Product Documentation
NetScaler® Console service
View PDF

Automated certificate renewal by using the ACME protocol

September 17, 2025
Contributed by: 
C

NetScaler Console supports the Automated Certificate Management Environment (ACME), an open protocol designed to automate the renewal of SSL/TLS certificates.

Previously, the network administrators had to undergo the labor-intensive, multi-stage manual process of renewing the certificates. ACME support mitigates these challenges by providing a robust framework for automated certificate renewal to perform the following actions:

  • Request new certificates from trusted Certificate Authorities (CAs).
  • Validate domain ownership using automated methods (For example, DNS-01 challenge).
  • Renew certificates automatically before expiry.

ACME support in NetScaler Console

NetScaler Console uses the acme.sh client and supports the following Certificate Authorities:

  • Let’s Encrypt
  • DigiCert

The following steps explain how automated certificate renewal happens in NetScaler Console:

  1. When NetScaler Console initiates a certificate request for a domain using the acme.sh client, the client connects to the chosen Certificate Authority (for example, Let’s Encrypt or DigiCert).

  2. The CA issues a challenge to prove domain ownership, which in this case is a DNS-01 challenge.

  3. NetScaler Console using pre-configured credentials, automatically updates the DNS TXT record for the domain with the value provided by the CA.

  4. The CA validates the TXT record, confirming domain ownership.

  5. Upon successful validation, the CA issues the SSL/TLS certificate to NetScaler Console.

  6. NetScaler Console stores the certificate in the respective store (Certificate store/Zero-touch store).

  7. Based on the renewal window provided by you, NetScaler Console automatically repeats this process for renewal before the certificate’s expiration date.

ACME support high-level architecture

With ACME support in NetScaler Console, you can perform the following actions:

  • Automatically renew certificates before they expire
  • Switch from one CA to another during renewal
  • Generate or upload CSR and request for new certificate

The following are the key benefits:

  • Fully Automated Lifecycle with no manual intervention for certificate issuance or renewal.

  • Customizable Renewal Schedule that suits organizational needs (for example, set to renew 7 days before expiry).

  • Eliminates downtime due to expired certificates.

  • Reduced operational overhead by automating expiry tracking and renewals.

  • Improved security posture with always-valid, CA best-practice aligned certificates.

Configuration steps for ACME integration

Integrating ACME is a one-time process and includes the following steps:

  • Step 1: Configure Certificate Authority (CA).
  • Step 2: Select certificates for renewal.
  • Step 3: Add a DNS provider and map the respective domains.

Prerequisites

  • Ensure that you must have a valid account and license for Certificate Authority (CA)
  • Ensure that you have DNS provider access credentials.

Step 1: Configure Certificate Authority (CA)

Perform the following steps to register the Certificate Authority (CA) that is used for renewals:

  1. Navigate to Infrastructure > SSL Dashboard. If you are configuring ACME for the first time, then you see a banner with “Automated renewals for SSL certificates”. Click Get Started.

    or

    Navigate to Infrastructure > SSL Dashboard > Third-party Integration > CA Vendors and click Add.

  2. Enter a name and select the CA vendor. Currently, only Let’s Encrypt and DigiCert Inc are supported.

  3. Provide the other details such as email address, ACME Directory URL.

  4. Enter the number of days before which the NetScaler Console must automatically renew the certificates.

  5. Click Save and continue. NetScaler Console attempts to connect to the CA. If connectivity fails, review the details provided, correct the configuration details, and then retry.

    ACME support high-level architecture

Step 2: Select certificates for renewal

After CA details are added, NetScaler Console automatically scans all certificates (from both the certificate store and the Zero-touch store) and lists the certificates issued by the configured CA separately. Review the certificates listed.

  1. Select the certificates that you want to automatically renew. For example, If you configure Let’s Encrypt as the CA and have 2 certificates from Let’s Encrypt and 2 from another vendor, the dashboard displays: Let’s Encrypt: 2 and Other CA: 2.

  2. You can click Add to also add certificates issued by a different CA or Remove to remove certificates that you do not want to renew automatically. If you select certificates from a different vendor, you get a prompt to confirm the vendor change. Once you confirm, these certificates get renewed through the newly configured CA when their renewal window is reached.

