Self-hosted · Enterprise · On-Premise

Certificate lifecycle on autopilot.

Discover certificates across your network, automate issuance and renewal via ACME and Microsoft AD CS, and distribute to your entire infrastructure. One platform, zero missed renewals.

190+ REST endpoints
10 CA providers
12 DNS providers
10 Distribution targets
99.99% Renewal SLA
47-day SC-081 Ready
PQC Assessment
AES-256 Envelope encryption
PKCS#11 HSM support
Screenshots: CertAutoPilot Dashboard · Certificate Detail View · 47-Day Readiness Dashboard
Real-time overview with CA usage breakdown, renewal trends, and action items
Features

Everything you need for certificate management.

From issuance to distribution, CertAutoPilot handles the full certificate lifecycle with enterprise-grade security and compliance.

Certificate Lifecycle Automation

Automated issuance, renewal, and revocation via ACME v2 and Microsoft AD CS. Supports Let's Encrypt, Google Trust Services, Sectigo, DigiCert, and more.

ACME v2 · CES/CEP · WSTEP · 10 CAs

Certificate Discovery

Scan networks and monitor CT logs to build a complete inventory. Automated security findings, drift detection, OCSP/CRL checking, and managed transition.

CIDR scan · CT log · OCSP/CRL · PQC

Multi-Target Distribution

Deploy certificates to 10 built-in targets with fan-out execution, dry-run validation, and automatic rollback. Agentless architecture — no agents to install.

SSH · K8s · IIS · F5 · Vault

Approval Workflows

Request/approve/reject flow with preflight warnings and governance controls. Self-approval blocked. Integrated with the notification system.

RBAC · Preflight

Multi-Tenant RBAC

Owner, Admin, Operator, Viewer hierarchy with project-scoped permissions. LDAP/AD integration, 2FA, JWT with refresh-token reuse detection.

4-tier · LDAP/AD · 2FA

Domain Monitoring

WHOIS expiry tracking, SPF/DMARC/DNSSEC health checks, and DNS propagation monitoring across your domain inventory.

WHOIS · DMARC · DNSSEC

Tamper-Proof Audit

HMAC-chain integrity verification on all audit entries. Event sourcing for complete certificate lifecycle timeline. RFC 5424 syslog forwarding.

HMAC chain · Syslog · SIEM
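To make the "HMAC chain" idea concrete, here is an added example (not CertAutoPilot's own code; the entry schema, the zero-filled genesis value, the length-prefixed serialisation and the in-memory key are all assumptions) showing how each audit entry is bound to the one before it, and how verification pinpoints the first entry that was edited, deleted, reordered or forged without the key:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// AuditEntry is one record in a tamper-evident log (constructed schema).
// MAC covers the previous entry's MAC plus this entry's fields, so every
// entry is cryptographically bound to everything written before it.
type AuditEntry struct {
	Seq    int
	Actor  string
	Action string
	Target string
	MAC    []byte
}

// AuditChain appends entries under a secret HMAC key. Someone who can edit
// database rows but does not hold the key cannot recompute a valid chain.
type AuditChain struct {
	key     []byte
	entries []AuditEntry
}

func NewAuditChain(key []byte) *AuditChain { return &AuditChain{key: key} }

func (c *AuditChain) Entries() []AuditEntry { return c.entries }

// canonical serialises the signed fields with length prefixes so that field
// boundaries are unambiguous ("ab"+"c" and "a"+"bc" cannot collide).
func canonical(e AuditEntry) []byte {
	var out []byte
	for _, s := range []string{fmt.Sprint(e.Seq), e.Actor, e.Action, e.Target} {
		out = append(out, fmt.Sprintf("%d:%s|", len(s), s)...)
	}
	return out
}

// linkMAC computes HMAC-SHA256(key, prevMAC || canonical(entry)).
func linkMAC(key, prev []byte, e AuditEntry) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(prev)
	m.Write(canonical(e))
	return m.Sum(nil)
}

// genesis is the "previous MAC" of the very first entry: all zeros (assumption).
var genesis = make([]byte, sha256.Size)

// Append records an event and links it to the previous entry.
func (c *AuditChain) Append(actor, action, target string) AuditEntry {
	prev := genesis
	if n := len(c.entries); n > 0 {
		prev = c.entries[n-1].MAC
	}
	e := AuditEntry{Seq: len(c.entries) + 1, Actor: actor, Action: action, Target: target}
	e.MAC = linkMAC(c.key, prev, e)
	c.entries = append(c.entries, e)
	return e
}

// VerifyChain recomputes every link and returns the index of the first entry
// whose sequence number or MAC does not check out, or -1 if the log is intact.
// An edited field, a deleted or reordered entry, or an entry appended without
// the key all break the chain at or before the point of tampering.
func VerifyChain(key []byte, entries []AuditEntry) int {
	prev := genesis
	for i, e := range entries {
		if e.Seq != i+1 || !hmac.Equal(e.MAC, linkMAC(key, prev, e)) {
			return i
		}
		prev = e.MAC
	}
	return -1
}

func main() {
	chain := NewAuditChain([]byte("constructed-demo-key"))
	chain.Append("alice", "cert.issue", "www.example.test")
	chain.Append("bob", "cert.distribute", "f5-prod-01")
	chain.Append("alice", "cert.revoke", "www.example.test")
	entries := chain.Entries()
	fmt.Println("intact log, first bad index:", VerifyChain(chain.key, entries))
	// Simulate a direct database edit of entry 2 made without the HMAC key.
	tampered := append([]AuditEntry(nil), entries...)
	tampered[1].Actor = "mallory"
	fmt.Println("tampered log, first bad index:", VerifyChain(chain.key, tampered))
	fmt.Println("last MAC:", hex.EncodeToString(entries[2].MAC))
}
```

The key never leaves the application, which is what separates this from a plain hash chain: a hash chain can be silently rebuilt by anyone who can write to the table, while an HMAC chain cannot. Forwarding each entry and its MAC to syslog/SIEM as it is written gives an independent copy to reconcile against.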

Dashboard & Observability

Prometheus metrics, OpenTelemetry tracing, and 47-day readiness scoring. CA usage breakdown, renewal trends, and live action items.

Prometheus · OTel · SC-081

API & Automation

190+ REST API endpoints with scoped API keys, Go template variables, webhook events, and full CI/CD integration. Everything in the UI is in the API.

REST · Webhooks · Go templates

PQC Readiness

Classify Post-Quantum Cryptography readiness per certificate across your inventory. Identify which certs are vulnerable today and plan migration.

Per-cert · Classify

Envelope Encryption

AES-256-GCM with per-field DEK/KEK architecture. Private keys, credentials, and secrets encrypted at rest with versioned key management.

AES-256-GCM · DEK/KEK

Smart Notifications

Email, Slack, and Microsoft Teams alerts for 18 event types with templates. Renewal failures, expiry windows, distribution status, audit events.

Email · Slack · Teams
Discovery & Visibility

Find every certificate in your network.

Scan networks, monitor Certificate Transparency logs, and check OCSP/CRL revocation status. Identify risks, track changes, and transition to managed lifecycle.

01 · Network Scanning

Define IP ranges and ports. The discovery engine connects to each endpoint, retrieves TLS certificates, and builds a real-time inventory with cipher suite analysis.

02 · Security Findings

Actionable findings with severity levels and remediation guidance. Weak ciphers, deprecated TLS, expiring certificates, and PQC vulnerability assessment.

03 · Drift Detection

Schedule recurring scans to detect certificate replacements, issuer changes, and key rotations. Track change history and get notified on drift events.

How it works

From configuration to delivery.

Set it up once. CertAutoPilot handles the rest — continuously, reliably.

Discover & Configure

Scan your network for existing certificates. Configure CA providers, DNS credentials, and distribution targets.

Issue Certificates

Request certificates via ACME or Microsoft AD CS with policy enforcement and optional approval workflows.

Distribute

Deploy to SSH, Kubernetes, IIS, F5, NetScaler, Vault, and cloud providers with dry-run validation.

Auto-Renew

The scheduler monitors expiry windows and automatically renews and redistributes before certificates expire.

Ecosystem

Certificate authorities, DNS providers, and native integrations.

Connect to your existing infrastructure with native integrations — no adapters or agents required.

— Certificate Authorities

Let's Encrypt · Free DV · ACME
Google Trust · EAB auth
Sectigo · DV · OV · EV
DigiCert · Industry CA
GlobalSign · Atlas ACME
SSL.com · DV · ACME
ZeroSSL · Free 90-day DV
Actalis · European CA
GoDaddy · DV ACME
Microsoft AD CS · CES/CEP · WSTEP

— DNS Providers for Challenge Validation

Cloudflare
AWS Route 53
Google Cloud DNS
Azure DNS
DigitalOcean
GoDaddy
Lightsail
UltraDNS
Akamai EdgeDNS
Hetzner
OVH
Namecheap

— Distribution Targets

SSH
Kubernetes
IIS
Windows · WinRM
F5 BIG-IP
Citrix NetScaler
HashiCorp Vault
Huawei Cloud
Webhook
Email · SMTP

— Integrations & Observability

Slack
Microsoft Teams
Prometheus
OpenTelemetry
Syslog · SIEM
Comparison

How CertAutoPilot stacks up.

Self-hosted, agentless, and built for the post-quantum, 47-day-renewal era.

Feature | CertAutoPilot | Venafi TLS Protect | Sectigo CM | ManageEngine KMP
Self-Hosted / On-Premise | Cloud only
ACME Protocol
Microsoft AD CS
Distribution Modules | 10 built-in | Custom adapters | Limited | Agent-based
SSH · K8s · IIS · WinRM · F5 · NetScaler · Vault · Webhook · Huawei · SMTP | ✓ All native | Partial | