ACME domain validation challenges

Use ACME challenges to validate domains as part of an automated certificate issuance and renewal workflow. An ACME client communicates with DigiCert to complete the challenge and confirm domain control automatically.

DigiCert supports two ACME challenges:

  • HTTP-01 challenge

  • DNS-01 challenge

Before you begin

Before using ACME challenges to validate domains, complete the following:

  • Configure ACME credentials in your CertCentral account. See Automate certificate lifecycle for full ACME setup and configuration guidance.

  • Install and configure a third-party ACME client on the server where you want to install the certificate. See Set up a third-party ACME client software.

  • For OV and EV certificates, prevalidate the organizations you want to use in your ACME requests. Any ACME OV/EV certificate request for a non-validated organization will fail.

Warning

This information applies to the CertCentral ACME service released on January 30, 2024. ACME credentials created before this date do not support DV certificates, dynamic domain control validation, or automatic certificate action selection. To request certificates using legacy credentials created before January 30, 2024, see Use legacy CertCentral ACME credentials.

Domain validation behavior

Domain validation behavior during ACME certificate requests depends on the certificate type and whether the domain is prevalidated:

  • DV certificates: Domain control validation is always performed dynamically through the ACME protocol. DV certificates do not support domain validation reuse. Each order requires domain validation.

  • OV and EV certificates (prevalidated domains): CertCentral performs domain validation out-of-band and independently of the ACME protocol. No ACME challenge is required for the domain.

  • OV and EV certificates (non-prevalidated domains): Domain validation is performed dynamically through the ACME protocol using the selected ACME challenge.

For details on domain prevalidation, see Add and validate a domain using DNS TXT record or Add and validate a domain using HTTP Practical Demonstration.