certplane-broker on a single host. For the full schema reference, see Broker configuration. To automate everything below with Ansible, see the Ansible roles guide.
Prerequisites
- A reachable
step-ca(used to issue agent identities — the broker only needs its CA bundle, not credentials). - A TLS server certificate and key for the broker’s mTLS API. This can be issued by
step-caor any other CA your agents will trust. - The CA bundle that signs your agent identity certificates (typically the
step-caroot or intermediate). - A supported ACME provider account email — the broker creates the ACME account on first use.
- DNS provider credentials for
dns-01challenges, if you plan to issue wildcards. Supported:cloudflare,httpreq.
Filesystem layout
The recommended layout, matching thecertplane_broker Ansible role:
certplane system user owns /var/lib/certplane and the ACME account key.
Minimum config
/etc/certplane/broker.yml
schemas/broker.schema.json.
CLI
The broker binary is a Cobra app with the global-c / --config flag and subcommands:
| Command | Purpose |
|---|---|
certplane-broker -c <config> serve | Run the HTTPS/mTLS API. |
certplane-broker -c <config> policy validate --policy <path> | Compile and validate a policy file. Prints the policy hash plus profile and identity counts. |
certplane-broker -c <config> certs list | Dump cached certificate bundles as JSON. |
certplane-broker -c <config> audit tail [--limit N] | Stream recent audit events as JSON lines. |
-c is required for every subcommand.
systemd unit
Thecertplane_broker role ships this unit. To run by hand:
/etc/systemd/system/certplane-broker.service
Verify it is running
/readyz returns 503 policy not loaded until the policy file is present and parses.
The issuance endpoint (POST /v1/certificates) requires a valid agent client certificate and is normally only called by certplane-agent.
Policy hot reload
Setpolicy.watch: true to reload the policy file in place when its contents change on disk. No restart is needed. The broker logs the new policy hash, which you can correlate with the audit log.
Next steps
- Agent enrollment — bring up your first host.
- Policy overview — write the policy file.
- Vault and OpenBao secrets — pull DNS credentials from Vault instead of env.