Skip to main content
CertForge acts as an ACME client on your behalf. Configure an ACME provider once, then any Domain Trust Profile can request publicly-trusted certificates through CertForge’s approval and policy layer.

Add an ACME CA

  1. Go to Admin → Certificate Authorities → New
  2. Select type ACME
  3. Fill in:
  1. Save — CertForge registers an ACME account with the provider automatically.
Use Let’s Encrypt’s staging environment (https://acme-staging-v02.api.letsencrypt.org/directory) while testing to avoid rate limits. Switch to production before going live.

Configure DNS validation

ACME requires proving you control the domain. CertForge uses DNS-01 challenge solving, which works for wildcard certs and does not require an open HTTP port. DNS configuration is done entirely in the UI — there is no config.yaml DNS solver configuration.

Step 1: Create a DNS account

  1. Go to Admin → DNS Accounts → New
  2. Select your DNS provider (Cloudflare or RFC 2136/TSIG)
  3. Enter the required credentials (see DNS Validation → for field details)
  4. Save and verify the account shows a connected status
  1. Go to Admin → Domain Trust Profiles
  2. Edit the profile that uses your ACME CA
  3. Under DNS Settings, select the DNS account you created
  4. Save
CertForge will use that account’s credentials to place and remove the _acme-challenge TXT record automatically during issuance.

Create a Domain Trust Profile for ACME

  1. Go to Admin → Domain Trust Profiles → New
  2. Set:
    • Domains: *.corp.com (or your public domain)
    • CA: select the ACME CA you created
    • DNS account: select the DNS account configured above
    • Require approval: recommended for production domains
  3. Save

Test an issuance

Using certbot pointed at your CertForge ACME endpoint:
Or acme.sh:

Let’s Encrypt rate limits

CertForge tracks issuances and prevents requests that would exceed rate limits. Use the staging environment while testing.