CertMate is an open-source SSL certificate management system designed for enterprises and DevOps teams managing certificates across distributed infrastructure. It solves the complexity of manual certificate handling by automating issuance, renewal, and deployment with zero downtime, supporting multiple DNS providers and certificate authorities. Built for modern environments, it integrates with Cloudflare, AWS Route53, Azure DNS, Google Cloud DNS, and private CAs, while providing a secure REST API and web dashboard for centralized control.
The system is containerized with Docker and Kubernetes compatibility, uses Python 3.9+, and supports pluggable storage backends such as HashiCorp Vault, AWS Secrets Manager, and Azure Key Vault. It includes real-time monitoring via SSE, audit logging, scoped API keys, and automated deploy hooks to reload Nginx/Apache. All operations are secured with RBAC, HMAC-signed webhooks, and restrictive file permissions (600/700).
What You Get
- Multi-DNS Provider Support - Supports 22 DNS providers including Cloudflare, AWS Route53, Azure DNS, Google Cloud DNS, DigitalOcean, Hetzner, GoDaddy, and PowerDNS with multi-account support for staging/production separation.
- Multiple CA Providers - Works with Let’s Encrypt (free), DigiCert ACME with External Account Binding (EAB), and Private CAs (e.g., step-ca) with custom trust bundles and ACME compatibility.
- Automatic Certificate Renewal - Certificates renew automatically 30 days before expiry with intelligent scheduling and deploy hooks to reload Nginx/Apache or run custom scripts.
- REST API with Swagger/OpenAPI - Full programmatic control via REST endpoints with interactive documentation at /docs/ and /redoc/, including certificate creation, backup, and DNS provider configuration.
- Role-Based Access Control (RBAC) - Three-tier permissions (viewer, operator, admin) with scoped API keys and bearer token authentication for secure access control.
- Certificate Storage Backends - Supports local filesystem (600/700 permissions), Azure Key Vault, AWS Secrets Manager, HashiCorp Vault, and Infisical with migration and backward compatibility.
- Web Dashboard with Real-Time Updates - Modern UI with SSE-powered live status, command palette (Cmd+K/Ctrl+K), keyboard shortcuts, dark mode, and activity timeline for all certificate events.
- Unified Backup & Recovery - Atomic snapshots of certificates and settings with automatic and manual backup creation, configurable retention policies, and simple restore via API or UI.
- Deploy Hooks & Webhooks - Execute shell commands post-issuance (e.g., systemctl reload nginx) and send HMAC-signed (SHA-256) webhooks to Slack, Discord, or custom endpoints.
- Client Certificate Management - Full lifecycle support for client certificates including OCSP responder, CRL distribution, batch operations, and audit logging.
- Multi-Account Support - Manage multiple DNS provider accounts per provider (e.g., separate Cloudflare accounts for prod and staging) with domain alias and CNAME delegation for ACME challenges.
- Monitoring & Logging - Prometheus metrics, structured JSON logging, rate limit awareness for Let’s Encrypt, and audit logs tracking all certificate lifecycle events.
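A receiver-side check for the HMAC-signed (SHA-256) webhooks listed above, written here as an added example rather than CertMate's own code: the header name, shared secret and event body are assumptions, and the point is that a custom endpoint must recompute the tag over the raw body and compare it in constant time before acting on the event.

```python
import hmac
import hashlib
import json

# Assumed (not from the page): the tag travels in an "X-Signature" header
# as a hex-encoded HMAC-SHA256 computed over the raw request body.
SIGNATURE_HEADER = "X-Signature"

def sign_payload(secret: bytes, body: bytes) -> str:
    """Compute the hex HMAC-SHA256 tag a sender attaches to a webhook body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_webhook(secret: bytes, headers: dict, body: bytes) -> bool:
    """Return True only if the header tag matches the tag recomputed over the raw body.

    hmac.compare_digest avoids leaking timing information; a missing or
    malformed header is a plain failure rather than an exception.
    """
    provided = headers.get(SIGNATURE_HEADER)
    if not provided:
        return False
    expected = sign_payload(secret, body).encode()
    return hmac.compare_digest(expected, provided.strip().lower().encode())

def handle_event(secret: bytes, headers: dict, body: bytes) -> dict:
    """Parse a certificate-lifecycle event only after its signature checks out."""
    if not verify_webhook(secret, headers, body):
        return {"status": "rejected", "reason": "bad signature"}
    event = json.loads(body)
    return {"status": "accepted", "event": event.get("event"), "domain": event.get("domain")}

# Constructed sample: a renewal notification such as a custom endpoint might receive.
SECRET = b"example-shared-secret"
SAMPLE_BODY = json.dumps({"event": "certificate.renewed", "domain": "app.example.com"}).encode()

if __name__ == "__main__":
    good = {SIGNATURE_HEADER: sign_payload(SECRET, SAMPLE_BODY)}
    print(handle_event(SECRET, good, SAMPLE_BODY))
    # Same header, altered body: the recomputed tag no longer matches.
    tampered = SAMPLE_BODY.replace(b"app.example.com", b"other.example.com")
    print(handle_event(SECRET, good, tampered))
```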
Common Use Cases
- Managing certificates across multi-cloud environments - A DevOps team uses CertMate to automate TLS certificates across AWS, Azure, and GCP DNS zones with separate accounts for staging and production, ensuring consistent, zero-downtime renewals.
- Running a private PKI for internal services - An enterprise IT team deploys CertMate with a private CA (step-ca) to issue and manage certificates for microservices, with automatic CRL and OCSP support and Vault-backed storage.
- Automating SSL for SaaS applications with custom domains - A SaaS provider uses CertMate to issue wildcard certificates for customer domains via Cloudflare and GoDaddy DNS, with deploy hooks to reload their load balancer after renewal.
- Securing Kubernetes clusters with automated cert management - A platform engineer integrates CertMate into their Kubernetes cluster to automatically request and renew certificates from Let’s Encrypt using AWS Route53, with secrets stored in HashiCorp Vault.
Under The Hood
Architecture
- Modular Flask application built with a factory pattern that cleanly separates configuration, routing, and business logic through dependency injection
- Layered design with REST endpoints delegating to service-layer components, which interact with domain models and external APIs while abstracting persistence via file-based storage
- Centralized dependency container manages singleton services like metrics, logging, and certificate handlers, eliminating global state and promoting testability
- Background tasks are orchestrated via APScheduler integrated into the container, with health checks and production-grade WSGI serving ensuring reliability
Tech Stack
- Python 3.12 backend powered by Flask and Flask-RESTx for REST APIs with built-in Swagger documentation
- Production-ready WSGI serving with Gunicorn, enhanced by tini for signal handling and Docker multi-stage builds for minimal, secure runtime images
- Frontend assets managed through Tailwind CSS with npm-based build pipelines, decoupled from the backend
- Comprehensive testing infrastructure with pytest, parametrized tests, and Docker-based end-to-end scenarios
- Infrastructure orchestrated via docker-compose with optional reverse proxy, health endpoints, and strict container security policies
Code Quality
- Extensive test coverage spanning unit, integration, and end-to-end scenarios with clear separation of mocked and real-environment tests
- Robust error handling with structured validation, masked sensitive data handling, and graceful degradation for misconfigurations
- Clean, modular codebase with consistent naming, well-defined layer boundaries, and explicit configuration schemas
- Strong type safety and input validation prevent malformed secrets from being persisted, supported by comprehensive linting and regression testing
What Makes It Unique
- Native ACME-DNS integration enables fully automated DNS validation without exposing primary DNS credentials
- MaskedString decorator automatically masks sensitive values in API responses, preventing accidental leakage of secrets
- Extensible plugin architecture allows seamless addition of niche DNS providers through declarative models
- Built-in OCSP responder and CRL manager provide real-time revocation enforcement without external dependencies
- Enterprise-grade client certificate management with usage-based classification and automated revocation workflows