Back to Blog
Guide9 min read2026-07-07

How Automatic SSL Certificates Work

Free, auto-renewing HTTPS is now table stakes — but how does it actually work? This guide explains the ACME protocol, domain validation, certificate renewal, and what platforms automate for you.

Ajay Kumar
Ajay Kumar
Founder & DevOps, PandaStack

# How Automatic SSL Certificates Work

A decade ago, getting HTTPS on a site meant paying a certificate authority, generating a CSR by hand, emailing documents, and manually installing a .crt file that expired in a year. Today you point a domain at a platform and HTTPS just appears, renewing itself forever. This guide explains the machinery behind that magic: the ACME protocol, domain validation, and automatic renewal.

The problem TLS solves

TLS (the successor to SSL — though everyone still says "SSL") does two things: it encrypts traffic so nobody can read it in transit, and it authenticates the server so you know you are talking to the real site, not an impostor. The authentication piece relies on a certificate signed by a Certificate Authority (CA) that browsers trust.

A certificate binds a domain name to a public key. Your browser trusts it because it chains up to a root CA in the browser's trust store.

Enter Let's Encrypt and ACME

The turning point was Let's Encrypt (2015), a free, automated, nonprofit CA. It introduced ACME (Automatic Certificate Management Environment), now standardized as RFC 8555 — a protocol for machines to request and renew certificates with zero human involvement.

The ACME flow, simplified:

  1. 1Your server (the ACME client) generates a key pair and registers an account with the CA.
  2. 2It requests a certificate for example.com.
  3. 3The CA issues a challenge to prove you control the domain.
  4. 4Your client satisfies the challenge.
  5. 5The CA validates it and issues the signed certificate.
  6. 6The client installs it and schedules renewal.

Domain validation challenges

The CA needs proof you actually control the domain. Two common challenge types:

HTTP-01

The CA gives your client a token. You must serve it at a well-known path:

http://example.com/.well-known/acme-challenge/<token>

The CA fetches that URL. If it sees the right value, you have proven control. Simple, but it only works for a single hostname and requires port 80 to be reachable.

DNS-01

The CA gives you a value to publish as a TXT record:

_acme-challenge.example.com. TXT "gfj9Xq...Rg85nM"

The CA queries DNS for that record. DNS-01 is more flexible — it supports wildcard certificates (*.example.com) and does not need an open port — but requires API access to your DNS provider.

A concrete example

If you ever manage certs yourself, the canonical client is Certbot:

# HTTP-01 challenge, nginx plugin handles install + renewal
sudo certbot --nginx -d example.com -d www.example.com

# Renewal is just:
sudo certbot renew

Most setups install a systemd timer or cron job so certbot renew runs twice daily, renewing anything within 30 days of expiry. The command is a no-op until renewal is actually due.

Why short lifetimes and auto-renewal matter

Let's Encrypt certificates are valid for 90 days, and the ecosystem is moving toward even shorter lifetimes. Short lifetimes limit the damage if a key is compromised, but they make manual renewal impractical — which is the entire point. Short-lived certificates *force* automation, and automation means renewals never get forgotten. The classic outage "the SSL cert expired and nobody noticed" simply stops happening.

What platforms automate for you

When a managed platform offers "automatic SSL," here is what it is doing on your behalf:

  • Running an ACME client against a CA (often Let's Encrypt or ZeroSSL).
  • Completing HTTP-01 or DNS-01 challenges automatically when you add a custom domain.
  • Provisioning the certificate, usually within seconds to minutes.
  • Renewing well before expiry, with no action from you.
  • Often handling HTTP→HTTPS redirects and modern TLS configuration (TLS 1.3, sane ciphers).

You should also see security niceties handled for you: HSTS headers, OCSP stapling, and certificate transparency logging.

Common gotchas

  • DNS not pointed yet. HTTP-01 fails if the domain does not resolve to the platform. Add the DNS record first.
  • CAA records can block issuance. A restrictive CAA record that only allows one CA will reject others.
  • Rate limits. Let's Encrypt limits certificates per domain per week — relevant if you script issuance in a loop.
  • Mixed content. Even with a valid cert, pages loading http:// assets will warn. Use protocol-relative or HTTPS URLs.

SSL on PandaStack

PandaStack provisions and renews TLS certificates automatically for every app and custom domain. You add a domain, point DNS, and HTTPS is live — issuance and renewal run behind the Cloudflare/Kong edge with no certbot timers for you to babysit. The expired-certificate outage is one fewer thing on your on-call runbook.

References

  • [RFC 8555: Automatic Certificate Management Environment (ACME)](https://datatracker.ietf.org/doc/html/rfc8555)
  • [Let's Encrypt: How it works](https://letsencrypt.org/how-it-works/)
  • [Certbot documentation](https://eff-certbot.readthedocs.io/)
  • [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/)

---

Automatic SSL turned certificate management from a recurring chore into something you never think about. PandaStack handles issuance and renewal for every domain out of the box — deploy your first app free at [dashboard.pandastack.io](https://dashboard.pandastack.io).

Ready to deploy?

Start free on PandaStack.

Start free on PandaStack

More in Guide

Browse all Guide articles →

See also