CertMate
Automate SSL certificate lifecycle across any CA, 24+ DNS providers, and every major secret store — with a REST API, web dashboard, and built-in MCP server for AI-driven ops.
CertMate is an open-source SSL certificate management system built for modern distributed infrastructure. It automates the full certificate lifecycle — issuance, renewal, deployment, and revocation — across more than two dozen DNS providers and seven CA backends, from Let’s Encrypt and ZeroSSL to private ACME endpoints using step-ca. All operations are exposed through a REST API with interactive Swagger docs, complemented by a real-time web dashboard built with Tailwind CSS and Alpine.js.
The system is containerized for Docker and Kubernetes and ships with a dependency-injection application container that wires together background scheduling, pluggable certificate storage (local filesystem, HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, Infisical, and S3-compatible object storage), HMAC-signed webhooks, and multi-channel notifications. Role-based access control with three permission tiers, scoped API keys, OIDC/SSO integration, and tamper-evident audit log chaining make it credible for compliance-sensitive environments.
What has historically set CertMate apart from simpler certbot wrappers is its breadth of integrations alongside genuine depth: multi-account support per DNS provider for prod/staging separation, DNS alias delegation via CNAME for air-gapped DNS zones, a zombie certificate scanner to clean orphaned certs from the filesystem, a built-in OCSP responder and CRL distribution point for private PKI, and a Model Context Protocol (MCP) server that lets AI assistants manage certificates directly through the REST API.
Active development is reflected in a release cadence exceeding 100 releases and averaging over 100 commits per month. The v2.x series introduced async certificate issuance, S3-sovereign storage, OIDC federation, NIS2 compliance tooling via a companion project, and a weekly digest email for certificate health monitoring. The open-source MIT core coexists with a commercial CertMate-ng tier (BSL 1.1) for multi-tenant and white-label deployments.
What You Get
- Multi-CA Provider Support - Issue certificates from Let’s Encrypt, ZeroSSL, Google Trust Services, Actalis (free 90-day EU DV certs), DigiCert ACME with EAB, SSL.com, or any private CA compatible with the ACME protocol — switchable per certificate.
- 24+ DNS Provider Integrations - Automate DNS-01 challenges via certbot plugins for Cloudflare, AWS Route53, Azure DNS, Google Cloud DNS, DigitalOcean, Hetzner, GoDaddy, PowerDNS, Akamai Edge DNS, OVH, Linode, Gandi, NS1, DNS Made Easy, Vultr, Porkbun, ACME-DNS, and more.
- Multi-Account DNS Management - Configure multiple accounts per provider (e.g. separate Cloudflare tokens for production and staging) and use DNS alias via CNAME delegation to route ACME challenges through an alternative domain without exposing primary DNS credentials.
- Pluggable Certificate Storage Backends - Store private keys and certificates on local filesystem (600/700 permissions), HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, Infisical, or any S3-compatible endpoint (Hetzner, Contabo, Wasabi, MinIO, OVHcloud, Scaleway) — migrate between backends without downtime.
- REST API with Swagger/OpenAPI Docs - Full programmatic control at every layer: certificate CRUD, DNS provider configuration, backup management, API key lifecycle, RBAC, deploy hook testing, and SSE event streaming — documented interactively at /docs/ and /redoc/.
- Role-Based Access Control & OIDC/SSO - Three-tier RBAC (viewer, operator, admin) with scoped API keys and optional expiration. OIDC/SSO integration lets users authenticate via any standards-compliant identity provider, with the OIDC settings block isolated behind a dedicated, audited API endpoint.
- Automatic Renewal with Deploy Hooks - Certificates renew 30 days before expiry; post-issuance shell hooks reload Nginx, Apache, or any service. Webhook notifications with SHA-256 HMAC signing deliver events to Slack, Discord, Telegram, ntfy, Gotify, or custom endpoints.
- Real-Time Dashboard & Command Palette - SSE-powered live certificate status, a Cmd+K/Ctrl+K command palette for quick navigation, keyboard shortcuts, dark mode, mobile-responsive layout, and an activity timeline for all certificate and system events.
- Tamper-Evident Audit Log Chain - Every certificate lifecycle event is appended to a SHA-256 hash chain (JSONL) that makes deletion, modification, or reordering detectable without an external anchoring service — suitable for NIS2 and internal compliance evidence.
- Private PKI with OCSP & CRL - Run your own CA with built-in OCSP responder and CRL distribution point. Zombie certificate scanner identifies and cleans orphaned certs on the filesystem that are no longer tracked by Certbot.
- MCP Server for AI Assistants - A built-in Node.js Model Context Protocol server maps 1:1 to the REST API, letting AI agents list, create, renew, and diagnose certificates through structured tool calls with audited session identity.
- Unified Backup & Weekly Digest - Atomic snapshots of all certificates and settings with configurable retention and API/UI restore. Weekly email digest summarizes certificate health and upcoming renewals across the entire fleet.
Common Use Cases
- Multi-cloud certificate automation - A platform team configures separate Cloudflare and Route53 accounts for production and staging, using CertMate’s per-provider multi-account support to issue wildcard certificates automatically and reload their load balancers via deploy hooks, achieving zero-downtime renewals across three cloud environments.
- Private PKI for microservices - An enterprise security team deploys CertMate with a private step-ca endpoint to issue mTLS client and server certificates for internal APIs, using the built-in OCSP responder, CRL distribution, and HashiCorp Vault storage to meet their internal PKI policy without relying on public CAs.
