It's an "X.509 certificate" rather than a "TLS certificate". As pointed out by sthen@, TLS isn't the only possible use.
Index: acme-client.1 =================================================================== RCS file: /cvs/src/usr.sbin/acme-client/acme-client.1,v retrieving revision 1.24 diff -u -p -r1.24 acme-client.1 --- acme-client.1 13 Jun 2018 15:08:24 -0000 1.24 +++ acme-client.1 2 Aug 2018 04:41:05 -0000 @@ -56,7 +56,7 @@ The domain name. looks in its configuration for a .Ar domain section corresponding to the domain given as command line argument. -It then uses that configuration to retrieve a TLS certificate. +It then uses that configuration to retrieve an X.509 certificate. If the certificate already exists and is less than 30 days from expiry, .Nm will attempt to refresh the signature.
