Automatic Certificate Management Environment (ACME) is a protocol and framework that's published by the IETF in RFC 8555 and which can be used for the signing and creation of certificates where domain validation is required.

The protocol uses JSON formatted messages over HTTPS with a CA to handle validation of domain ownership automatically by having the ACME client perform an action that can only be done with control of the domain name. For example, the CA could either request the provision of a DNS record, or could request a specific HTTP resource to be made available on a web server at the domain name.

After the CA validates that the entity requesting a certificate has ownership of the domain, the CA can sign the certificate that's sent to it by the ACME client. Typically, the client can automatically install the certificate at a location that's usable by services running on the system.

ACME lowers the cost and complexity associated with managing public key infrastructure. Sometimes, obtaining signed certificates for systems within domains can be free, depending on the selection of CA. For example, Let's Encrypt, the originator of the ACME protocol, provides a free and open CA service. Other commercial CAs are also starting to offer free ACME based certificates.

While the first version of the ACME protocol could be used to create only single domain certificates, ACME v2 can be used for the creation and signing of certificates with wildcard domains, such as *.example.com. Therefore, you can use a single certificate across all subdomains. Note that ACME only validates domains. If you need certificates that require more validations, you might need signed certificates from an established CA that offers services beyond ACME.

If you need to create and issue certificates across an infrastructure to use TLS/SSL protected services, consider using a CA that works with ACME and using an ACME client. ACME can automatically generate the key pairs and CSR, submit the CSR to a CA for validation, perform any validation steps for the CA, and obtain the signed certificate and store it somewhere that's accessible to services and applications. Many clients automatically set periodic cron tasks to check for certificate expiry and to automatically request a new certificate before the current certificate expires.