Quick start
Install the broker and agent, enroll your first host, and get a certificate end-to-end.
How it works
Understand the enrollment and renewal flow before you deploy.
Ansible roles
Deploy the broker and agent with the official
certplane_broker and certplane_agent roles.Policy reference
Define which hosts can request which certificates using the declarative policy file.
Key features
- IaC-first design — Every piece of Certplane configuration (
broker.yml,policy.yml,agent.yml) is a plain YAML file rendered from your inventory by your existing config management tool. There is no web UI or runtime API for policy changes. Official Ansible roles ship in theansible/directory of the repo. See the Ansible roles guide. - Host-local key generation — Private keys are generated on each host and never transmitted. Only CSRs leave the machine.
- Machine identity authentication — Agents authenticate to the broker with mTLS using identity certificates issued by your internal CA (
step-ca). - Declarative policy — A single YAML file controls which host identities can request which certificate profiles. With
policy.watch: truethe broker reloads policy changes in place, without a restart. - Automatic renewal — The agent monitors certificate expiry and renews ahead of time. Renewal windows are configurable per certificate.
- Post-renewal hooks — Run any shell command after a certificate is installed (e.g.,
systemctl reload nginx). - Audit log — Every issuance decision is recorded by the broker and queryable with
certplane-broker audit tail.
What you get out of the box
| Component | What it does |
|---|---|
certplane-broker | Central mTLS API that authenticates agents, enforces policy, talks to ACME, caches issued certificates, and records audit events. |
certplane-agent | Runs on each host. Enrolls with step-ca, generates service keys locally, submits CSRs to the broker, installs returned bundles, and runs reload hooks. |
| JSON Schemas | broker.schema.json, agent.schema.json, and policy.schema.json for editor validation. |
| Ansible roles | certplane_broker and certplane_agent for end-to-end deployment. |