- Compliance-grade certificate tracking - A fintech company uses CertMate’s tamper-evident audit chain and RBAC to produce evidence for NIS2 audits: operators can issue and renew but cannot alter audit records, and the weekly digest gives security teams visibility into expiring certificates before SLA breaches occur.
- AI-driven certificate operations - An SRE team connects CertMate’s MCP server to their internal AI assistant, allowing the agent to list certificates, detect ones expiring within 14 days, trigger renewals, and verify deployment via the API — all with audited session identity and RBAC enforcement.
Under The Hood
Architecture CertMate is structured as a modular Flask application assembled through a factory function and a dependency-injection container (AppContainer) that instantiates and wires together every service at startup. The three-layer module hierarchy — core (domain services), api (Flask-RESTX namespaces and resources), and web (Jinja2/Alpine.js routes) — enforces a clean separation where HTTP handlers delegate immediately to service objects, and service objects never import from the HTTP layer. Background renewal scheduling is handled by APScheduler with a SQLAlchemy job store, pushed into the same container so jobs can reference live manager instances without globals. An EventBus threads real-time SSE events through the architecture, and a request watchdog logs slow responses for observability. The result is a codebase that can swap storage backends, DNS strategies, or notification channels by reconfiguring the container rather than modifying control flow.
Tech Stack The backend runs Python 3.9+ on Flask 3.x with Flask-RESTX generating Swagger/OpenAPI documentation automatically from resource decorators. Production serving uses Gunicorn behind optional Nginx, with tini as the container init for correct signal handling in Docker. DNS provider integrations are entirely plugin-based through the official certbot-dns-* family, with a Strategy Pattern abstraction (DNSProviderStrategy) that normalises credential file creation and propagation-seconds handling across all providers. The frontend is rendered with Jinja2 templates enhanced by Alpine.js for reactive behaviour and Tailwind CSS (npm build pipeline) for styling. Certificate storage is abstracted via an ABC hierarchy with retry-on-transient-error wrappers supporting seven backends including S3-compatible endpoints. The MCP server is a separate Node.js process using the official @modelcontextprotocol/sdk that communicates with the REST API over HTTP.
Code Quality The test suite spans 138 files and approximately 27,000 lines, covering unit, integration, and Playwright end-to-end tests — one of the more comprehensive suites found in a solo-maintained open-source project of this scale. Tests use pytest with parametrize, pytest-flask for request context, freezegun for time control, and requests-mock for isolating external calls. The codebase uses explicit error handling with structured validation and masked sensitive values (the MaskedString decorator and a log sanitizer prevent API tokens and private keys from appearing in outputs or logs). A SECURITY.md, CodeQL workflow, OSSF Scorecard badge, and codecov coverage reporting indicate active attention to supply-chain hygiene. CI runs on GitHub Actions with multi-platform Docker builds and a separate CodeQL analysis job.
What Makes It Unique Most certificate automation tools are thin wrappers around certbot or acme.sh. CertMate’s differentiators lie in the combination of breadth and depth that is otherwise only available in commercial products: per-provider multi-account DNS management with CNAME alias delegation, a tamper-evident hash-chain audit log for compliance evidence, a built-in OCSP responder and CRL distribution point for self-hosted PKI, a Model Context Protocol server for agentic AI certificate operations, S3-sovereign object storage that avoids US-jurisdiction cloud dependencies, and OIDC/SSO federation — all in a single self-hostable MIT-licensed container. The companion CertMate-ng tier (BSL 1.1) targets multi-tenant and NIS2-aligned enterprise deployments without fragmenting the open-source core.
Self-Hosting
CertMate is released under the MIT License, which grants unrestricted rights to use, modify, distribute, and incorporate the software in commercial products. There are no copyleft obligations, no user-count restrictions, and no requirement to share modifications. The only condition is preserving the copyright notice. Self-hosters and commercial deployments are equally permitted, and the license has no special carve-outs for SaaS use, internal tools, or resale.
Running CertMate yourself means owning the full operational surface: a Docker host or Kubernetes cluster, persistent volumes for certificate and settings storage, an SMTP relay or external notification service, and your own backup strategy on top of CertMate’s built-in atomic snapshots. The renewal scheduler (APScheduler with a SQLAlchemy job store) runs in-process, so uptime of the CertMate container is directly tied to certificate renewal reliability — if the container is down when a 30-day renewal window opens, the job queues and retries, but extended outages require operator attention. Vault, AWS Secrets Manager, or Azure Key Vault integrations add cloud IAM credential management to the operational scope. The project’s active release cadence (100+ releases, 110 commits/month) means frequent updates are available, but applying them is the operator’s responsibility.
For multi-tenant deployments, white-labelling, and NIS2-compliance posture management, the maintainer offers CertMate-ng under BSL 1.1 (source-available, not open-source), accessible by contacting the project author directly. BSL 1.1 restricts competing SaaS use of the codebase but does not affect the open-source MIT core. Compared to managed alternatives such as AWS Certificate Manager or Cloudflare’s certificate services, self-hosted CertMate provides full CA flexibility (including private and EU-sovereign CAs like Actalis) and on-premise key storage, at the cost of managing infrastructure availability, key rotation hygiene, and DR yourself.
Related Apps
Netdata
Monitoring · Devops
Real-time per-second metrics, ML-powered anomaly detection, and zero-config observability for any infrastructure.
Netdata
GPL 3.0Caddy
Devops · Security
The only web server that obtains and renews TLS certificates automatically, with HTTP/1-2-3 support and zero dependency on external runtimes.
Caddy
Apache 2.0Docker (Moby)
Devops · Developer Tools
The open-source container engine at the heart of Docker — a modular toolkit of runtime, build, and networking components for assembling container-based systems.