As part of a new development, Certify The Web (https://certifytheweb.com) is expanding to implement a certificate server and API (naming as yet undecided). This will allow client apps, services and scripts (with an API token) to fetch their latest cert from the certificate server (which in turn does all the ACME process, requests, renewals and stores/accesses secrets like DNS credentials etc).
The service is aimed at devops and larger organisations with complicated certificate deployment requirements. The idea is not particularly new or original, but the implementation is.
This enables (amongst other things):
- Scripted fetch of the latest cert (any format) by a system that is otherwise not involved in ACME/Let’s Encrypt communication. e.g. Cloud apps, load balanced web servers, appliances. The server can also push deployment using various built-in deployment tasks (network, ssh/sftp, key vaults).
- Middleware (such as asp.net core kestrel https config) can fetch the latest cert and also answer http challenges (if required) by asking the server what the current challenge answer should be.
- Servers can defer to a primary so that they control local deployments like IIS etc but cert renewals are managed by the primary (and access is controlled there).
- The server can be optionally hosted on Linux (docker), Certify has historically been windows only.
The existing Certify The Web UI will be able to connect to (and manage) different servers from your desktop, in the same manner as it does now (on a windows server desktop).
So, if you think you have a need for such a thing, what features do you need, why and how do you imagine using it?