Certctl
Self-hosted certificate lifecycle automation platform. Any CA, any server, zero human intervention. Full REST API, web dashboard, and agent-based deployment where private keys never leave your infrastructure. Includes CLI, MCP server for AI assistants, and compliance mapping for SOC 2, PCI-DSS, and NIST.
certctl — Self-Hosted Certificate Lifecycle Platform
TLS certificate lifespans are shrinking fast. In April 2025 the CA/Browser Forum unanimously passed Ballot SC-081v3, which phases the maximum lifetime down in steps: 200 days by March 2026, 100 days by March 2027, and 47 days by March 2029. Organizations managing dozens or hundreds of certificates can no longer rely on spreadsheets, calendar reminders, or manual renewal workflows. The math doesn't work: at 47-day lifespans, a team managing 100 certificates is processing roughly 15 renewals per week even if every certificate runs to the wire (100 / 47 per day), and more than 20 per week if it renews at two-thirds of lifetime, every week, forever.
certctl is a self-hosted platform that automates the entire certificate lifecycle — from issuance through renewal to deployment — with zero human intervention. It works with any certificate authority, deploys to any server, and keeps private keys on your infrastructure where they belong. It's free, self-hosted, and covers the same lifecycle that enterprise platforms charge $100K+/year for.
```mermaid
gantt
    title TLS Certificate Maximum Lifespan — CA/Browser Forum Ballot SC-081v3
    dateFormat YYYY-MM-DD
    axisFormat
    todayMarker off
    section 2015
    5 years (1825 days) :done, 2020-01-01, 1825d
    section 2018
    825 days :done, 2020-01-01, 825d
    section 2020
    398 days :active, 2020-01-01, 398d
    section 2026
    200 days :crit, 2020-01-01, 200d
    section 2027
    100 days :crit, 2020-01-01, 100d
    section 2029
    47 days :crit, 2020-01-01, 47d
```
Actively maintained — shipping weekly. Found something? Open a GitHub issue — issues get triaged same-day. CI runs the full test suite with race detection, static analysis, and vulnerability scanning on every commit.
Ready to try it? Jump to the Quick Start — you'll have a running dashboard in under 5 minutes.
Why certctl Exists
Certificate lifecycle tooling today falls into two camps: expensive enterprise platforms (Venafi, Keyfactor, Sectigo) that cost six figures and take months to deploy, or single-purpose tools (cert-manager, certbot) that handle one slice of the problem. If you run a mixed infrastructure — some NGINX, some Apache, a few HAProxy nodes, IIS on Windows, maybe an F5 — and you need to manage certificates from multiple CAs, there's nothing self-hosted that covers the full lifecycle without vendor lock-in.
certctl fills that gap. It's CA-agnostic — plug in any certificate authority: Let's Encrypt via ACME, Smallstep step-ca, HashiCorp Vault PKI, DigiCert CertCentral, your enterprise ADCS via sub-CA mode, or any custom CA through a shell script adapter. Run multiple issuers simultaneously for different certificate types.
It's target-agnostic. Agents deploy certificates to NGINX, Apache, HAProxy, Traefik, Caddy, Envoy, Postfix, Dovecot, IIS (local PowerShell or remote WinRM), F5 BIG-IP (proxy agent), and any Linux/Unix server via SSH/SFTP, all using the same pluggable connector model. The control plane never opens connections to your servers: agents poll it for work, so no inbound firewall rules are needed on the targets and certctl works behind firewalls, across network zones, and, paired with an internal CA, in air-gapped environments.
For a detailed comparison with other tools and enterprise platforms, see Why certctl?
Who Is This For
Platform engineering and DevOps teams managing 10–500+ certificates across mixed infrastructure who need automated renewal, deployment, and a single dashboard for visibility. If you're currently running certbot cron jobs, manually renewing certs, or stitching together scripts — certctl replaces all of that.
Security and compliance teams who need an immutable audit trail, certificate ownership tracking, policy enforcement, and evidence for SOC 2, PCI-DSS 4.0, or NIST SP 800-57 audits.
Small teams without enterprise budgets who need the lifecycle automation that Venafi and Keyfactor provide but can't justify six-figure licensing for a 50-server environment.
What It Does
- Certificates renew and deploy themselves. The scheduler monitors expiration, creates renewal jobs, issues certificates through your CA, and deploys them to target servers, all without human intervention. ACME Renewal Information (ARI, RFC 9773) lets your CA tell certctl exactly when to renew. Ready for the 47-day limit set by SC-081v3 and for Let's Encrypt's 6-day shortlived profile.
- You see everything in one place. The operational dashboard shows every certificate across every server: status, ownership, expiration timeline, deployment history with TLS verification, discovery triage, and real-time agent fleet health. Bulk operations (renew, revoke, reassign) work across selections.
- Private keys never leave your servers. Agents generate ECDSA P-256 keys locally and submit only the CSR; the control plane never sees private key material. Post-deployment TLS verification connects to the target and confirms that the newly issued certificate is the one actually being served.
- Discover what you don't know about. Agents scan filesystems for existing PEM/DER certificates. The network scanner probes TLS endpoints across CIDR ranges without requiring agents. Both feed into a triage workflow where you claim, dismiss, or import discovered certificates.
- Everything is auditable. An immutable, append-only audit trail records every lifecycle action, every API call, and every approval decision. Certificate digest emails deliver daily briefings. A Prometheus metrics endpoint feeds Grafana dashboards.
- Multiple interfaces for different workflows. REST API for automation, CLI for scripting, MCP server for AI assistants (Claude, Cursor, Windsurf), EST server (RFC 7030) for device enrollment, Helm chart for Kubernetes, and the web dashboard for day-to-day operations.
For the full capability breakdown — revocation infrastructure (CRL + OCSP), policy engine, certificate profiles, S/MIME support, approval workflows, and more — see the Feature Inventory.
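The filesystem half of discovery is mostly a parsing problem: certificate files on real hosts are a mix of single PEM certs, PEM bundles with keys and chains interleaved, and raw DER, and a scanner that only handles one form misses the rest. Below is an added example, not certctl's own scanner, that walks a directory tree and emits one triage record per certificate it can parse. `ScanDir`, `ParseCerts`, the `Found` record, the 30-day warning window, the 1 MiB file-size cap, and the `/etc/ssl` default root are all assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"time"
)

// Found is one certificate discovered on disk, carrying what a triage queue needs.
type Found struct {
	Path        string
	Subject     string
	DNSNames    []string
	NotAfter    time.Time
	Fingerprint string // hex SHA-256 of the DER encoding
	Expiring    bool   // NotAfter falls inside the warning window
}

// ParseCerts accepts a file body that is either concatenated PEM (any number of
// CERTIFICATE blocks; keys and other block types are ignored) or one DER certificate.
func ParseCerts(body []byte) []*x509.Certificate {
	var out []*x509.Certificate
	rest := body
	for {
		var blk *pem.Block
		blk, rest = pem.Decode(rest)
		if blk == nil {
			break
		}
		if blk.Type != "CERTIFICATE" {
			continue
		}
		if c, err := x509.ParseCertificate(blk.Bytes); err == nil {
			out = append(out, c)
		}
	}
	if len(out) == 0 {
		if c, err := x509.ParseCertificate(body); err == nil {
			out = append(out, c)
		}
	}
	return out
}

// ScanDir walks root and returns every parseable certificate. Non-certificate files are
// skipped silently, and unreadable entries below root are skipped too, so one permission
// error does not abort the scan. Symlinks are not followed, which also avoids link loops.
func ScanDir(root string, warn time.Duration, now time.Time) ([]Found, error) {
	const maxSize = 1 << 20 // do not slurp large files looking for PEM
	var found []Found
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			if p == root {
				return err
			}
			return nil
		}
		if d.IsDir() {
			return nil
		}
		info, err := d.Info()
		if err != nil || !info.Mode().IsRegular() || info.Size() > maxSize {
			return nil
		}
		body, err := os.ReadFile(p)
		if err != nil {
			return nil
		}
		for _, c := range ParseCerts(body) {
			sum := sha256.Sum256(c.Raw)
			found = append(found, Found{
				Path: p, Subject: c.Subject.String(), DNSNames: c.DNSNames, NotAfter: c.NotAfter,
				Fingerprint: hex.EncodeToString(sum[:]), Expiring: c.NotAfter.Before(now.Add(warn)),
			})
		}
		return nil
	})
	return found, err
}

func main() {
	root := "/etc/ssl"
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	found, err := ScanDir(root, 30*24*time.Hour, time.Now())
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(1)
	}
	for _, f := range found {
		fmt.Printf("%-60s expires %s expiring=%-5v %s\n", f.Path, f.NotAfter.Format("2006-01-02"), f.Expiring, f.Subject)
	}
}
```

The fingerprint is what lets a triage workflow deduplicate: the same certificate typically shows up several times on one host (the server's cert file, a bundle, a backup copy), and across hosts behind a load balancer, so matching on the SHA-256 of the DER rather than on path or subject is what keeps the queue short.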
Supported Integrations
Certificate Issuers
| Issuer | Status | Type |
|--------|--------|------|
| Local CA (self-signed + sub-CA) | Implemented | GenericCA |
| ACME v2 (Let's Encrypt, Sectigo) | Implemented (HTTP-01 + DNS-01 + DNS-PERSIST-01) | ACME |
| ACME EAB (ZeroSSL, Google Trust Services) | Implemented (auto-fetch EAB from ZeroSSL) | ACME |
| step-ca | Implemented | StepCA |
| OpenSSL / Custom CA | Implemented | OpenSSL |
| Vault PKI | Beta | VaultPKI |
| DigiCert CertCentral | Beta | DigiCert |
| Sectigo SCM | Beta | Sectigo |
| Google CAS | Beta | GoogleCAS |
| AWS ACM Private CA | Beta | AWSACMPCA |
Vault PKI, DigiCert, Sectigo, Google CAS, and AWS ACM PCA connectors are in beta. If you hit bugs or unexpected behavior, please open a GitHub issue; we're actively testing these and want to hear from real users.
Note: ADCS integration is handled via the Local CA's sub-CA mode — certctl operates as a subordinate CA with its signing certificate issued by ADCS. Any CA with a shell-accessible signing interface can be integrated today via the OpenSSL/Custom CA connector.
Deployment Targets
| Target | Status | Type |
|--------|--------|------|
| NGINX | Implemented | NGINX |
| Apache httpd | Implemented | Apache |
| HAProxy | Implemented | HAProxy |
| Traefik | Implemented | Traefik |
| Caddy | Implemented | Caddy |
| Envoy | Implemented | Envoy |
| Postfix | Implemented | Postfix |
| Dovecot | Implemented | Dovecot |
| Microsoft IIS | Implemented (local + WinRM) | IIS |
| F5 BIG-IP | Beta | F5 |
| SSH (Agentless) | Beta | SSH |
| Windows Cert Store | Implemented | WinCertStore |
| Java Keystore | Implemented | JavaKeystore |
| Kubernetes Secrets | Beta | KubernetesSecrets |
Notifiers
| Notifier | Status | Type |
|----------|--------|------|
| Email (SMTP) | Implemented | Email |
| Webhooks | Implemented | Webhook |
| Slack | Implemented | Slack |
| Microsoft Teams | Implemented | Teams |
| PagerDuty | Implemented | PagerDuty |
| OpsGenie | Implemented | OpsGenie |
All connectors are pluggable — build your own by implementing the connector interface.
