▲ 12 r/ssl

Certificate Lifecycle management

Hi guys,
I appreciate the time if you read all of this.
Certificates are one of those things that only get attention when they break something.

An internal service stops working.

A browser starts throwing trust warnings.

A customer-facing cert expires.

Someone asks where the private key is.

Nobody is quite sure who uploaded it, who can access it, or what else depends on it.

That’s the problem CertLocker is trying to solve.

CertLocker is a certificate and access control platform for teams running real infrastructure. The certificate side is built around visibility, control, and lifecycle management rather than just storing PEM files somewhere and hoping everyone remembers renewal dates.

What CertLocker supports today:

- certificate inventory with search, paging, sorting, and group filters

- upload and management of PEM/CRT certificates

- optional private key storage with protected read paths

- certificate parsing for domains, SANs, issuer, validity dates, and fingerprints

- expiry tracking, including days-until-expiry visibility

- active, expired, and revoked status handling

- certificate download for authorized users

- certificate deletion for authorized users

- certificate tokens for controlled access workflows

- group-scoped certificate visibility

- role-based permissions for viewing, adding, downloading, and deleting certs

- audit logging around certificate actions

- dashboard visibility for renewable/expiring assets

- ACME workflow support for automated certificate operations

- DNS provider management for certificate automation workflows

The bigger idea is that certificates should not be treated as loose files.

They usually sit next to secrets, hosts, SSH access, bastions, service accounts, deployment scripts, and human operators. CertLocker connects those pieces together so a certificate is a managed asset with ownership, permissions, expiry, audit history, and controlled access.

We're offering free registration and management here: trust.certlocker.io
We also offer an on-prem model. You can check out the blog as well; I'm pretty active there, and you can see the problems we are solving: https://certlocker.io/blog/

u/SuccessFearless2102 — 6 days ago
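The inventory fields the post lists (SANs, issuer, validity dates, fingerprint, days until expiry, active/expired status) all come straight out of the certificate itself. The following is an added example, not CertLocker's code (which is not shown in the post): a small Go inventory parser built on crypto/x509 that also flags the case the post alludes to, a private key pasted into the same upload as the certificate. The sample certificate, its key, the hostnames and the 30-day renewal window are all constructed here for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertRecord is the inventory row an upload would produce.
type CertRecord struct {
	Subject, Issuer, Serial, SHA256 string
	DNSNames                        []string
	NotBefore, NotAfter             time.Time
	PrivateKeyBundled               bool // a key pasted next to the cert is a secret, not metadata
}

// ParsePEMBundle inventories the first CERTIFICATE block of an upload and flags any PRIVATE KEY
// block found anywhere in the same file (a common accident when a combined .pem is pasted).
func ParsePEMBundle(data []byte) (*CertRecord, error) {
	rec := &CertRecord{}
	var leaf *x509.Certificate
	for {
		block, rest := pem.Decode(data)
		if block == nil {
			break
		}
		data = rest
		switch {
		case strings.HasSuffix(block.Type, "PRIVATE KEY"): // EC / RSA / ENCRYPTED PRIVATE KEY
			rec.PrivateKeyBundled = true
		case block.Type == "CERTIFICATE" && leaf == nil:
			c, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, fmt.Errorf("bad CERTIFICATE block: %w", err)
			}
			leaf = c
		}
	}
	if leaf == nil {
		return nil, errors.New("no CERTIFICATE block found")
	}
	sum := sha256.Sum256(leaf.Raw)
	rec.Subject, rec.Issuer = leaf.Subject.String(), leaf.Issuer.String()
	rec.Serial, rec.SHA256 = leaf.SerialNumber.Text(16), hex.EncodeToString(sum[:])
	rec.DNSNames, rec.NotBefore, rec.NotAfter = leaf.DNSNames, leaf.NotBefore, leaf.NotAfter
	return rec, nil
}

// Status classifies the record at 'now'; warnDays is the renewal window a dashboard would highlight.
func (r *CertRecord) Status(now time.Time, warnDays int) (status string, daysLeft int) {
	daysLeft = int(r.NotAfter.Sub(now).Hours() / 24)
	switch {
	case now.Before(r.NotBefore):
		return "not-yet-valid", daysLeft
	case now.After(r.NotAfter):
		return "expired", daysLeft
	case daysLeft <= warnDays:
		return "expiring", daysLeft
	}
	return "active", daysLeft
}

// SampleCertPEM builds a constructed self-signed certificate and its key so the demo runs
// offline; it is not a real customer certificate.
func SampleCertPEM(notBefore time.Time, days int) (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x1a2b3c),
		Subject:      pkix.Name{CommonName: "svc.internal.example", Organization: []string{"Example Corp"}},
		DNSNames:     []string{"svc.internal.example", "api.internal.example"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, days),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

func main() {
	start := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	certPEM, keyPEM := SampleCertPEM(start, 90)
	rec, _ := ParsePEMBundle(append(keyPEM, certPEM...)) // a combined key+cert upload
	status, days := rec.Status(start.AddDate(0, 0, 70), 30)
	fmt.Println(rec.Subject, rec.DNSNames, status, days, "key bundled:", rec.PrivateKeyBundled)
}
```

The PrivateKeyBundled flag is the check worth keeping: an upload path that silently stores whatever PEM blocks it receives turns a "where is the private key?" question into an incident, so the record should either refuse the key or route it to the protected key store the post describes rather than the certificate table.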
▲ 22 r/ssl

NATSSL: Just another SSL self-hosted CA for your private network

NATSSL (Zero-Configuration Distributed TLS for Private Infrastructure) is a lightweight, open-source utility written in Go (93.2%). The project is a tool for deploying your own trusted Root Certificate Authority (Root CA) inside isolated or private networks without relying on the cloud or third-party services.

🛠️ Key Capabilities
The project is split into two logical roles packaged within a single executable file (Single Binary).

Master Mode (Master / CA)

Root Certificate Generation: Automatically creates a Root CA with a 10-year validity period.
Administrative Issuance: Allows the administrator to issue certificates (valid for 1 year) via CLI for any internal domains (.local, .internal), IP addresses, and Wildcard domains (*.internal).
Revocation Management: Supports certificate revocation by serial number and synchronization of the Certificate Revocation List (CRL) with clients.
Local Database: Uses an embedded SQLite database (compiled without CGO) to track issued certificates.

Client Mode (Client)

Automatic Integration: Upon startup, it independently installs the Root CA certificate into the trust stores of the operating system and the Firefox browser.
Auto-Registration: Automatically sends a request to the master server to obtain its own mTLS identification.
Local Certificates: The client can independently request and renew certificates for localhost / 127.0.0.1 via a CSR (Certificate Signing Request) workflow.
Fault Tolerance (ReadOnly): If the master server becomes unavailable, the client continues to operate in "read-only" mode using cached data.

🔄 Disaster Recovery
One of the unique features of the project is its disaster recovery scheme based on blockchain standards:
During initialization (--bootstrap), the master generates a 24-word mnemonic seed phrase (BIP-39 seed phrase).
The master's private key is never written to the disk in plaintext.

In the event that the master server is destroyed, any client node can be "promoted to master" using the --promote-to-master command by entering the 24 words. The root certificate will be restored byte-for-byte (with the exact same fingerprint). Existing clients will continue to trust the new master without reconfiguration, and the migration event itself is broadcast across the network as a packet signed with the Root CA's ECDSA key.

📦 Deployment
The project offers ready-made configurations for automation:

Ansible roles for deploying binaries and configuration files to multiple hosts with automatic fingerprint forwarding.

Docker / Docker Compose builds for containerized environments.

https://github.com/iskyneon/natssl

u/iskyneon — 12 days ago
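The property the post leans on is that a root rebuilt from the seed phrase has the exact same fingerprint, so pinned clients keep trusting it; the other capabilities it lists are issuing one-year certificates for internal names, wildcards and IPs, and revoking by serial with a CRL. The following is an added example, not NATSSL's own code, showing those three pieces in Go's crypto/x509. Two assumptions are labelled in the code: SeedFromPhrase is a one-round HMAC stand-in for the real BIP-39 seed step (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic"+passphrase, available as golang.org/x/crypto/pbkdf2) and is not BIP-39 compatible; and the root uses Ed25519 rather than the ECDSA the post mentions, because Go's ECDSA signer is randomized, so re-deriving only the key would not reproduce a byte-identical certificate unless the signature were deterministic or the original DER were kept. How NATSSL actually achieves byte-for-byte restoration is not described in the post.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// SeedFromPhrase stands in for the BIP-39 seed step (PBKDF2-HMAC-SHA512, 2048 rounds, salt
// "mnemonic"+passphrase); one HMAC-SHA512 keeps the demo stdlib-only but is NOT BIP-39 compatible.
func SeedFromPhrase(mnemonic, passphrase string) []byte {
	m := hmac.New(sha512.New, []byte("mnemonic"+passphrase))
	m.Write([]byte(mnemonic))
	return m.Sum(nil)
}

// RootFromSeed rebuilds the root key and self-signed certificate from the seed alone. Ed25519 (this
// example's choice) has deterministic keys and signatures, so the DER is byte-identical every time.
func RootFromSeed(seed []byte) (ed25519.PrivateKey, *x509.Certificate) {
	kdf := hmac.New(sha256.New, seed)
	kdf.Write([]byte("demo-root-ca-v1")) // domain-separation label chosen for this example
	key := ed25519.NewKeyFromSeed(kdf.Sum(nil))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Private Root CA"},
		NotBefore:    time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2035, 1, 1, 0, 0, 0, 0, time.UTC), // 10-year root, as in the post
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key))
	return key, must(x509.ParseCertificate(der))
}

// Fingerprint is the SHA-256 of the DER, the value clients pin and the Ansible role forwards.
func Fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }

// IssueLeaf signs a one-year server certificate for internal names, wildcards and IPs.
func IssueLeaf(ca *x509.Certificate, caKey ed25519.PrivateKey, serial int64, dns []string, ips []net.IP, from time.Time) *x509.Certificate {
	pub, _, _ := ed25519.GenerateKey(rand.Reader) // the private half would be returned to the requester
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: dns[0]},
		DNSNames: dns, IPAddresses: ips, NotBefore: from, NotAfter: from.AddDate(1, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey))))
}

// VerifyLeaf builds the chain to the root and checks the requested name (or IP literal) at time 'at'.
func VerifyLeaf(leaf, root *x509.Certificate, name string, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: name, CurrentTime: at})
	return err
}

// BuildCRL signs a CRL listing the revoked serials; the CRL number must increase on every publish.
func BuildCRL(ca *x509.Certificate, caKey ed25519.PrivateKey, number int64, revoked []int64, now time.Time) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries,
			x509.RevocationListEntry{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}

// IsRevoked consults a CRL only after checking that this root actually signed it.
func IsRevoked(crl *x509.RevocationList, root *x509.Certificate, serial int64) (bool, error) {
	if err := crl.CheckSignatureFrom(root); err != nil {
		return false, err
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Int64() == serial {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// The all-zero-entropy BIP-39 test phrase: public knowledge, never use it to guard anything.
	_, root := RootFromSeed(SeedFromPhrase("abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about", ""))
	fmt.Printf("root fingerprint: %x\n", Fingerprint(root))
}
```

Two things to take from the block: the seed phrase is the root private key (anyone who can read the 24 words can mint certificates every client trusts, so the "promote to master" path deserves the same access control as the master itself), and a client syncing CRLs must verify the CRL signature against the pinned root before honouring it, otherwise a node on the network could un-revoke a certificate by serving an empty list.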