme.geocerts.com/directory?action=renew&orderId=555123456
- Let DigiCert auto-detect the action:
  - Omit the action and orderId parameters entirely.
  - DigiCert will automatically determine the correct action (renew, reissue, or enroll) based on the domains, organization, and certificate matching your request.
Tip: Auto-detection is the simplest workflow for most environments. However, explicitly setting action and orderId gives you more control over the certificate lifecycle.
Using ACME automation actions allows you to manage existing certificate orders easily and integrate renewals and reissues into your regular automation flows.
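To make the auto-detection rules and the Directory URL override actions above concrete, here is an added illustrative model in Python (not DigiCert's or GeoCerts' code): it reads action and orderId from the Directory URL and then applies the matching rules stated on this page to a constructed list of sample orders. The product names, order ids and day counts are constructed, and because this page does not say how DigiCert chooses between renew and reissue for a matched order, the model returns a combined label for that case.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class Order:
    """One existing certificate order in the account (assumed shape)."""
    order_id: str
    product: str
    cn: str
    sans: frozenset
    via_acme: bool   # originally issued through ACME?
    days_left: int   # remaining validity, used to break ties


# Constructed sample orders; ids, products and day counts are made up.
SAMPLE_ORDERS = [
    Order("1", "GeoTrust DV", "*.example.com", frozenset(), True, 200),
    Order("2", "GeoTrust DV", "*.example.com", frozenset(), True, 300),
    Order("3", "GeoTrust DV", "shop.example.net", frozenset({"www.example.net"}), True, 100),
    Order("4", "GeoTrust DV", "old.example.org", frozenset(), False, 50),
]


def _matches(order, product, cn, sans):
    # Only orders originally issued via ACME, with the same product, qualify.
    if not order.via_acme or order.product != product:
        return False
    if order.cn.startswith("*."):
        # Wildcard order: requested names may be the wildcard itself or
        # sub-domains under it, and SANs may be added or removed.
        base = order.cn[2:]
        return all(n == order.cn or n.endswith("." + base) for n in {cn, *sans})
    # Non-wildcard order: CN and SANs must match the original order exactly.
    return order.cn == cn and order.sans == sans


def resolve_action(directory_url, orders, product, cn, sans=()):
    """Return (action, order_id) that the rules on this page would apply."""
    query = parse_qs(urlparse(directory_url).query)
    action = query.get("action", [None])[0]
    order_id = query.get("orderId", [None])[0]
    if action == "enroll":
        return "enroll", None   # override: skip matching, new billable order
    if action in ("renew", "reissue"):
        # Explicit override: the target order must exist and be ACME-originated.
        target = next((o for o in orders if o.order_id == order_id), None)
        if target is None or not target.via_acme:
            raise ValueError(f"action={action} needs an ACME-originated orderId")
        return action, order_id
    candidates = [o for o in orders if _matches(o, product, cn, frozenset(sans))]
    if not candidates:
        return "enroll", None   # no match: treated as a new billable enrollment
    # Several matches: the order with the longest remaining validity wins.
    best = max(candidates, key=lambda o: o.days_left)
    return "renew-or-reissue", best.order_id
```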
Troubleshooting Common Issues
- Domain validation failures — Ensure your DNS TXT records or HTTP challenges are correctly published and accessible.
- EAB credential errors — Verify that the EAB Key ID and HMAC Key are correctly configured in your ACME client.
- Organization validation problems (OV only) — Make sure your organization and domains are fully validated in GeoCerts before requesting OV certificates.
ACME Client Examples and Tutorials
Looking for practical examples of how to use your ACME Directory URL with popular ACME clients? Start with these step-by-step tutorials:
Coming soon:
- win-acme: Install certificate on IIS using HTTP-01
- Certbot: DNS-01 validation with wildcard support
- acme.sh: Automation with DNS API
Tip: These examples assume you’ve already created an ACME Directory URL and obtained your EAB credentials in Step 1.