ACME accounts
Configure registrations against the 9 supported public CAs that speak ACME. Most are open registration; a few require External Account Binding (EAB).
01 Supported CAs
| CA | Cert types | EAB? | Notes |
|---|---|---|---|
| Let's Encrypt | DV | no | Free, 90-day validity, generous staging. |
| Google Trust Services | DV | yes | Free for GCP customers; EAB via Cloud Console. |
| ZeroSSL | DV | yes | Free 90-day; paid OV/EV via REST not ACME. |
| Sectigo | DV / OV / EV | yes | Enterprise contracts, multi-CA roots. |
| SSL.com | DV / OV / EV | yes | ACME directory per product line. |
| GoDaddy | DV | no | Reseller integration on the same ACME endpoint. |
| Actalis | DV / OV | yes | European CA; eIDAS QSeal options off-ACME. |
| GlobalSign | DV / OV / EV | yes | Atlas ACME; per-product directories. |
| DigiCert | DV / OV / EV | yes | CertCentral ACME endpoints per profile. |
02 Creating an account
- Settings → ACME Accounts → New.
- Pick the provider. The directory URL prefills; you can override for staging/UAT endpoints.
- Email — used for expiry notices from the CA itself.
- Key type — ECDSA P-256 is the right default. Use RSA-3072 only if your CA does not support ECDSA on the chosen product.
- For EAB CAs, paste the `kid` and HMAC key. See EAB-bound CAs for where to find them per provider.
- Save. The server generates the account key, registers with the CA, and stores both the key and the registration URL.
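The `kid` and HMAC key from the EAB step are what an ACME client uses to build the `externalAccountBinding` JWS defined in RFC 8555 section 7.3.4. The sketch below is an added example, not CertAutoPilot's own code; it builds that object and runs the check a CA performs on it. The `kid`, HMAC key, URL and JWK are constructed sample values, and HS256 is an assumed choice of MAC algorithm.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # EAB HMAC keys are base64url, usually unpadded; tolerate pasted whitespace.
    text = text.strip()
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(hmac_key_b64: str, protected: str, payload: str) -> bytes:
    signing_input = f"{protected}.{payload}".encode("ascii")
    return hmac.new(b64url_decode(hmac_key_b64), signing_input, hashlib.sha256).digest()

def build_eab(kid, hmac_key_b64, account_jwk, new_account_url):
    """Return the externalAccountBinding JWS for a newAccount request."""
    # Protected header: MAC alg (HS256 assumed), CA-issued kid, newAccount URL, no nonce.
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    # Payload: the ACME account's public key, so the CA ties that key to its customer.
    payload = b64url(json.dumps(account_jwk, sort_keys=True, separators=(",", ":")).encode())
    return {"protected": protected, "payload": payload,
            "signature": b64url(_mac(hmac_key_b64, protected, payload))}

def verify_eab(eab, hmac_key_b64, kid, new_account_url, account_jwk) -> bool:
    """CA-side check: header fields, bound key, then constant-time MAC compare."""
    header = json.loads(b64url_decode(eab["protected"]))
    if header != {"alg": "HS256", "kid": kid, "url": new_account_url}:
        return False
    if json.loads(b64url_decode(eab["payload"])) != account_jwk:
        return False
    expected = _mac(hmac_key_b64, eab["protected"], eab["payload"])
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))

# Constructed sample values, not real credentials or a real curve point.
KID = "constructed-kid-0001"
HMAC_KEY = b64url(hashlib.sha256(b"constructed EAB key").digest())
URL = "https://acme.example.test/new-account"
JWK = {"kty": "EC", "crv": "P-256",
       "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64)))}

if __name__ == "__main__":
    eab = build_eab(KID, HMAC_KEY, JWK, URL)
    print(json.dumps({"externalAccountBinding": eab}, indent=2))
    print("verifies:", verify_eab(eab, HMAC_KEY, KID, URL, JWK))
    print("wrong kid:", verify_eab(eab, HMAC_KEY, "other-kid", URL, JWK))
```

A registration that the CA rejects at this step usually traces back to a `kid` and HMAC key from different credential pairs, or to an HMAC key that was decoded with the wrong base64 variant.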
03 Staging vs production
Always create the staging account first. Issue a couple of test certs against it, prove the DNS-01 flow works, then create the production account.
The Let's Encrypt production limits are 50 certificates per registered domain per week and 5 duplicate certs per week. CertAutoPilot exposes both rate limits on the account detail page so you can see how close you are to the cap.
04 Rotating the account key
ACME supports key rollover via the keyChange flow — the server can generate a new account key, run keyChange against the CA, and atomically swap without interrupting issuance. There is no in-UI rollover button at present; operators trigger this from the API or by re-running registration with a new key on the host. UI surface for this is on the roadmap.
05 Deactivating an account
Deactivation is permanent at the CA — the account cannot issue further certificates. CertAutoPilot keeps the local record (with status deactivated) so historical certificates still resolve their issuer.
06 API
POST /api/v1/projects/{project}/acme-accounts
GET /api/v1/projects/{project}/acme-accounts
POST /api/v1/projects/{project}/acme-accounts/{id}/rotate-key
POST /api/v1/projects/{project}/acme-accounts/{id}/deactivate