Looking for a centralized solution to manage public TLS certificates across our organization

We’re looking for a centralized solution to manage public TLS certificates across our organization. Key requirements:

  • Certificates should be issued from Let’s Encrypt (ACME).
  • Should support most DNS providers for DNS-01 challenges.
  • Needs to be self-hosted, free, and reliable (no SaaS).
  • Preferably with a GUI/dashboard for visibility and ease of management.
  • Intended for organization-wide use across multiple environments (servers, VMs, Kubernetes clusters, etc.).

We’ve tested Certimate, but found the documentation limited and the reliability questionable for production scale.

What open-source projects or self-hosted tools are recommended for this use case?
Also, do they integrate well with multi-cloud setups (AWS, Azure, on-prem) and offer features like audit/logging or role-based access?


My company develops a suite of commercial products called Certify The Web, and we currently have a beta version of our Certify Management Hub product available for free evaluation.

The core of that product (excluding the web GUI) has the source available here: https://github.com/webprofusion/certify

It's one of the only commercially supported products of that type available (not counting the incumbent "enterprise PKI" vendors, which tend not to be quite as focused on ACME). Licensing is not finalized, but it's likely to be bundled in our Power Pro tier and higher, because it also serves as a multi-instance administrative UI for our existing Certify Certificate Manager product (Windows).

It is a self-hosted web UI and API, and it can be installed on Linux or Windows (or various container environments), plus it has agents for Linux, macOS and Windows depending on your requirements.

We have a couple of extra interesting features in development, particularly managed challenges (completing DNS challenges on behalf of clients) and managed ACME (proxying ACME orders and validation, for clients that don't support DNS challenges or where you don't want to store DNS credentials, etc.). You can ask specific questions by emailing support at certifytheweb.com.

The overall goal of the product is to manage a large number of certificates (either directly, or with visibility of renewals on individual hosts, even via other ACME clients, e.g. certbot/acme.sh etc.), and it will take a few versions to get to where we ultimately want to be, but it's definitely working for some organizations like yours.

Regarding other open-source solutions, I've only seen Certimate and Certwarden. Certimate certainly has a very prolific developer, suggesting that they work on it as part of their job, so that's good; however, I don't think there is dedicated support available and some aspects are Chinese only. Certwarden is similar to that but with simpler functionality and fewer integrations. [Both of those are UI/service wrappers for lego, which is a mature ACME client and suite of DNS providers.]

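The "managed challenges" idea above (a central service publishing DNS-01 records on behalf of clients) and the original poster's DNS-01 requirement both come down to the same small computation from RFC 8555 section 8.4 and RFC 7638. The following is an added example written for this thread; it is not code from Certify The Web, Certimate, Certwarden or lego. It computes the `_acme-challenge` TXT value a publisher must write, and the check a validator (the CA, or your own pre-flight) performs before asking the CA to validate. The RSA key and its thumbprint are the RFC 7638 section 3.1 test vector; the token and domain names are made-up sample inputs.

```python
"""
ACME DNS-01 challenge arithmetic (RFC 8555 s8.4) on top of the JWK thumbprint
(RFC 7638). Added example for this thread, not vendor code.

  key_authorization = token || "." || base64url(JWK_Thumbprint(account key))
  TXT value         = base64url(SHA-256(key_authorization))
  record name       = _acme-challenge.<identifier>  (wildcard "*." is dropped)
"""
import base64
import hashlib
import json
import re

# Members that enter the thumbprint, per key type (RFC 7638 s3.2). Optional
# members such as "alg", "kid" or "use" MUST be left out, or the hash changes.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}

# ACME tokens are base64url text (RFC 8555 s8.3). Refusing anything else keeps a
# hostile token from reaching a DNS provider API as part of a record value.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# RFC 7638 section 3.1 test vector (same key as RFC 7515 appendix A.2).
RFC7638_RSA_JWK = {
    "kty": "RSA",
    "n": ("0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu"
          "1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc"
          "5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8"
          "KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQ"
          "Fh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJ"
          "zKnqDKgw"),
    "e": "AQAB",
    "alg": "RS256",   # deliberately present: must not affect the thumbprint
    "kid": "2011-04-29",
}
RFC7638_EXPECTED_THUMBPRINT = "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs"

# Constructed sample token; a real one is issued by the CA in the challenge object.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE/ACME require (RFC 7515 app. C)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, sorted, no whitespace."""
    kty = jwk.get("kty")
    if kty not in _THUMBPRINT_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    required = {m: jwk[m] for m in _THUMBPRINT_MEMBERS[kty]}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    if not _TOKEN_RE.match(token):
        raise ValueError("ACME token contains characters outside base64url")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """Return (record name, TXT value) the publisher must set for the challenge."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{host}", b64url(digest)


def validate_dns01(published_txt: list[str], token: str, account_jwk: dict) -> bool:
    """Validator side: recompute the value and accept if any TXT record matches.
    Several TXT records may legitimately coexist (e.g. base and wildcard orders)."""
    _, expected = dns01_record("unused.invalid", token, account_jwk)
    return any(v == expected for v in published_txt)


if __name__ == "__main__":
    name, value = dns01_record("*.example.com", SAMPLE_TOKEN, RFC7638_RSA_JWK)
    print(f"{name}. IN TXT \"{value}\"")
    print("self-check ok:", validate_dns01([value], SAMPLE_TOKEN, RFC7638_RSA_JWK))
```

The validator function is the useful half for a central service: run it against what the authoritative name servers actually return before telling the CA to validate, so that a propagation delay or a stale record from a previous order produces a local failure instead of a burned rate-limit slot at Let's Encrypt.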

Thank you so much, @webprofusion.
Apologies for the delayed response — I was out of office and caught up with other priorities. I’ll definitely take a closer look at the product. My main requirement is integration with GoDaddy, AWS, Azure, and some on-prem Windows servers. I’m also looking for a way to monitor all certificate expirations with some level of automation, along with secure storage. Hopefully, this solution can address those needs.

Yes, it should broadly fit your requirements. With GoDaddy there are some limitations around their API (namely, they require a minimum of 10 domains managed with them before their API works), and for that reason we can only provide limited help supporting them, but we do have users using GoDaddy.

If you have specific questions, you can let us know via support at certifytheweb.com.


Sure, will test and reach out to you soon.