    Note:

    Ensure that you do not have duplicate certificates in the Certificate store and Zero-touch certificate store. If there are duplicate certificates, then the renewal process happens twice for each store.

  3. Click Save and continue.

    Note:

    Certificates remain in their respective stores after renewal. For example, if a certificate is stored in the certificate store, its renewed version is also placed in the certificate store. If the certificate is stored in the Zero-touch store, its renewed version is also placed in the Zero-touch store.

    Certificate deployment behavior depends on the store type.

    • If the certificates are stored in the certificate store, they must be manually deployed to NetScaler.
    • If the certificates are stored in the Zero-touch store, the certificates are automatically deployed to NetScaler without admin intervention.

    We recommend you to use Zero-touch Certificate Management for seamless, fully automated deployment of renewed certificates. For more information, see Zero-touch certificate management.

Step 3: Add a DNS provider and map the domains

  1. Click Add on the DNS provider & domain mapping page.

  2. Select the DNS providers from the Select DNS provider drop-down list. The DNS providers supported by the acme.sh are listed in the drop-down list. If you do not see your DNS provider in the list that means it is not supported.

  3. Enter provider details such as Access key ID, Secret Access Key and click Save to save the configuration.

  4. Click Add Domain under Domain Mapping.

  5. Select the domains served by the configured DNS provider.

    Important:

    Ensure that each domain is linked to the correct DNS provider. NetScaler Console uses these mappings to perform the DNS-01 challenge automatically. During issuance or renewal, NetScaler Console creates the required TXT records in the mapped DNS provider. Once validation succeeds, the CA issues or renews the certificate. Certificates are renewed only when all associated domains are mapped correctly to their DNS providers.

    For example, if your organization uses Amazon Route53 as the DNS provider. First, add the Amazon Route53 credentials (Access Key ID and Secret Key) under DNS Provider Details. Then, map the domains managed by Amazon Route53 (for example: example.com, app.example.com). When a certificate for these domains is issued or renewed, NetScaler Console automatically creates the required TXT records in Amazon Route53. Once validation is successful, the CA issues or renews the certificates.

Once all three steps are completed, NetScaler Console configures the ACME CA server. The selected certificates are renewed for the mapped domains. NetScaler Console periodically checks certificate validity and renews them before they expire (based on configured window). With no manual intervention required, certificates always stay valid and up to date.

Issuance and renewals

Navigate to Infrastructure > SSL Dashboard > Issuance & Renewals to check all the renewal activities and the new requests raised from the certificate issuance.

Automatic renewals

The Automatic renewals tab lists the certificates that are enrolled for automatic renewal. When the configured renewal window is reached, NetScaler Console renews them automatically.

You can also trigger an on-demand renewal before the scheduled renewal window. For on-demand renewal, select the required certificate, and click Renew now.

If you do not want some certificates to be automatically renewed, you can move to manual renewals. To transfer the certificates from automatic renewal to manual renewal, select the required certificates and click Migrate to manual renewal.

ACME support high-level architecture

Manual renewals

The Manual renewals tab lists all the certificates that must be manually renewed. These certificates must be updated manually, either by renewing the certificate offline and uploading the new certificate to the appropriate store, or by using the Renew now option.

To renew a certificate, select a certificate and click Renew now. If the certificate is issued by a registered CA and its domain’s DNS provider is configured, you can renew it on demand by using ACME without moving it to automated renewals.

You can also move a certificate to automatic renewal. To transfer the certificates from manual renewal to automatic renewal, select the required certificates and click Migrate to automatic renewal.

Note:

You can renew or migrate only one certificate at a time.

Issuance and renewal logs

The Issuance and renewal logs tab provides the list of certificate requests using ACME, including issuances and renewals. For a failed event, you can click the info icon to view detailed error information.

Issue a certificate

ACME integration in NetScaler Console supports requesting new certificates directly by using the ACME protocol. You can either create a CSR within NetScaler Console or upload an existing CSR to request new certificates.

Navigate to Infrastructure > SSL dashboard > Issuances & Renewal and click Issue Certificate and select one of the following based on your scenario:

  • I do not have CSR: If you don’t already have a CSR, NetScaler Console allows you to generate one and issue a new certificate.
  • I have CSR: If you already have a CSR generated offline, you can upload it to issue a certificate.

