broker.yml. The authoritative source is schemas/broker.schema.json. Most editors (VS Code, JetBrains) will load it automatically if you reference the schema with a YAML # yaml-language-server: $schema=... comment or via your editor’s schema mapping.
Required top-level keys: server, policy, issuer.
server
| Field | Type | Default | Notes |
|---|---|---|---|
address | string | :8443 | Listen address. |
tls.cert | string | — | Required. Path to PEM server certificate. |
tls.key | string | — | Required. Path to PEM server key. |
tls.min_version | enum: 1.2, 1.3 | 1.2 | Minimum TLS version. |
mtls.agent_ca_bundle | string | — | Required. CA bundle used to verify agent identity certificates. |
read_header_timeout | duration | 5s | |
read_timeout | duration | 10s | |
write_timeout | duration | 60s | |
idle_timeout | duration | 120s |
address accepts any Go net.Listen syntax. Use :8443 to bind all interfaces; use 127.0.0.1:8443 and front with a reverse proxy if you need a custom termination model — keep in mind the broker requires mTLS on the connection that reaches it.
policy
| Field | Type | Default | Notes |
|---|---|---|---|
path | string | — | Required. Policy YAML file. |
watch | bool | false | Reload the policy on disk changes without restart. |
issuer
Currently acme is the only provider.
| Field | Type | Default | Notes |
|---|---|---|---|
provider | enum: acme | acme | |
acme.directory_url | string | — | Required. Use the staging directory while testing: https://acme-staging-v02.api.letsencrypt.org/directory. |
acme.account_email | string | — | Required. |
acme.account_key | string | — | Required. Path to ACME account private key. Created by the broker on first run if missing. |
acme.dns_provider | enum: cloudflare, httpreq | — | Required. DNS provider used for dns-01 challenges. |
acme.preferred_chain | string | — | Optional; defaults to the CA’s preferred chain. |
secrets — see below and Let’s Encrypt + dns-01.
secrets
| Field | Type | Default | Notes |
|---|---|---|---|
provider | enum: env, file, vault, openbao | env | |
vault.address | string | — | Required when provider is vault or openbao. |
vault.token | string | — | Inline token. Prefer token_file. |
vault.token_file | string | — | Path containing the Vault token. |
vault.mount_path | string | secret | KV engine mount. |
vault.kv_version | enum: 1, 2 | 2 | |
vault.key | string | value | Key inside the secret to read. |
vault.timeout | duration | 10s | |
vault.namespace | string | — | Vault Enterprise only. |
store
| Field | Type | Default | Notes |
|---|---|---|---|
driver | enum: sqlite, file | sqlite | |
path | string | /var/lib/certplane/broker.db | SQLite DB or JSON cache file. |
audit
| Field | Type | Default | Notes |
|---|---|---|---|
enabled | bool | true | |
failure_mode | enum | fail_open | If audit recording fails, fail_closed rejects the issuance request; fail_open permits it. |
mirror_to_log | bool | false | Also emit each audit event as a structured log line. |
certplane-broker -c <config> audit tail [--limit N].
rate_limits
0 disables the corresponding limit. Negative values are invalid.
logging
info, json, stdout.
Validation
certplane-broker rejects the config on startup if:
- Any required field is missing.
tls.min_versionis not1.2or1.3.- An ACME field required by
provider: acmeis missing. secrets.providerisvault/openbaowithoutvault.addressor with an invalidkv_version.store.driveris notsqliteorfile.audit.failure_modeis notfail_openorfail_closed.- Either rate-limit value is negative.