Sectigo ACME Subscription
- RFC 8555 ACME v2 protocol
- Automated renewal via your ACME client
- Annual subscription, per domain
- Wildcards on DNS-01 validation
- certbot, acme.sh, Caddy compatible
An ACME v2 subscription from Sectigo: your servers request, install and renew trusted SSL certificates automatically. One annual fee per domain, up to 255 SANs, wildcards included via DNS-01.
Flat annual pricing per domain: automation does the rest.
Pick a billing period
No products match your filter.
Prices without VAT; Latvian VAT is 21% where it applies. Prices follow the certificate authorities daily.
From 24 February 2026 the industry cuts the maximum life of a public SSL certificate from 397 to 199 days, under the CA/Browser Forum rules. It is a security win: short-lived certificates are much harder to abuse if a key ever leaks. Your multi-year price here does not change. We simply reissue the certificate for you at each interval, so you stay covered without lifting a finger.
After ordering you receive the directory URL and EAB credentials (kid and HMAC key) by email. One command connects certbot:
certbot certonly \
--server https://acme.sectigo.com/v2/OV \
--eab-kid <your-kid> --eab-hmac-key <your-hmac> \
-d example.com -d www.example.com
acme.sh, Caddy, Traefik and any RFC 8555 client work the same way: set the server URL and the EAB pair once, then renewals run on schedule.
The client renews well before expiry. No calendar reminders, no expired-certificate outages.
One subscription covers the domain, extra hostnames and wildcard entries as you grow.
External Account Binding ties issuance to your account, so only your servers can request certificates.
Certificates chain to Sectigo roots trusted by every mainstream browser and OS.
One domain per subscription. The directory URL and EAB kid/HMAC arrive by email.
Point certbot, acme.sh or Caddy at the Sectigo server with your EAB pair. Wildcards validate via DNS-01.
Issuance and renewal run automatically. Add SANs to the subscription whenever the setup grows.
Any RFC 8555 (ACME v2) client with External Account Binding support: certbot, acme.sh, Caddy, Traefik, cert-manager and win-acme all work.
Wildcards require the DNS-01 challenge: your client publishes a TXT record to prove domain control. Most clients automate this with DNS provider plugins.
External Account Binding links your ACME account to your paid subscription using a key ID and HMAC key we email you after the order. It stops third parties from issuing on your subscription.
The workflow is the same protocol, so this is a drop-in Let's Encrypt alternative. The Sectigo subscription adds a longer 1-year certificate lifetime, up to 255 SANs per certificate, OV-chain options and support from us when automation misbehaves.
The subscription is per domain. Extra hostnames within the domain are SANs; for a second domain, order a second subscription.
It costs 17.63 EUR a year per domain, one flat annual fee. The base subscription includes 1 SAN, and you can grow the same certificate up to 255 SANs with hostname or wildcard add-ons. Issuance and renewal run automatically at no extra per-issuance cost.
No. Your ACME client (certbot, acme.sh or Caddy) requests, installs and renews certificates on schedule. You configure the Sectigo directory URL and EAB credentials once; after that renewals need no human action.
ACME clients retry and renew well before the expiry date, so there is time to react. Certificates issued on the subscription are valid for 1 year, which leaves a wide buffer. If automation misbehaves, our support team helps you debug the setup.
Deploy in minutes or talk to an engineer about what fits your project.