# Certplane

## Docs

- [Agent configuration reference for Certplane](https://certplane.kippel.org/configuration/agent.md): Every YAML field the Certplane agent reads: state directory, identity enrollment via step-ca, broker connection, managed certificates list, and logging.
- [Broker configuration reference for Certplane](https://certplane.kippel.org/configuration/broker.md): Every YAML field the Certplane broker reads: server TLS and mTLS, policy, ACME issuer, secrets provider, store, audit logging, and rate limits.
- [Secrets management in Certplane](https://certplane.kippel.org/configuration/secrets.md): Configure Certplane's secrets provider to keep DNS tokens and ACME keys out of broker.yml. Choose from env, file, vault, or openbao providers.
- [Issue certificates with Let's Encrypt and DNS-01](https://certplane.kippel.org/guides/lets-encrypt-dns.md): Configure Certplane's broker to obtain publicly-trusted certificates from Let's Encrypt using the dns-01 ACME challenge with Cloudflare.
- [Reload services automatically after certificate renewal](https://certplane.kippel.org/guides/reload-commands.md): Use reload_command in the agent config to restart or reload services automatically whenever Certplane renews and writes a certificate to disk.
- [Store Certplane secrets in HashiCorp Vault](https://certplane.kippel.org/guides/vault-secrets.md): Configure Certplane's broker to read sensitive credentials like DNS API tokens directly from a HashiCorp Vault or OpenBao KV secrets engine.
- [How Certplane works: identity, policy, and certificates](https://certplane.kippel.org/how-it-works.md): A two-phase flow — enrollment then renewal — where each host proves identity to the broker, which enforces policy and calls your public CA via ACME.
- [Certplane: certificate control plane for your infrastructure](https://certplane.kippel.org/introduction.md): Certplane automates TLS certificate issuance and renewal for non-Kubernetes hosts using machine identity, declarative policy, and host-local key generation.
- [Registering hosts in the Certplane policy file](https://certplane.kippel.org/policy/hosts.md): Add hosts to the policy file to authorize certificate requests, mapping each host's identity CN to the profiles it is permitted to request from the broker.
- [Certplane policy: control certificate access](https://certplane.kippel.org/policy/overview.md): The Certplane policy file is the central control document that defines certificate profiles and controls which hosts are permitted to request each profile.
- [Certificate profiles in the Certplane policy file](https://certplane.kippel.org/policy/profiles.md): Define named certificate profiles that set the cert type, DNS names, ACME challenge method, and renewal timing for each class of certificate.
- [Get started with Certplane](https://certplane.kippel.org/quickstart.md): Deploy the broker, enroll your first host with a bootstrap token, and obtain a public TLS certificate end-to-end in a single workflow.
- [Enroll a host with the Certplane agent](https://certplane.kippel.org/setup/agent-enroll.md): Complete the one-time enrollment process that gives a host its machine identity certificate from your internal CA, enabling broker access.
- [Run the Certplane agent renewal loop](https://certplane.kippel.org/setup/agent-run.md): Start certplane-agent run to request service certificates from the broker, write them to disk, run reload commands, and renew before expiry.
- [Deploy the Certplane broker](https://certplane.kippel.org/setup/broker.md): Configure and run certplane-broker: set up TLS, mutual TLS for agents, configure ACME certificate issuance, and point the broker at a policy file.