Your ACME order stalled at 2am. Which step?
Renewal scripts are easy to write. The hard part is knowing what failed when a certificate is still pending at 02:00. Here is how we run ACME as an operational workflow, not a cron job with amnesia.
- <5 min: order to issued
- DNS-01: Cloudflare + more
- VALID: live workflow state
- 14+ ACME issuers, same UI as production
Pick your CA. Same workflow every time.
One ACME client abstraction covers public CAs, commercial OV/EV paths, and custom directories. Select an issuer to see what operators configure before the first order runs.
DNS providers (Cloudflare today, more on the way) plug in separately. Challenge type is per order: DNS-01, HTTP-01, or mixed across hostnames.
CertLocker connects four layers: ACME clients (which CA), DNS provider clients (who publishes challenges), workflows (live state machine), and certificates (inventory with parsed metadata). After issuance, the same certificate becomes a scoped certificate token that edge systems can request over standard ACME: HAProxy 3.3, win-acme on IIS, and any RFC 8555 client pointed at your CertLocker directory. The screenshots below are from our staging run on 20 May 2026.
See every order in one list
The ACME Workflows screen is your control plane. Mixed states are normal: one hostname on Cloudflare DNS-01, another on HTTP-01, another queued against a different issuer from the picker above.
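Deciding which step a pending order is stuck on comes down to the RFC 8555 status fields a client has already fetched. The following is an added example, not CertLocker's code; the CA URLs and hostnames in the sample objects are constructed:

```python
# Added example (not CertLocker's code): name the step an RFC 8555 order is
# waiting on, given the order object and the authorization objects a client
# has already fetched. Sample objects below are constructed, not real CA output.
from typing import Any

TERMINAL_AUTHZ = ("invalid", "expired", "revoked", "deactivated")

def diagnose_order(order: dict[str, Any], authzs: dict[str, dict[str, Any]]) -> str:
    """Return a one-line verdict; authzs maps authorization URL -> object."""
    status = order.get("status")
    if status == "valid":
        return "issued: download " + order.get("certificate", "<no certificate URL>")
    if status == "invalid":
        return "order invalid: an authorization or finalize failed, re-order"
    if status == "processing":
        return "finalize accepted: CA is signing, keep polling the order"
    if status == "ready":
        return "all authorizations valid: client has not sent finalize (CSR) yet"
    # "pending": the order is blocked on at least one authorization
    for url in order.get("authorizations", []):
        authz = authzs[url]
        ident = authz["identifier"]["value"]
        if authz.get("status") == "valid":
            continue
        challenges = authz.get("challenges", [])
        for ch in challenges:  # a failed or in-flight challenge names the step
            err = ch.get("error", {})
            if ch.get("status") == "invalid":
                return (f"{ident}: {ch['type']} failed ({err.get('type', '?')}): "
                        f"{err.get('detail', '')}")
            if ch.get("status") == "processing":
                return f"{ident}: CA is still validating {ch['type']}"
        if authz.get("status") in TERMINAL_AUTHZ:
            return f"{ident}: authorization {authz['status']}, re-order"
        types = ", ".join(ch["type"] for ch in challenges)
        return f"{ident}: no challenge answered yet; publish the record/file for one of: {types}"
    return "order pending but every authorization is valid: re-poll the order"

# Constructed sample: www is already valid on HTTP-01, the wildcard's DNS-01 failed.
SAMPLE_ORDER = {"status": "pending",
                "authorizations": ["https://ca.example/authz/1", "https://ca.example/authz/2"]}
SAMPLE_AUTHZS = {
    "https://ca.example/authz/1": {"identifier": {"type": "dns", "value": "www.example.test"},
        "status": "valid", "challenges": [{"type": "http-01", "status": "valid"}]},
    "https://ca.example/authz/2": {"identifier": {"type": "dns", "value": "*.example.test"},
        "status": "pending", "challenges": [{"type": "dns-01", "status": "invalid",
        "error": {"type": "urn:ietf:params:acme:error:dns",
                  "detail": "no TXT record found for _acme-challenge.example.test"}}]},
}
```

Run `diagnose_order(SAMPLE_ORDER, SAMPLE_AUTHZS)` to get the wildcard's DNS-01 error with the CA's detail string, which is the line an operator wants on the timeline instead of a bare "pending".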
Wire the CA and DNS
Create an ACME client from the issuer catalog, then attach a DNS provider client when you want automated DNS-01. Cloudflare is first-class in the UI; additional DNS backends follow the same client model.
Same flow for every issuer
No per-CA modules. Sectigo DV/OV/EV, Let's Encrypt, Google Trust Services, and custom directories all use the same workflow engine. Our staging screenshots include a wildcard on Let's Encrypt and other hostnames on different challenge paths.
DNS-01 through issuance
Example from staging: *.certlocker.uk on Let's Encrypt staging with Cloudflare publishing the challenge. Apex, SAN, and wildcard orders all use the same timeline UI.
Land in inventory
Issued certs are not orphaned PEM files. They show up in inventory with expiry widgets and a detail drawer: issuer, SANs, serial, security rating.
The certificate is the token
That is the delivery model we have been writing about since the HAProxy and IIS walkthroughs: the cert is not a file you email to a load balancer. It is a certificate token, type CERTIFICATE, scoped to the hostname or names you approved, with a token ID your automation presents to CertLocker's ACME gateway.
Operators run workflows in the UI (steps 1 to 4 above). Infrastructure pulls the result over ACME using the token. No platform-wide API keys on the edge host.
*.certlocker.uk as a CERTIFICATE token. Copy the ID into HAProxy, win-acme, or another ACME client config.
Edge · Linux
HAProxy 3.3 native ACME
Point acme at CertLocker's directory, authenticate with the certificate token, and use reuse-key on so the gateway delivers the stored key material HAProxy expects.
Edge · Windows
win-acme on IIS
Create a token with protocol ACME, aim win-acme at https://trust.certlocker.io/rest/acme/directory, and let it install, bind, and schedule renewal like any other CA.
Directory URL for hosted trust: https://trust.certlocker.io/rest/acme/directory. On-prem installs use the same path on your CertLocker hostname. For chain packaging on reload, see CA bundles in HAProxy and IIS.
Why platform teams care
- Renewal scripts with no UI: workflow timeline and status badges.
- DNS API keys on laptops: DNS provider clients in-platform, group-scoped.
- Did the cert actually issue? inventory plus issuer metadata.
- PEM files on shares: certificate tokens and ACME pull on HAProxy, IIS, or your client of choice.
- CA migration: new ACME client row; per-domain orders.
Engineering context: Cloudflare DNS provider, DNS client CRUD, ACME client private keys, and DAO schema bumps are on dev as of mid-May 2026. See Build Notes: May 2026.
Run ACME with operational visibility
Certificates, ACME workflows, DNS providers, scoped delivery, and audit in one platform.
Related reading
- HAProxy 3.3 native ACME with CertLocker (token auth, reuse-key, crt-store)
- IIS certificates with CertLocker ACME and win-acme (CERTIFICATE token setup)
- CA bundles in HAProxy and IIS
- Build Notes: May 2026 (workflow UI and gateway routing)