Certificate Lifecycle management
▲ 12 r/ssl

Certificate Lifecycle management

hi Guys,
I appreciate the time if you read all of this.
Certificates are one of those things that only get attention when they break something.

An internal service stops working.

A browser starts throwing trust warnings.

A customer-facing cert expires.

Someone asks where the private key is.

Nobody is quite sure who uploaded it, who can access it, or what else depends on it.

That’s the problem CertLocker is trying to solve.

CertLocker is a certificate and access control platform for teams running real infrastructure. The certificate side is built around visibility, control, and lifecycle management rather than just storing PEM

files somewhere and hoping everyone remembers renewal dates.

What CertLocker supports today:

- certificate inventory with search, paging, sorting, and group filters

- upload and management of PEM/CRT certificates

- optional private key storage with protected read paths

- certificate parsing for domains, SANs, issuer, validity dates, and fingerprints

- expiry tracking, including days-until-expiry visibility

- active, expired, and revoked status handling

- certificate download for authorized users

- certificate deletion for authorized users

- certificate tokens for controlled access workflows

- group-scoped certificate visibility

- role-based permissions for viewing, adding, downloading, and deleting certs

- audit logging around certificate actions

- dashboard visibility for renewable/expiring assets

- ACME workflow support for automated certificate operations

- DNS provider management for certificate automation workflows

The bigger idea is that certificates should not be treated as loose files.

They usually sit next to secrets, hosts, SSH access, bastions, service accounts, deployment scripts, and human operators. CertLocker connects those pieces together so a certificate is a managed asset with

ownership, permissions, expiry, audit history, and controlled access.

We're offering free registration and management here trust.certlocker.io
And we do offer an on-prem model. But you can check out the blog as well I'm pretty active and you can see the problems we are solving https://certlocker.io/blog/

u/SuccessFearless2102 — 6 days ago

Found older cards in my attic from 2001 2002

Hi i found these cards in my attic in a tin not sure how much they would be worth it just wanted to know the blue eyes are pretty played but all first edition. I would like to keep them or maybe try collect again. Any help would be great

u/SuccessFearless2102 — 6 days ago

What can I do to get them first customers??

Any tips of getting them first saas customers I have a budget of 150$ and am on all the social media and linkedin. It's a technical production for engineers and IT people. We haven't had much success. It just seems everyone we've reached out to is either at the wrong time for them or they never reply. I ran an ad campaign and got 100 clicks to my CTA page but no registrations.

reddit.com
u/SuccessFearless2102 — 7 days ago
▲ 11 r/devops

Certificate renewal and monitoring

For those who are not running in Kubernetes and have something to manage your SSL certificate renewals, what are you using? Certbot + Let's Encrypt? Windows guys, WinAcme?

How are you monitoring renewal dates? I know blackbox exporter does a good job out of the box.
Thanks

reddit.com
u/SuccessFearless2102 — 7 days ago
▲ 1 r/SaaS

Trying to get the first real CertLocker user / Test users and it’s harder than building the thing

I’ve been building CertLocker with my co-founder and I’m at that annoying stage where the product works, but getting the first proper user is somehow the hard bit. Or even any feedback inside our circles. So just almost giving up but to throw 4 months down the drain

It’s for small infra / DevOps teams that still have certs, secrets and server access spread all over the place.

We're targeting maybe people that our outside the normal top 3 clouds.

My perfect use case but there maybe more is

HAProxy boxes
Windows/IIS certs
internal apps
random VPS servers
OpenStack/private cloud
PEM files sitting around
SSH/RDP access
secrets in config files
spreadsheets for expiry dates
someone manually checking if renewals actually deployed

So if anyone is willing to give it a try that would be awesome. Completely free, hopefully you guys can get some use out of it.
:)

u/SuccessFearless2102 — 7 days ago
▲ 2 r/roastmystartup+1 crossposts

Made a Tool for certificate automation and other Devops Tasks

My friend and I have been working on a tool called CertLocker.

The reason we started this project is that we were having a lot of trouble with certificate renewals and checking certificates. We also noticed that companies we work with would give us their .pem and .ovpn files.

The problem was that secret information was all over the place, in settings, passwords, config files and so on.

So we wanted to build something that could do a few useful things.

We wanted CertLocker to be able to use the ACME protocol to handle certificates, keep secrets safe, manage access to computers and servers, and have a way to track what is happening.

We were doing a lot of work with computer installs, virtual private servers and private clouds.

Do you use tools for each of these things?

I’m aware AWS, GCP and Azure have a lot of this built in, but that does not cover all bare metal, VPS, private cloud or cases where you do not want vendor lock-in.

Do you think CertLocker is trying to do too much in one tool?

Thanks, looking forward to feeback
https://youtu.be/nXZHaCNfBTs 90 seconds video to give you visual

u/SuccessFearless2102 — 8 days ago
▲ 0 r/devops

HAProxy native ACME worked. Proving it served the new cert was the hard part.

Main Post

I recently spent some time getting HAProxy 3.3 ACME to work with a real certificate delivery flow.

It wasn't a run certbot and copy a file" setup. I wanted HAProxy to start fetch a certificate through ACME keep it renewed and serve it at the edge without any help.

It works now. I learned a hard lesson:

"ACME succeeded" and "production is serving the right certificate" are not the same thing.

