What is ACME Renewal Information (ARI)?

ARI is an extension to the ACME protocol, published as RFC 9773 in June 2025, that allows certificate authorities to communicate optimal renewal timing to ACME clients. The CA provides a suggestedWindow with start and end timestamps for when a certificate should be renewed. During mass revocation events, the CA can set this window to the past, signaling clients to renew immediately. Renewals within the ARI window are exempt from rate limits.

Which ACME clients support ARI?

As of March 2026: Certbot supports ARI since version 4.1.0. Lego and the Ruby acme-client gem (used by Shopify) support ARI. Kubernetes cert-manager supports ARI since v1.15. acme.sh does not support ARI — feature request #4944 has been open since January 2024. Win-acme and ACMEz also have implementations.

Is ACME the only option for certificate automation?

No. ACME (RFC 8555) is the dominant open-standard protocol, but enterprise CLM platforms like DigiCert CertCentral, Sectigo Certificate Manager, Keyfactor Command, and Venafi TLS Protect offer API-driven automation with broader certificate type coverage (OV, EV, code signing, S/MIME). For publicly trusted DV certificates, ACME is the most widely supported and cost-effective automation method. For OV/EV certificates, you typically need the CA's proprietary API or a CLM platform.

How do I know if my automation is ready for 47-day certificates?

A certificate automation pipeline ready for 47-day lifetimes must satisfy four criteria: fully unattended renewal without human approval or intervention, automated domain validation (DNS-01 or HTTP-01 challenge completion without manual steps), automated deployment (certificate installation and service reload without SSH or manual file copies), and monitoring that detects and alerts on renewal failures before the certificate expires. If any of these require a human, you are not ready.

What is the difference between RFC 8555 and RFC 9773?

RFC 8555 defines the core ACME protocol: account registration, order creation, domain validation challenges, certificate issuance, and revocation. RFC 9773 is an extension that adds renewal information: it defines a renewalInfo endpoint that returns suggested renewal windows, and a replaces field in order requests that links a new certificate to its predecessor. RFC 9773 does not replace RFC 8555 — it extends it.

Certificate Automation Readiness: ACME, ARI, and the 47-Day Mandate

SC-081v3 makes automation binary: either renewals run unattended or services break at scale. This page maps ACME, ARI, client support, and a maturity model to the 47-day timeline.

Certificate Automation Readiness: ACME, ARI, and the 47-Day Mandate

TL;DR: For 47-day public TLS you need unattended renewal, automated DCV, automated deploy, and monitoring—plus ARI (RFC 9773) on the client for CA-coordinated timing and mass-revocation resilience.

Overview

The CA/B Forum SC-081v3 phasedown (200 → 100 → 47 days, with shrinking DCV reuse) turns “we renew mostly on time” into an outage factory. This guide aligns with renewal automation, lifecycle management, and the ACME standard.

Problem Statement

Manual DCV or deploy does not survive 8+ renewals per year per cert.
Static renewal thresholds miss CA-driven early renewal (revocation, incidents).
DNS API tokens expire; at 47-day cadence that becomes a top failure mode.
acme.sh without ARI cannot react cleanly to ARI “renew now” signals.
OV/EV still needs CA or CLM APIs—pure ACME may not cover the whole estate.

Failure scenario: Cron renews at “30 days left”; CA moves ARI window for incident response; rate limits block the batch; no replaces field—outages on high-traffic names.

ACME: foundation layer

RFC 8555 (ACME) covers account, order, challenges, issuance, revocation. If certbot/acme.sh/Lego already issue certs, the next gaps are DV method, deploy, monitoring, and ARI.

Domain validation: bottleneck

Method	Pros	Cons
HTTP-01	Simple on single origin	No wildcards; fragile behind CDNs/LB
DNS-01	Wildcards; decoupled from HTTP	Needs stable DNS API + credentials
TLS-ALPN-01	TLS-only paths	Less common operationally

For 47-day + short DCV reuse (see 47-day guide), DNS-01 is often the primary choice—provided API tokens are rotated and monitored.

Critical: DNS API credentials must outlive the renewal cadence; expired API keys are a common renewal failure.

ARI: RFC 9773

ARI adds a renewalInfo endpoint: the CA returns a suggestedWindow (start/end). Clients should renew inside the window and send replaces on the new order. Benefits:

Mass revocation: CA can set window in the past → clients renew immediately.
Rate limits: Let’s Encrypt exempts qualifying ARI renewals with replaces.
Load smoothing: Staggers renewals across time.

Example response shape (illustrative):

GET /renewal-info/... HTTP/1.1

HTTP/1.1 200 OK
Retry-After: 21600
Content-Type: application/json

{
  "suggestedWindow": {
    "start": "2026-04-15T00:00:00Z",
    "end": "2026-04-16T00:00:00Z"
  },
  "explanationURL": "https://letsencrypt.org/docs/ari"
}

Client support (check current versions in your environment)

Certbot: ARI from 4.1.0+
Lego: ARI supported
Ruby acme-client (e.g. Shopify): ARI supported
cert-manager: 1.15+ (enable feature gate / experimental options per release notes)
acme.sh: No ARI (as of common 2024–2026 tracking—verify issue tracker)
win-acme: ARI implementations exist

RFC 8555 vs RFC 9773: 9773 extends 8555—orders, challenges, and accounts stay the same; renewal timing and replaces are additive.

Automation maturity model

Level	Description	SC-081 survival
0 Manual	Portal + SSH/RDP install	Fails before 47-day phase
1 Semi-automated	ACME issues but manual DCV/deploy or weak monitoring	Fragile at 100-day
2 Fully automated	End-to-end unattended; static renew threshold	OK routine; weak on mass revocation
3 CA-coordinated	Level 2 + ARI + `replaces`	Target for 47-day operations

Readiness checklist

Infrastructure audit

Per public cert: FQDNs, CA, expiry, renewal path (manual / ACME / CLM), client and version, DNS provider + API auth, deploy mechanism (hooks, GitOps, cert-manager), monitoring owner.

ACME client upgrade path

Align versions with ARI requirements; plan off acme.sh if ARI is mandatory for your risk model.

DNS provider API

Prove TXT create/delete; credential expiry and ownership (not tied to one human’s account).

Deployment pipeline testing

Quarterly forced renewal: order → DCV → install → reload → monitor green.

Monitoring

External expiry checks; alert ~80% of lifetime (at 47 days ≈ ~37 days remaining ≈ ~10 days to react). Watch ACME logs for silent retries.

Enterprise CLM vs ACME-only

OV/EV, code signing, and S/MIME often need DigiCert, Sectigo, Keyfactor, Venafi, etc.—see vendor comparison. For DV at scale, ACME + ARI + DNS-01 is usually the cost-effective core.

47-day TLS certificates — SC-081v3 timeline and DCV
Renewal automation
Certificate lifecycle management
CA distrust migration playbook
ACME protocol
Certbot installation
Certbot renewal automation
DNS-01 challenge validation
Rate limiting overview
Certificate automation ROI

Certificate Automation Readiness: ACME, ARI, and the 47-Day Mandate

Certificate Automation Readiness: ACME, ARI, and the 47-Day Mandate

Overview

Problem Statement

ACME: foundation layer

Domain validation: bottleneck

ARI: RFC 9773

Client support (check current versions in your environment)

Automation maturity model

Readiness checklist

Infrastructure audit

ACME client upgrade path

DNS provider API

Deployment pipeline testing

Monitoring

Enterprise CLM vs ACME-only

Related documentation