But, instead of signing your certificates being signed by a trusted CA, it creates a self-signed certificate. This can be used with DANE to secure Handshake websites.
# Install certbot (or any client) normally: https://certbot.eff.org/
# Get a certificate and install it like:
sudo certbot --nginx -d your_tld.or_sld \
--server https://acme.htools.work/directory --reuse-key
# Use a valid email above to receive the final step email (adding a DNS record)
Why does this even exist?
Because you can use any ACME client (like certbot) and take advantage of existing plugins for all kinds of web servers. Also, there's no need to bother with OpenSSL and TLSA.
What if the CA is compromised?
Nothing happens. A new CA key is generated for every issued certificate and then destroyed immediately. And with DANE, it really wouldn't matter anyway.
I don't want emails.
Emails are only sent when certificates are issued. If you already know what to do and really don't want them, then add a +noemail to the end of your email address like: email@example.com.