> ## Documentation Index
> Fetch the complete documentation index at: https://certplane.kippel.org/llms.txt
> Use this file to discover all available pages before exploring further.

# Certplane: certificate control plane for your infrastructure

> Certplane automates TLS certificate issuance and renewal for non-Kubernetes hosts using machine identity, declarative policy, and host-local key generation.

Certplane is a lightweight certificate control plane that manages public TLS certificates for your servers and services — without requiring Kubernetes or any cloud-specific tooling. It uses machine identity (issued by your internal CA) to authenticate hosts, enforces a declarative policy file that controls exactly which certificates each host can request, and keeps private keys local to each machine at all times.

<CardGroup cols={2}>
  <Card title="Quick start" icon="rocket" href="/quickstart">
    Install the broker and agent, enroll your first host, and get a certificate end-to-end.
  </Card>

  <Card title="How it works" icon="circle-info" href="/how-it-works">
    Understand the enrollment and renewal flow before you deploy.
  </Card>

  <Card title="Ansible roles" icon="server" href="/guides/ansible">
    Deploy the broker and agent with the official `certplane_broker` and `certplane_agent` roles.
  </Card>

  <Card title="Policy reference" icon="shield-check" href="/policy/overview">
    Define which hosts can request which certificates using the declarative policy file.
  </Card>
</CardGroup>

## Key features

* **IaC-first design** — Every piece of Certplane configuration (`broker.yml`, `policy.yml`, `agent.yml`) is a plain YAML file rendered from your inventory by your existing config management tool. There is no web UI or runtime API for policy changes. Official Ansible roles ship in the [`ansible/`](https://github.com/TaconeoMental/Certplane/tree/main/ansible) directory of the repo. See the [Ansible roles guide](/guides/ansible).
* **Host-local key generation** — Private keys are generated on each host and never transmitted. Only CSRs leave the machine.
* **Machine identity authentication** — Agents authenticate to the broker with mTLS using identity certificates issued by your internal CA (`step-ca`).
* **Declarative policy** — A single YAML file controls which host identities can request which certificate profiles. With `policy.watch: true` the broker reloads policy changes in place, without a restart.
* **Automatic renewal** — The agent monitors certificate expiry and renews ahead of time. Renewal windows are configurable per certificate.
* **Post-renewal hooks** — Run any shell command after a certificate is installed (e.g., `systemctl reload nginx`).
* **Audit log** — Every issuance decision is recorded by the broker and queryable with `certplane-broker audit tail`.

## What you get out of the box

| Component          | What it does                                                                                                                                                                                                                                                                                                                                       |
| ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `certplane-broker` | Central mTLS API that authenticates agents, enforces policy, talks to ACME, caches issued certificates, and records audit events.                                                                                                                                                                                                                  |
| `certplane-agent`  | Runs on each host. Enrolls with `step-ca`, generates service keys locally, submits CSRs to the broker, installs returned bundles, and runs reload hooks.                                                                                                                                                                                           |
| JSON Schemas       | [`broker.schema.json`](https://github.com/TaconeoMental/Certplane/blob/main/schemas/broker.schema.json), [`agent.schema.json`](https://github.com/TaconeoMental/Certplane/blob/main/schemas/agent.schema.json), and [`policy.schema.json`](https://github.com/TaconeoMental/Certplane/blob/main/schemas/policy.schema.json) for editor validation. |
| Ansible roles      | `certplane_broker` and `certplane_agent` for end-to-end deployment.                                                                                                                                                                                                                                                                                |
