
Documentation Index

Fetch the complete documentation index at: https://certplane.kippel.org/llms.txt

Use this file to discover all available pages before exploring further.

Certplane is a lightweight certificate control plane that manages public TLS certificates for your servers and services — without requiring Kubernetes or any cloud-specific tooling. It uses machine identity (issued by your internal CA) to authenticate hosts, enforces a declarative policy file that controls exactly which certificates each host can request, and keeps private keys local to each machine at all times.

Quick Start

Install the agent and broker, enroll your first host, and get a certificate in minutes.

How It Works

Understand the enrollment and renewal flow before you deploy.

Broker Setup

Configure and run the central broker that issues certificates to your agents.

Policy Reference

Define which hosts can request which certificates using the declarative policy file.

Key features

  • Host-local key generation — Private keys are generated on each host and never transmitted. Only CSRs leave the machine.
  • Machine identity authentication — Agents authenticate to the broker with mTLS using identity certificates issued by your internal CA (step-ca).
  • Declarative policy — A single YAML file controls which host identities can request which certificate profiles. Changes take effect without restarting the broker.
  • Automatic renewal — The agent monitors certificate expiry and renews ahead of time, with configurable renewal windows.
  • Post-renewal hooks — Run any shell command after a certificate is installed (e.g., systemctl reload nginx).
  • ACME integration — The broker obtains public certificates from Let’s Encrypt using dns-01 or http-01 challenges.
  • Flexible secrets — Store sensitive values (DNS API tokens, ACME account keys) in environment variables, files, HashiCorp Vault, or OpenBao.

Components

Certplane consists of two binaries:
Component         Role
certplane-agent   Runs on each host. Generates keys, requests certificates via the broker, renews them automatically.
certplane-broker  Central server. Enforces policy, communicates with your public CA via ACME, caches issued certificates.
1. Deploy the broker

   Set up the broker with your ACME provider and policy file. See Broker Setup.

2. Enroll your first host

   Generate a bootstrap token, write it to your host, and run certplane-agent enroll. See Agent Enrollment.

3. Start the agent

   Run certplane-agent run to start the certificate renewal loop. See Running the Agent.

4. Configure your policy

   Define certificate profiles and authorize hosts in your policy file. See Policy Overview.