Issue a certificate without CSR

Perform the following steps to generate a CSR and issue a new certificate:

  1. Navigate to Infrastructure > SSL dashboard > Issuances & Renewal and click Issue Certificate and select I do not have CSR.

    ACME support issue certificate

  2. On the Certificate key page, either upload an existing key by selecting I have a key or generate a new one by selecting I do not have a key.

    ACME certificate key

  3. Enter the required CSR information.

    ACME csr information

  4. Select the CA, DNS provider, and certificate deployment mode for the ACME request. Choose Cert Store for manual deployment, or Zero Touch Store for automatic deployment on NetScaler.

  5. Select Auto renew the certificate if you want the certificate to be automatically renewed in future.

    ACME csr information

  6. Click Save.

Issue a certificate with CSR

Perform the following steps if you already have a CSR generated offline and you want to upload it to issue a certificate:

  1. Navigate to Infrastructure > SSL dashboard > Issuances & Renewal and click Issue Certificate and select I have CSR.

    ACME support issue certificate

  2. Choose the CSR file and associated key file from your local system.

    ACME csr information

  3. Select the CA, DNS provider, and certificate deployment mode for the ACME request. Choose Cert Store for manual deployment, or Zero Touch Store for automatic deployment on NetScaler.

  4. Select Auto renew the certificate if you want the certificate to be automatically renewed in future.

    ACME csr information

  5. Click Save.

Third-party Integration

You can add and manage more than one CA vendor and DNS provider.

You can perform following actions from the Third Party Integration page:

  • Add or edit a CA vendor
  • Change the auto renewal settings
  • Add or edit the certificate from an existing configured CA
  • Add or edit a DNS provider
  • Change domain mappings

Add or edit a CA vendor

You can register more than one CA vendor to manage certificates issued by different vendors. You can also edit the existing CA vendor details.

  1. Navigate to SSL dashboard > Third party integration > ACME > CA Vendors. Click Add.
  2. To add a CA vendor, provide a name for the CA vendor and select the CA.
  3. To edit an existing CA vendor details, select the CA vendor and click Edit.
  4. Add or update the required details.
  5. Click Save.

Change the auto renewal settings

To change the auto renewal settings, perform the following steps:

  1. Navigate to SSL dashboard > Third party integration > ACME > CA Vendors.
  2. Select a CA vendor, and click Edit
  3. In the Configure certificate Authority vendor, change the number of days as per your requirement the Auto renew settings section.
  4. Click Save and continue.
  5. Complete the workflow.

Add or edit the certificate from an existing configured CA

To add or edit the certificate from an existing configured CA, perform the following steps

  1. Navigate to SSL dashboard > Third party integration > ACME > CA Vendors.
  2. Select a CA vendor, and click Edit.
  3. Navigate to Step 2 Select certificates, and add or remove the required certificates.
  4. Click Save and continue.
  5. Complete the workflow.

Note:

If the certificate has not been unmapped from the original CA, it does not appear in the selection list for the new CA.

Add or edit a DNS provider

To add a new DNS provider or edit existing domain mappings of existing DNS providers, perform the following steps:

  1. Navigate to SSL dashboard > Third party integration > ACME > DNS Providers.
  2. To add a DNS provider, click Add. Select the DNS provider, and click Save.
  3. To edit an existing DNS provider, select a DNS provider and click Edit.
  4. Add or update the required details.
  5. Click Save.

Change domain mappings

To edit the domain mappings of existing DNS providers, perform the following steps:

  1. Navigate to SSL dashboard > Third party integration > ACME > DNS Providers.
  2. Select a DNS provider and click Edit.
  3. Navigate to Domain mapping, and add or remove domains as required.
  4. Click Save.

Important:

If a domain is unmapped, its certificate renewal stops. Always remap domains to a valid DNS provider to ensure that renewals continue.

Limitations

  • Certificate renewal happens only for the DNS providers that are supported by acme.sh.
Automated certificate renewal by using the ACME protocol
September 17, 2025
Contributed by: 
C
September 17, 2025
Contributed by: 
C

In this article

Site feedback | Your privacy choices footer linkYour Privacy Choices | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999- Cloud Software Group, Inc. All rights reserved.