Prerequisites
Before you begin, make sure you have the following in place:
- step-ca — A running step-ca instance reachable by your hosts. This is the internal CA that issues agent identity certificates.
- Let’s Encrypt access — The broker uses ACME to obtain public certificates. You need a valid email address for the ACME account.
- A DNS provider supported for dns-01 — Currently
cloudflareorhttpreq. Wildcard profiles requiredns-01. - The Certplane binaries —
certplane-brokeron your broker host andcertplane-agenton each managed host. Build withmakefrom the source repo.
Deploy the broker
The broker is the central server that enforces policy and obtains certificates from your public CA. Create The The broker listens on
/etc/certplane/broker.yml (this mirrors examples/config/broker.yml):broker.yml
server.mtls.agent_ca_bundle must be the CA bundle that signed (or will sign) your agent identity certificates — typically the step-ca root or intermediate.Start the broker::8443 by default and requires mTLS from every connecting agent. For the full configuration reference, see Broker configuration.Create a policy file
The policy file defines which certificate profiles exist and which hosts may request each one. Create For the full reference, see Policy overview.
/etc/certplane/policy.yml:policy.yml
- profiles — Each named profile sets
type(wildcardormulti_san), alloweddns_names, ACME settings (acme.challengeandacme.credentials), and an optionalrenew_beforewindow. - hosts — Each entry maps a label to an
identity(the CN of the identity certificate issued bystep-ca) and listsprofilesthe host may request. Requests for any other profile are rejected.
Enroll your first host
Enrollment gives a host its identity certificate. The agent contacts Write the token to the host at the path referenced in the agent config (e.g., Run enrollment:The agent generates
step-ca once using a short-lived bootstrap token, generates an ECDSA key pair locally, and stores the resulting identity.crt.Generate a bootstrap token on your step-ca instance:/etc/certplane/bootstrap-token, mode 0600).Create the agent config at /etc/certplane/agent.yml (mirrors examples/config/agent.yml):agent.yml
identity.key locally, creates a CSR, and submits it to step-ca along with the bootstrap token. On success, identity.crt is written and the bootstrap token file is deleted.The bootstrap token is consumed during enrollment and cannot be reused. If enrollment fails and you need to retry, generate a new token from
step-ca. See Agent enrollment for troubleshooting.Run the agent
Once the host is enrolled, run the renewal loop. The agent is a one-shot binary — run it on a timer (the Ansible role ships a On each run, the agent:
systemd timer; see Running the agent for the standalone unit).- Renews the identity certificate if it expires within
identity.renew_before. - For each entry under
certificates:- Ensures a local ECDSA service key exists at
key(generated if missing, reused otherwise). - Skips the certificate if a valid one exists and is not yet within
renew_beforeof expiry. - Otherwise builds a CSR with the configured
dns_names, calls the broker over mTLS, validates that the returned bundle matches the local key and requested DNS names, writescert,chain, andfullchain, and runsreload_commandif set.
- Ensures a local ECDSA service key exists at
Next steps
- Ansible roles guide — production deployment with the official roles.
- Broker configuration and Agent configuration — full schema reference.
- Policy overview — profile and host model.
- Let’s Encrypt + dns-01 — DNS provider credentials for wildcards.