Dear all,
Can someone point us to documentation or share some thoughts? We're a small shop running quite a few Windows and Linux boxes which we'd like to reject from commercial CAs and going over to LE (have already done so on a few units). We understand that there are various options of central deployment and - most importantly - renewal. How can we achieve centralized renewal with a minimum of manual intervention? We have our DNS out there so we may challenge against it as well as we might expose ONE dedicated host that runs the renewals for the other boxes.
TIA,
Dan
2 Likes
Hi Dan,
Welcome to the community. I work on a product called Certify The Web which has a solution in that area (Certify Management Hub)
There are also quite a few other tools I've seen, and more every day which might be similarly useful depending on your requirements. Certwarden (although I think that doesn't allow commercial use, I might be wrong), Certkit.io, certimate etc all have different ways of doing things but all may be worth taking a look at.
You don't actually have to expose any hosts to the public internet if you are using DNS challenges.
[Fun aside: I saw a large scale cert mgmt tool promoted the other day elsewhere that had every feature you could think of. The guy wrote it in 4 days using AI. Amazing stuff, incredibly detailed. Imagine the egg on my face having spent the last 10yrs building the same thing!]
6 Likes
Hey Dan,
Christopher and I had the same idea lol. I work on CertKit.io, and this is exactly the sort of problem we wanted to solve.
CertKit is a centralized ACME client. We handle the certificate renewal dance for you, and use lightweight agents that pull fresh certificates when they get renewed. Agents run on Windows, Linux, and can push into appliances. Once you set it up, there is zero manual intervention.
You don't need to do DNS either. We use a DNS delegation approach, so you just create a one-time CNAME record that points to us when you are setting up the certificate. We don't need any API access and you don't have to make any changes.
Here are some more details about our approach.
Later this year, there are also plans to introduce the DNS-PERSIST-01 validation mechanism. If you want to build things yourself, that will make the validation steps a bit easier. I haven't heard a date on that yet though, since there are some amendments still working through standards.
Good luck!
4 Likes
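The CNAME delegation described in the previous replies (and the reason no host has to be exposed for DNS challenges) comes down to two pieces: the CA's validator follows the CNAME from `_acme-challenge.<name>` into whatever zone the central renewal host controls, and that host publishes the TXT value derived from the challenge token and the ACME account key (RFC 8555 section 8.4, thumbprint per RFC 7638). The script below is an added example written for this thread; it is not code from CertKit, Certify The Web or any other product mentioned above. The delegation zone `acme-delegate.example.`, the account key, the token and the in-memory zone are all constructed for the demo, and the one check an admin would want to keep around is `delegation_is_approved`, which confirms the challenge name only ever points into the zone they chose.

```python
"""Added example (not from the thread or any product mentioned in it).

Simulates an ACME CA validating a DNS-01 challenge when _acme-challenge
is delegated by CNAME to a central renewal host, and computes the TXT
value that host must publish (RFC 8555 s.8.4, RFC 7638 thumbprint).
All zone data, the token and the account key are constructed for the demo.
"""
import base64
import hashlib
import json
from typing import Dict, List, Optional

# Hypothetical delegation zone controlled by the central renewal host.
APPROVED_DELEGATION_SUFFIX = ".acme-delegate.example."


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint of an EC account key: crv, kty, x, y, sorted, no whitespace."""
    required = {k: jwk[k] for k in ("crv", "kty", "x", "y")}
    canonical = json.dumps(required, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT content the CA expects: base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def resolve_txt(zone: Dict[str, dict], name: str, max_hops: int = 8) -> List[str]:
    """Follow CNAMEs the way a validator does, then return the TXT strings found."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rr = zone.get(name, {})
        if "CNAME" in rr:
            name = rr["CNAME"]
            continue
        return list(rr.get("TXT", []))
    raise ValueError("CNAME chain too long")


def delegation_target(zone: Dict[str, dict], fqdn: str) -> Optional[str]:
    """CNAME target of _acme-challenge.<fqdn>, or None if the name is not delegated."""
    return zone.get(f"_acme-challenge.{fqdn}", {}).get("CNAME")


def delegation_is_approved(zone: Dict[str, dict], fqdn: str) -> bool:
    """Admin pre-flight check: the challenge name must point only into our chosen zone."""
    target = delegation_target(zone, fqdn)
    return target is not None and target.endswith(APPROVED_DELEGATION_SUFFIX)


def validate_dns01(zone: Dict[str, dict], fqdn: str, token: str, thumbprint: str) -> bool:
    """What the CA does: look up TXT at _acme-challenge.<fqdn>, following CNAMEs."""
    expected = dns01_txt_value(token, thumbprint)
    return expected in resolve_txt(zone, f"_acme-challenge.{fqdn}")


# Constructed EC public key (not a real key) and a constructed challenge token.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "A" * 43, "y": "B" * 43}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def build_demo_zone(token: str, thumbprint: str) -> Dict[str, dict]:
    """One-time CNAME in our own zone; the TXT lives only in the delegated zone."""
    return {
        "_acme-challenge.www.example.com.": {
            "CNAME": "www.example.com.acme-delegate.example."
        },
        "www.example.com.acme-delegate.example.": {
            "TXT": [dns01_txt_value(token, thumbprint)]
        },
    }


if __name__ == "__main__":
    tp = jwk_thumbprint(ACCOUNT_JWK)
    zone = build_demo_zone(TOKEN, tp)
    print("delegation approved:", delegation_is_approved(zone, "www.example.com."))
    print("CA validation result:", validate_dns01(zone, "www.example.com.", TOKEN, tp))
```

Note that the zone holding the actual domain never receives a TXT write: the renewal host only ever updates records under its own delegation zone, which is why no DNS API credentials for the production zone are needed.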