Skip to main content
Certplane is a lightweight certificate control plane that manages public TLS certificates for your servers and services — without requiring Kubernetes or any cloud-specific tooling. It uses machine identity (issued by your internal CA) to authenticate hosts, enforces a declarative policy file that controls exactly which certificates each host can request, and keeps private keys local to each machine at all times.

Quick start

Install the broker and agent, enroll your first host, and get a certificate end-to-end.

How it works

Understand the enrollment and renewal flow before you deploy.

Ansible roles

Deploy the broker and agent with the official certplane_broker and certplane_agent roles.

Policy reference

Define which hosts can request which certificates using the declarative policy file.

Key features

  • IaC-first design — Every piece of Certplane configuration (broker.yml, policy.yml, agent.yml) is a plain YAML file rendered from your inventory by your existing config management tool. There is no web UI or runtime API for policy changes. Official Ansible roles ship in the ansible/ directory of the repo. See the Ansible roles guide.
  • Host-local key generation — Private keys are generated on each host and never transmitted. Only CSRs leave the machine.
  • Machine identity authentication — Agents authenticate to the broker with mTLS using identity certificates issued by your internal CA (step-ca).
  • Declarative policy — A single YAML file controls which host identities can request which certificate profiles. With policy.watch: true the broker reloads policy changes in place, without a restart.
  • Automatic renewal — The agent monitors certificate expiry and renews ahead of time. Renewal windows are configurable per certificate.
  • Post-renewal hooks — Run any shell command after a certificate is installed (e.g., systemctl reload nginx).
  • Audit log — Every issuance decision is recorded by the broker and queryable with certplane-broker audit tail.

What you get out of the box

ComponentWhat it does
certplane-brokerCentral mTLS API that authenticates agents, enforces policy, talks to ACME, caches issued certificates, and records audit events.
certplane-agentRuns on each host. Enrolls with step-ca, generates service keys locally, submits CSRs to the broker, installs returned bundles, and runs reload hooks.
JSON Schemasbroker.schema.json, agent.schema.json, and policy.schema.json for editor validation.
Ansible rolescertplane_broker and certplane_agent for end-to-end deployment.