> ## Documentation Index
> Fetch the complete documentation index at: https://docs.certgovernance.app/llms.txt
> Use this file to discover all available pages before exploring further.

# ACME Setup

> Connect CertForge to Let's Encrypt or ZeroSSL for publicly-trusted certificates.

CertForge acts as an ACME client on your behalf. Configure an ACME provider once, then any Domain Trust Profile can request publicly-trusted certificates through CertForge's approval and policy layer.

## Add an ACME CA

1. Go to **Admin → Certificate Authorities → New**
2. Select type **ACME**
3. Fill in:

| Field         | Let's Encrypt                                    | ZeroSSL                            |
| ------------- | ------------------------------------------------ | ---------------------------------- |
| Name          | `Let's Encrypt`                                  | `ZeroSSL`                          |
| Directory URL | `https://acme-v02.api.letsencrypt.org/directory` | `https://acme.zerossl.com/v2/DV90` |
| Contact email | Your ops email                                   | Your ops email                     |

4. Save — CertForge registers an ACME account with the provider automatically.

<Note>
  Use Let's Encrypt's staging environment (`https://acme-staging-v02.api.letsencrypt.org/directory`) while testing to avoid rate limits. Switch to production before going live.
</Note>

## Configure DNS validation

ACME requires proving you control the domain. CertForge uses **DNS-01 challenge solving**, which works for wildcard certs and does not require an open HTTP port. DNS configuration is done entirely in the UI — there is no `config.yaml` DNS solver configuration.

### Step 1: Create a DNS account

1. Go to **Admin → DNS Accounts → New**
2. Select your DNS provider (Cloudflare or RFC 2136/TSIG)
3. Enter the required credentials (see [DNS Validation →](/guides/dns-validation) for field details)
4. Save and verify the account shows a connected status

### Step 2: Link the DNS account to a DTP

1. Go to **Admin → Domain Trust Profiles**
2. Edit the profile that uses your ACME CA
3. Under **DNS Settings**, select the DNS account you created
4. Save

CertForge will use that account's credentials to place and remove the `_acme-challenge` TXT record automatically during issuance.

## Create a Domain Trust Profile for ACME

1. Go to **Admin → Domain Trust Profiles → New**
2. Set:
   * Domains: `*.corp.com` (or your public domain)
   * CA: select the ACME CA you created
   * DNS account: select the DNS account configured above
   * Require approval: recommended for production domains
3. Save

## Test an issuance

Using certbot pointed at your CertForge ACME endpoint:

```bash theme={null}
certbot certonly \
  --server https://certforge.corp.com/acme/directory \
  --manual \
  --preferred-challenges dns \
  -d test.corp.com
```

Or acme.sh:

```bash theme={null}
acme.sh --issue \
  --server https://certforge.corp.com/acme/directory \
  -d test.corp.com \
  --dns dns_cf
```

## Let's Encrypt rate limits

| Limit                                       | Value |
| ------------------------------------------- | ----- |
| Certificates per registered domain per week | 50    |
| Duplicate certificates per week             | 5     |
| New orders per account per 3 hours          | 300   |

CertForge tracks issuances and prevents requests that would exceed rate limits. Use the staging environment while testing.
