hi @tbrowder
I did suggest something similar last year Comparison of Lets Encrypt Clients
An understanding of the crypto libraries, capabilities and supported challenges for each client would be great.
In terms of managing lots of certs this is something that a lot of clients can do some work on.
Some of my thoughts:
A) ACME Sharp has the concept of storage providers but it’s hard to implement
B) Have a look at ManageEngine's Key Manager Plus. https://www.manageengine.com/key-manager/ Of the clients I have evaluated it seems to be one of the leaders in using a GUI and a database to store relevant information (e.g. certs issued etc). Supported on Linux and Windows and is Java based
C) Large Providers have coded their own solution with backend databases. A lot of them prefer clients that they can use to take instructions but as you have rightly suggested use wrapper scripts to do the issuing etc.
D) I am working on a proof of concept around powershell and this. Each major component is modular and can share here if you want
E) The other things I think MSPs or people dealing with large numbers of certs come across. Use of multiple keys (a key per client) to avoid rate limitations and make transfer of service possible (i.e. here is your key, you can issue certs with a client of your choice). The ability to co-term certs - for example if you have 10 certs expiring on 20th June and 3 certs expiring on 16th, make them all renew on 15th so next time you have a single time to do the renewals. The ability to do multi challenge per domain. For example: give 3 domains, use HTTP challenge for domain 1,2,3 and TLS for domain 4. Most clients stick to one challenge for all domains which I don’t believe gives the flexibility needed.
There are lots of fun challenges with Let’s Encrypt and ACME. The bigger the problem the more complex (not complicated) I believe the solutions need to be. The challenge with complex solutions is you do need technical people to use them but MSPs and service providers tend to have those.
I believe as the protocol gains adoption there will need to be a wide range of clients (some that just do it all, some that integrate with particular software and some that are libraries that people can adapt)
Andrei
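The co-terming idea in point E above, worked through as an added example (not code from the post, ACME Sharp, Key Manager Plus or any other client named here): certificates whose expiry dates fall within a window are grouped into one batch, and each batch is renewed a fixed margin before its earliest expiry so that nothing lapses. The `Cert`, `RenewalBatch`, `plan_coterm_renewals` and `sample_certs` names, the 7-day window and the 1-day margin are assumptions chosen to reproduce the post's 20th/16th/15th example; the sample certificates are constructed.

```python
"""Co-terming certificate renewals: group certs whose expiries fall within a
window and schedule one batch renewal per group (hypothetical helper)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Cert:
    name: str      # subject / common name
    expires: date  # notAfter date of the current certificate


@dataclass
class RenewalBatch:
    renew_on: date      # single date on which every cert in the batch is renewed
    certs: list[Cert]


def plan_coterm_renewals(certs, window_days=7, margin_days=1):
    """Return a list of RenewalBatch objects.

    Certs are sorted by expiry. A cert joins the current batch when its
    expiry is within `window_days` of the batch's earliest expiry; otherwise
    a new batch starts. Each batch renews `margin_days` before its earliest
    expiry, so the batch date is always safe for every member.
    """
    batches = []
    earliest = None   # earliest expiry in the batch being built
    current = []
    for cert in sorted(certs, key=lambda c: c.expires):
        if earliest is not None and (cert.expires - earliest).days <= window_days:
            current.append(cert)
            continue
        if current:
            batches.append(RenewalBatch(earliest - timedelta(days=margin_days), current))
        earliest = cert.expires
        current = [cert]
    if current:
        batches.append(RenewalBatch(earliest - timedelta(days=margin_days), current))
    return batches


def sample_certs():
    """Constructed input: 10 certs expiring 20 June, 3 on 16 June, 2 on 1 August."""
    certs = [Cert(f"site{i}.example", date(2024, 6, 20)) for i in range(10)]
    certs += [Cert(f"shop{i}.example", date(2024, 6, 16)) for i in range(3)]
    certs += [Cert(f"mail{i}.example", date(2024, 8, 1)) for i in range(2)]
    return certs


if __name__ == "__main__":
    for batch in plan_coterm_renewals(sample_certs()):
        names = ", ".join(c.name for c in batch.certs)
        print(f"{batch.renew_on}: renew {len(batch.certs)} certs ({names})")
```

With the constructed input this yields two batches: the 13 June certificates all renew on 15 June, and the two August certificates renew on 31 July. In practice the margin would be set much larger than one day (Let's Encrypt recommends renewing well before expiry); the value here only mirrors the post's example.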