Skip to main content
ACME’s DNS-01 challenge requires placing a TXT record at _acme-challenge.yourdomain.com to prove domain ownership. CertForge handles this automatically using DNS accounts configured in the UI — no config.yaml changes are needed.

Why DNS-01?

CertForge uses DNS-01 exclusively. HTTP-01 is not supported.

Step 1: Create a DNS account

Go to Admin → DNS Accounts → New and select your provider.

Cloudflare

  1. In Cloudflare → Profile → API Tokens → Create Token
  2. Use the Edit zone DNS template
  3. Restrict the token to the zone(s) CertForge needs to manage
  4. Copy the token
In the DNS account form:

RFC 2136 / TSIG (bind, Windows DNS, Infoblox, etc.)

For any DNS server that supports RFC 2136 dynamic updates with TSIG authentication: Save the account. CertForge will show a connection status indicator once the account is saved. Each Domain Trust Profile that uses an ACME CA must reference a DNS account to use for challenge solving.
  1. Go to Admin → Domain Trust Profiles
  2. Edit the profile backed by an ACME CA
  3. Under DNS Settings, select the DNS account from the dropdown
  4. Save
When CertForge needs to validate a domain for that profile, it uses the linked account’s credentials to create and remove the _acme-challenge TXT record automatically.

Multiple DNS providers

Different DTPs can reference different DNS accounts. This allows you to use Cloudflare for one zone and RFC 2136 for another without any per-request configuration. Create one DNS account per provider or credential set, then link each account to the appropriate DTP.