The issues I ran into were all things that matter at 2am:

  • HAProxy needs a certificate file before it can bind to port 443 even if ACME is going to replace it later.

  • If the first file is a throwaway self-signed cert you need to be clear about whether HAProxy's reusing that key or the real key.

  • HAProxy can fetch a certificate. Then discard it if the public key does not match the private key it used for the CSR.

  • reuse-key on matters if you expect HAProxy to reuse an existing PEM key of generating a fresh one per order.

  • Key type and curve have to match. ECDSA and bits 256 are not the same as some EC key.

  • The admin socket can exist before HAProxy is actually listening on it. If your startup script fires one command and gives up on Connection refused you can boot into a self-signed cert forever.

  • A config check is not always the same as validating the startup path.

  • ACME error responses need nonce handling or one real error turns into a pile of invalid nonce noise.

  • The file on disk is less important than what the process has loaded and what clients receive over TLS.

The private key mismatch was the problem.

HAProxys ACME flow is like this:

  1. Generate a key or reuse one from an existing PEM if configured.

  2. Build a CSR with the public key.

  3. Send the ACME order/finalize flow.

  4. Download the certificate.

  5. Check that the downloaded certificates key matches the private key used for the CSR.

  6. If it does not match, discard it.

That behaviour makes sense. The problem was our certificate source returned a -provisioned certificate from a vault rather than issuing a fresh certificate for whatever CSR HAProxy had just generated.

So HAProxy did the ACME flow downloaded the cert decided the key did not match and kept serving the old material. From the outside a lot of things looked healthy until you checked the endpoint.

The solution was to split the PEM roles:

  • bootstrap.pem exists so HAProxy can bind on first start.

  • acme.pem is the ACME staging material. Contains the private key HAProxy should reuse for the CSR.

  • live.pem is the thing bound to port 443.

On startup:

  1. Seed the ACME private key before HAProxy starts.

  2. Validate that the staged key and certificate public key match.

  3. Start HAProxy with live.pem.

  4. Trigger ACME through the runtime/admin socket once HAProxy is actually accepting socket connections.

  5. Let HAProxy stage the ACME result.

  6. Independently verify the staged key/cert match.

  7. Promote the verified bundle into live.pem.

  8. Probe the TLS endpoint and record what it is serving.

The verification commands were important:


# Is the staged ACME cert loaded?

echo "show ssl cert @cert-store/name" | socat stdio /var/run/haproxy/admin.sock

# Is the cert loaded?

echo "show ssl cert /usr/local/etc/haproxy/certs/live.pem" | socat stdio /var/run/haproxy/admin.sock

# What does the outside world actually get?

s_client -connect 127.0.0.1:443 -servername example.com </dev/null 2>&1 \

| grep -E "subject|issuer|Verify|Protocol|Cipher"

The main thing I would change earlier is failing loudly before HAProxy starts if the seeded key material is wrong. A running HAProxy process with a bootstrap cert is worse than a dead deploy, in this case because it looks healthy until someone checks the handshake.

For people running HAProxy at the edge: how do you treat certificate automation?

Do you consider the job done when ACME renews, when HAProxy reloads or only after a probe confirms what port 443 is actually serving?

If you are using HAProxy native ACME already are you doing runtime API updates, full reloads or something else?

reddit.com
u/SuccessFearless2102 — 8 days ago

Brutal Honest Opinions please

We built CertLocker because certs, secrets, SSH and RDP access were always messier in the real world than they looked on paper.

Hey all,

I’m Sean, a DevOps engineer and one of the people building CertLocker.

A lot of my background has been in finance, trading and banking-style infrastructure. In those environments, trust matters, audit matters, uptime matters — but in reality, you still see the same problems everywhere:

Certificates stored in random places.
Shared passwords passed around.
SSH keys living too long.
RDP access with very little visibility.
HAProxy cert renewals held together by scripts.
Windows servers, OpenStack, VMs, bare metal and internal apps sitting outside Kubernetes.
Auditors asking awkward but fair questions.

That is really why we started building CertLocker.

Most tools we looked at were either Kubernetes-first, too enterprise-heavy, or solved only one piece of the problem. We wanted something for the infrastructure teams managing the messy middle: real servers, real certs, real secrets, real access, and real audit requirements.

CertLocker brings those operational trust pieces together in one place:

  • TLS certificate inventory and expiry tracking
  • ACME automation
  • HAProxy certificate delivery
  • Secrets and private secrets
  • SSH access tokens
  • Browser-based SSH access
  • Browser-based RDP / remote desktop access
  • Bastion access
  • Endpoint probes
  • Groups, RBAC and audit trails
  • SaaS or on-prem / VPS install

We’re now looking for beta testers and early feedback from DevOps engineers, SREs, sysadmins, MSPs, infrastructure teams, and anyone who has had to deal with certificate renewals, secrets, SSH/RDP access, bastions, audits or “temporary” scripts that became production-critical.

This is not a polished sales pitch. We genuinely want to know:

Would this solve a real pain you’ve seen?

Or would you already solve this with Vault, step-ca, Ansible, scripts, Guacamole, cert-manager, password managers, or something else?

Site: https://certlocker.io
Technical write-ups: https://certlocker.io/blog

If this sounds relevant to your world, I’d love to hear your thoughts, feedback, objections, or use cases.

reddit.com
u/SuccessFearless2102 — 9 days ago