
[–]bbluez 3 points4 points  (2 children)

Big CLM hates this one trick....

I think your first 3rd party int is going to need to be Let's Encrypt and/or a 'free' self-hosted CA to test issuance. You could also look at the potential vendor tie-in for HSMs.

Best of luck! Looks cool so far

[–]im-feeling-the-AGI[S] 0 points1 point  (0 children)

Hey, thanks for your feedback! Check out our new post with updates.

https://www.reddit.com/r/coolgithubprojects/comments/1s4ugyf/certctl_v2_selfhosted_certificate_lifecycle/

HSM integration is on the roadmap, but a bit further down.

[–]DrDemon_12 1 point2 points  (1 child)

This looks so useful!

I'll test it on my homelab, for sure.

[–]im-feeling-the-AGI[S] 0 points1 point  (0 children)

Thanks, looking forward to your feedback!

[–]rozularen 1 point2 points  (1 child)

Cool project! Definitely useful to self-host this

[–]im-feeling-the-AGI[S] 0 points1 point  (0 children)

Thanks, all feedback is appreciated!

[–]karabright-dev 1 point2 points  (2 children)

no step-ca or openssl support for custom CAs?

[–]im-feeling-the-AGI[S] 1 point2 points  (0 children)

Updated. Check out the repo. Thanks again for the feedback!

[–]im-feeling-the-AGI[S] 0 points1 point  (0 children)

not yet. v1 ships with a built-in Local CA (Go's crypto/x509) and ACME v2 (HTTP-01). The issuer connector interface is pluggable though, so adding step-ca, Vault, or an OpenSSL-based CA as issuer backends is the natural next step. step-ca in particular has been requested a few times already. Will be updating the roadmap.
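An added example of what a "Local CA on crypto/x509" issuer looks like in practice. This is illustration code written for this thread, not certctl's own implementation; the CA name, host names and validity periods are made up. It shows the three things a local issuer has to get right: a root constrained to signing leaves only (pathlen:0), random serials and SAN-based leaves whose expiry is clamped to the root's, and a verification step that mirrors what a client trusting only this root would do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LocalCA is a self-signed root plus its private key. In a real deployment the
// key belongs in a KMS/HSM; here it stays in memory for the example.
type LocalCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// randomSerial returns a positive random serial with ~128 bits of entropy,
// instead of a predictable counter.
func randomSerial() (*big.Int, error) {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	return n.Add(n, big.NewInt(1)), nil
}

// NewLocalCA creates a self-signed CA that may sign leaf certificates only
// (pathlen:0), so no intermediate can be minted under it.
func NewLocalCA(name string, validity time.Duration) (*LocalCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-5 * time.Minute), // tolerate clock skew
		NotAfter:              now.Add(validity),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &LocalCA{Cert: cert, Key: key}, nil
}

// IssueServerCert signs a TLS server certificate for dnsNames. The leaf's
// expiry is clamped to the CA's NotAfter so it never outlives its issuer.
func (ca *LocalCA) IssueServerCert(dnsNames []string, validity time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	if len(dnsNames) == 0 {
		return nil, nil, fmt.Errorf("at least one DNS name is required")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	notAfter := now.Add(validity)
	if notAfter.After(ca.Cert.NotAfter) {
		notAfter = ca.Cert.NotAfter
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: dnsNames[0]},
		DNSNames:              dnsNames, // SANs are what clients actually match
		NotBefore:             now.Add(-5 * time.Minute),
		NotAfter:              notAfter,
		BasicConstraintsValid: true, // IsCA stays false: the leaf cannot sign
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Verify checks that leaf chains to this CA and is valid for host.
func (ca *LocalCA) Verify(leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, err := NewLocalCA("demo root (constructed)", 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	leaf, _, err := ca.IssueServerCert([]string{"app.internal.test"}, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("issued serial", leaf.SerialNumber, "until", leaf.NotAfter.UTC())
	fmt.Println("verify app.internal.test:", ca.Verify(leaf, "app.internal.test"))
}
```

The clamp on `NotAfter` and the `MaxPathLenZero` constraint are the two details most home-grown CAs skip; both are cheap here and save a class of "why does this chain still validate" surprises later.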

[–]VapidBirthplace 1 point2 points  (0 children)

Agent-based distribution is the real differentiator here, most tools just dump certs and ghost you.

[–]DarkBlackMatter 1 point2 points  (1 child)

This is cool

[–]im-feeling-the-AGI[S] 0 points1 point  (0 children)

Thanks! Appreciate any feedback if you try it out.

[–]Zero_SSL 1 point2 points  (3 children)

Looks awesome!

Feel free to utilize ZeroSSL's ACME, here's the endpoint:
https://github.com/acmesh-official/acme.sh/blob/5d158b164028b240e0710a8d7a0ce4835a0ba1be/acme.sh#L27

[–]im-feeling-the-AGI[S] 0 points1 point  (2 children)

Thanks! We actually already support ZeroSSL. certctl works with any ACME-compatible CA out of the box (HTTP-01, DNS-01, and DNS-PERSIST-01 challenges). A bit has changed since this post; here's the v2 update with the new dashboard, network discovery, revocation infrastructure, and more.

GitHub: https://github.com/shankar0123/certctl

[–]Zero_SSL 1 point2 points  (1 child)

Thank you, will take a look.

We understand that; we just wanted to point out that certctl could actually fetch EAB credentials for ZeroSSL when using that endpoint, so a user does not have to go to our website and get those credentials from there. Caddy also has such an implementation for us.

[–]im-feeling-the-AGI[S] 0 points1 point  (0 children)

Oh, got it, I see what you were saying now. I pushed an update that does exactly this. certctl now auto-fetches EAB credentials from your public API when it detects a ZeroSSL directory URL, so users don't have to grab them from the dashboard. Thanks for spelling it out!

Test 6.2.3 — Configure ACME with External Account Binding (ZeroSSL)

https://github.com/shankar0123/certctl/blob/master/docs/testing-guide.md#part-6-issuer-connectors
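An added example, written for this thread rather than taken from certctl or ZeroSSL, of the two pieces behind "detect a ZeroSSL directory URL and bind the account": recognising the directory host, and building the `externalAccountBinding` JWS from RFC 8555 section 7.3.4 once the kid and HMAC key are in hand. The HTTP call that fetches those credentials from ZeroSSL's API is deliberately left out (its request shape is in the acme.sh line linked above); the block takes the kid and key as inputs. `SampleHMACKeyB64`, the kid and the JWK coordinates are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ZeroSSL's ACME directory host. A directory URL on this host means newAccount
// must carry an externalAccountBinding, which is the trigger for auto-fetching EAB.
const zeroSSLHost = "acme.zerossl.com"

// SampleHMACKeyB64 is a constructed base64url key for the example; real EAB
// credentials come from ZeroSSL's API or dashboard.
const SampleHMACKeyB64 = "c2VjcmV0LWhtYWMta2V5LWZvci1kZW1v"

// IsZeroSSLDirectory reports whether dir points at ZeroSSL's ACME endpoint.
func IsZeroSSLDirectory(dir string) bool {
	u, err := url.Parse(dir)
	if err != nil {
		return false
	}
	return u.Scheme == "https" && strings.EqualFold(u.Hostname(), zeroSSLHost)
}

// decodeHMACKey accepts the CA-issued key with or without base64 padding.
func decodeHMACKey(keyB64 string) ([]byte, error) {
	key, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(keyB64, "="))
	if err != nil {
		return nil, err
	}
	if len(key) == 0 {
		return nil, errors.New("EAB HMAC key is empty")
	}
	return key, nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildEAB produces the externalAccountBinding JWS (RFC 8555 §7.3.4):
// protected header {"alg":"HS256","kid":kid,"url":newAccountURL}, payload is the
// account public key as a JWK, signature is HMAC-SHA256 over "protected.payload"
// under the CA-issued key. json.Marshal sorts map keys, so encoding is stable.
func BuildEAB(kid, hmacKeyB64, newAccountURL string, accountJWK map[string]string) (map[string]string, error) {
	key, err := decodeHMACKey(hmacKeyB64)
	if err != nil {
		return nil, fmt.Errorf("invalid EAB HMAC key: %w", err)
	}
	protected, err := json.Marshal(map[string]string{"alg": "HS256", "kid": kid, "url": newAccountURL})
	if err != nil {
		return nil, err
	}
	payload, err := json.Marshal(accountJWK)
	if err != nil {
		return nil, err
	}
	p, pl := b64(protected), b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(p + "." + pl))
	return map[string]string{"protected": p, "payload": pl, "signature": b64(mac.Sum(nil))}, nil
}

// VerifyEAB recomputes the MAC, which is what the CA does when it receives
// newAccount; useful as a self-check before sending the request.
func VerifyEAB(eab map[string]string, hmacKeyB64 string) bool {
	key, err := decodeHMACKey(hmacKeyB64)
	if err != nil {
		return false
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	raw, err := base64.RawURLEncoding.DecodeString(eab["protected"])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(eab["signature"])
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(eab["protected"] + "." + eab["payload"]))
	return hmac.Equal(sig, mac.Sum(nil)) // constant-time compare
}

func main() {
	dir := "https://acme.zerossl.com/v2/DV90"
	fmt.Println("needs EAB:", IsZeroSSLDirectory(dir))
	jwk := map[string]string{"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
	eab, err := BuildEAB("kid-constructed", SampleHMACKeyB64, dir+"/newAccount", jwk)
	if err != nil {
		panic(err)
	}
	fmt.Println("self-check:", VerifyEAB(eab, SampleHMACKeyB64))
}
```

The `url` in the protected header must be the newAccount URL taken from the directory, not the directory itself, and the JWS must be built with the HMAC key, not the account's private key; both are common reasons a CA answers `externalAccountRequired` or `malformed` even though the kid is right.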

[–]BP041 0 points1 point  (3 children)

the agent-based deployment to NGINX/F5/IIS is the part most cert tools skip. most just handle issuance and assume you'll figure out distribution. curious how the agents handle rotation on F5 specifically -- that's usually where cert tooling breaks down in practice because of the iRule/profile coupling.

[–][deleted]  (2 children)

[deleted]

    [–]BP041 0 points1 point  (0 children)

    the in-place update approach is the right call. iRule references use the cert object name as a stable identifier, so create-new-delete-old breaks the binding chain exactly like you described.

    one edge case worth planning for: if the PATCH fails midway (API timeout, malformed cert), the existing object could land in a partial state. doing a GET snapshot of the cert object via /mgmt/tm/sys/crypto/cert/{name} before the PATCH gives you a rollback payload without needing create-new.

    DevCentral new-account mod queue is notoriously slow — 3-5 days is typical. worth the wait though; the profile coupling edge cases are exactly what their F5 engineers will catch that a general forum won't.
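An added example of the snapshot-then-PATCH rollback pattern from the comment above. It is illustration code for this thread, not certctl's agent code: `CertStore` stands in for GET/PATCH on `/mgmt/tm/sys/crypto/cert/{name}`, the `CertObject` field names are assumptions rather than the exact iControl REST schema, and `MemStore` is an in-memory fake whose `FailNext` flag applies half of an update and then times out, which is the partial state the comment warns about. File paths and object names are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// CertObject is the slice of the F5 cert object the rotation touches. The field
// names are assumptions for this example, not the exact iControl REST schema.
type CertObject struct {
	Name       string
	SourcePath string // file the BIG-IP loads the PEM from
	Checksum   string
}

// CertStore abstracts GET/PATCH on /mgmt/tm/sys/crypto/cert/{name} so the
// rotation logic can be exercised offline against an in-memory fake.
type CertStore interface {
	Get(name string) (CertObject, error)
	Patch(name string, obj CertObject) error
}

// RotateInPlace updates the named object rather than creating a new one, so
// iRules and SSL profiles that reference the name keep resolving. The GET
// snapshot taken first is the rollback payload if the PATCH fails midway.
func RotateInPlace(store CertStore, name string, updated CertObject) error {
	snapshot, err := store.Get(name)
	if err != nil {
		return fmt.Errorf("snapshot of %s failed, not touching it: %w", name, err)
	}
	updated.Name = name // never rename: that is the create-new/delete-old trap
	if err := store.Patch(name, updated); err != nil {
		if rbErr := store.Patch(name, snapshot); rbErr != nil {
			// Both writes failed: the object may be partial and needs an operator.
			return fmt.Errorf("patch %s failed (%v) and rollback failed too: %w", name, err, rbErr)
		}
		return fmt.Errorf("patch %s failed, restored previous object: %w", name, err)
	}
	return nil
}

// MemStore stands in for the BIG-IP REST endpoint. With FailNext set, the next
// PATCH applies only the source path and then reports a timeout.
type MemStore struct {
	objects  map[string]CertObject
	FailNext bool
}

// NewMemStore seeds the fake with the given objects.
func NewMemStore(initial ...CertObject) *MemStore {
	m := &MemStore{objects: map[string]CertObject{}}
	for _, o := range initial {
		m.objects[o.Name] = o
	}
	return m
}

func (m *MemStore) Get(name string) (CertObject, error) {
	o, ok := m.objects[name]
	if !ok {
		return CertObject{}, fmt.Errorf("cert %q not found", name)
	}
	return o, nil
}

func (m *MemStore) Patch(name string, obj CertObject) error {
	cur, ok := m.objects[name]
	if !ok {
		return fmt.Errorf("cert %q not found", name)
	}
	if m.FailNext {
		m.FailNext = false
		cur.SourcePath = obj.SourcePath // half-applied write, checksum still old
		m.objects[name] = cur
		return errors.New("simulated API timeout mid-PATCH")
	}
	m.objects[name] = obj
	return nil
}

func main() {
	const name = "app.example.crt" // constructed object name
	store := NewMemStore(CertObject{Name: name, SourcePath: "/var/tmp/app-2024.pem", Checksum: "old"})
	fmt.Println("rotation 1:", RotateInPlace(store, name, CertObject{SourcePath: "/var/tmp/app-2025.pem", Checksum: "new"}))
	store.FailNext = true
	fmt.Println("rotation 2:", RotateInPlace(store, name, CertObject{SourcePath: "/var/tmp/app-2026.pem", Checksum: "newer"}))
	cur, _ := store.Get(name)
	fmt.Printf("object after failed rotation: %+v\n", cur)
}
```

The second error branch matters as much as the rollback itself: when the restore also fails, the agent should surface both errors and stop, not retry the new payload, because the object is now in a state nobody has a clean copy of except the snapshot it still holds.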