
Certmate

SSL Certificate Management System (API + UI)


CertMate - SSL Certificate Management System

<div align="center"> <img src="certmate_logo.png" alt="CertMate Logo" width="180">

CertMate is an SSL certificate management system designed for modern infrastructure. Built with multi-DNS provider support, Docker containerization, and a comprehensive REST API, it handles certificates across multiple datacenters and cloud environments.

License: MIT · Python 3.9+ · Docker · API Documentation · CI Build · Multi-Platform Docker Images


Quick Start · Documentation · Installation · DNS Providers · CA Providers · Storage Backends · Backup & Recovery · API Reference

</div>

Why CertMate?

CertMate solves the complexity of SSL certificate management in modern distributed architectures. Whether you're running a single application or managing certificates across multiple datacenters, CertMate provides:

  • Zero-Downtime Automation - Certificates renew automatically 30 days before expiry, with deploy hooks to reload services
  • Multi-Cloud Support - Works with 22 DNS providers (Cloudflare, AWS, Azure, GCP, Hetzner, Porkbun, GoDaddy, and more)
  • Enterprise-Ready - RBAC, scoped API keys, Docker, Kubernetes, REST API, and monitoring built-in
  • Simple Integration - One-URL certificate downloads for easy automation
  • Security-First - Role-based access control, scoped API keys, audit logging, HMAC-signed webhooks
  • Unified Backup System - Atomic backups of settings and certificates ensuring data consistency
  • Real-Time Dashboard - SSE-powered live updates, command palette, keyboard shortcuts, dark mode

Key Features

Certificate Management

  • Multiple CA Providers - Support for Let's Encrypt, DigiCert ACME, and Private CAs
  • Let's Encrypt Integration - Free, automated SSL certificates with staging/production environments
  • DigiCert ACME Support - Enterprise-grade certificates with External Account Binding (EAB)
  • Private CA Support - Internal/corporate CAs with custom trust bundles and ACME compatibility
  • Wildcard Support - Single certificate for *.example.com and example.com
  • Multi-Domain Certificates - SAN certificates for multiple domains
  • Domain Alias Support - Use alternative domains for DNS validation (e.g., centralized validation domain)
  • Automatic Renewal - Smart renewal 30 days before expiry
  • Certificate Validation - Real-time SSL certificate status checking
  • Per-Certificate CA Selection - Choose different CAs for different certificates

Multi-DNS Provider Support

  • Multi-Account Support - Manage multiple accounts per provider for enterprise environments
  • Cloudflare - Global CDN with edge locations worldwide (Multi-Account)
  • AWS Route53 - Amazon's scalable DNS service (Multi-Account)
  • Azure DNS - Microsoft's cloud DNS solution (Multi-Account)
  • Google Cloud DNS - Google's high-performance DNS (Multi-Account)
  • DigitalOcean - Cloud infrastructure DNS (Multi-Account)
  • PowerDNS - Open-source DNS server with REST API (Multi-Account)

Enterprise Features

  • Role-Based Access Control - Three-tier RBAC with viewer, operator, and admin roles
  • Scoped API Keys - Create, revoke, and manage API keys with per-key role and optional expiration
  • Multi-Account Management - Support multiple accounts per DNS provider for enterprise workflows
  • REST API - Complete programmatic control with Swagger/OpenAPI docs
  • Web Dashboard - Modern, responsive UI built with Tailwind CSS and Alpine.js
  • Setup Wizard - Guided first-run configuration for DNS, CA, and authentication
  • Real-Time Updates - Server-Sent Events (SSE) push live status to the dashboard
  • Docker Ready - Full containerization with Docker Compose
  • Kubernetes Compatible - Deploy in any Kubernetes cluster
  • Monitoring Integration - Health checks, Prometheus metrics, and structured JSON logging

Backup & Recovery

  • Unified Backups - Atomic snapshots of both settings and certificates ensuring data consistency
  • Automatic Backups - Settings and certificates backed up automatically on changes
  • Manual Backup Creation - On-demand backup creation via web UI or API
  • Comprehensive Coverage - Backs up DNS configurations, certificates, and application settings
  • Retention Management - Configurable retention policies with automatic cleanup
  • Easy Restore - Simple restore process from any backup point with atomic consistency
  • Download Support - Export backups for external storage and disaster recovery

Certificate Storage Backends

  • Local Filesystem - Default secure local storage with proper file permissions (600/700)
  • Azure Key Vault - Enterprise-grade secret management with Azure integration and HSM protection
  • AWS Secrets Manager - Scalable secret storage with AWS ecosystem integration and cross-region replication
  • HashiCorp Vault - Industry-standard secret management with versioning, audit logging, and fine-grained policies
  • Infisical - Modern open-source secret management with team collaboration and end-to-end encryption
  • Pluggable Architecture - Easy to extend with additional storage backends
  • Migration Support - Seamless migration between storage backends without downtime
  • Backward Compatibility - Existing installations continue working without changes

Notifications & Automation

  • Multi-Channel Notifications - Email (SMTP), Slack, Discord, and generic webhooks
  • Webhook HMAC Signatures - SHA-256 signed payloads for secure webhook verification
  • Deploy Hooks - Post-issuance shell commands to reload Nginx/Apache or run custom scripts
  • Weekly Digest - Scheduled email summary of certificate status and upcoming renewals
  • SSE Real-Time Events - Live push updates for certificate operations and deploy hook results

Security & Compliance

  • Role-Based Access Control - Viewer, operator, and admin roles with hierarchical permissions
  • Scoped API Keys - Create keys with specific roles and optional expiration dates
  • Bearer Token Authentication - Secure API access control
  • File Permissions - Proper certificate file security (600/700)
  • Audit Logging - Complete certificate lifecycle tracking with timeline view
  • Environment Variables - Secure credential management
  • Rate Limit Handling - Let's Encrypt rate limit awareness

User Interface

  • Command Palette - Cmd+K / Ctrl+K quick search and navigation
  • Keyboard Shortcuts - Power-user shortcuts for navigation and common actions
  • Dark Mode - System-aware dark/light theme toggle
  • Mobile-Friendly - Responsive layout with bottom tab bar on small screens
  • Activity Timeline - Chronological view of all certificate and system events

Developer Experience

  • One-URL Downloads - Simple certificate retrieval for automation (/{domain}/tls)
  • Individual Component Downloads - Fetch cert, key, chain, or fullchain separately
  • Multiple Output Formats - PEM, ZIP, individual files
  • SDK Examples - Python, Bash, Ansible, Terraform examples
  • Webhook Support - Certificate lifecycle notifications with HMAC verification
  • Deploy Hook API - Configure and test post-issuance hooks via REST API
  • Backup API - Programmatic backup creation and restoration
  • Swagger & ReDoc - Interactive API documentation at /docs/ and /redoc/
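The README lists HMAC-signed webhooks (SHA-256) under both Notifications and Developer Experience but does not document the wire format. The receiver below is an added example, not CertMate's code: it assumes hypothetical `X-CertMate-Signature` / `X-CertMate-Timestamp` headers and a signature over `timestamp.body`, and shows why the timestamp and a constant-time compare matter (tampered or replayed deliveries are rejected).

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Header names and signing layout are assumptions for this example;
# the README does not document CertMate's actual webhook format.
SIG_HEADER = "X-CertMate-Signature"
TS_HEADER = "X-CertMate-Timestamp"
MAX_SKEW_SECONDS = 300  # deliveries older than 5 minutes are treated as replays


def sign_payload(secret: bytes, timestamp: str, body: bytes) -> str:
    """Sender-side signature over the timestamp and the raw request body."""
    msg = timestamp.encode("ascii") + b"." + body
    return "sha256=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes, now: Optional[float] = None) -> bool:
    """Accept only if the signature matches and the timestamp is fresh."""
    sig = headers.get(SIG_HEADER, "")
    ts = headers.get(TS_HEADER, "")
    if not sig.startswith("sha256=") or not ts.isdigit():
        return False  # missing or malformed headers
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: a captured payload being replayed
    expected = sign_payload(secret, ts, body)
    # compare_digest is constant-time, so the check leaks nothing about the expected value
    return hmac.compare_digest(expected, sig)


# Constructed sample delivery (not real CertMate output)
SECRET = b"constructed-shared-secret"
EVENT = {"event": "certificate.renewed", "domain": "example.com", "expires_in_days": 89}
BODY = json.dumps(EVENT, separators=(",", ":")).encode()
TS = "1700000000"
HEADERS = {SIG_HEADER: sign_payload(SECRET, TS, BODY), TS_HEADER: TS}


def demo() -> dict:
    """Outcomes for a valid, tampered, replayed, wrong-key and header-less delivery."""
    tampered = BODY.replace(b"example.com", b"other.example")
    return {
        "valid": verify_webhook(SECRET, HEADERS, BODY, now=1700000010),
        "tampered_body": verify_webhook(SECRET, HEADERS, tampered, now=1700000010),
        "replayed_later": verify_webhook(SECRET, HEADERS, BODY, now=1700000000 + 3600),
        "wrong_secret": verify_webhook(b"other-secret", HEADERS, BODY, now=1700000010),
        "missing_headers": verify_webhook(SECRET, {}, BODY, now=1700000010),
    }


if __name__ == "__main__":
    print(demo())
```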

Supported DNS Providers

CertMate supports 22 DNS providers through the Let's Encrypt DNS-01 challenge, using the individual certbot DNS plugins, which provide reliable, well-tested challenge support. Multi-account support is available for the major providers, enabling enterprise-grade deployments with separate accounts for production, staging, and disaster recovery.

| Provider | Credentials Required | Multi-Account | Use Case | Status |
| --- | --- | --- | --- | --- |
| Cloudflare | API Token | Yes | Global CDN, Free tier available | Stable |
| AWS Route53 | Access Key, Secret Key | Yes | AWS infrastructure, Enterprise | Stable |
| **Azu
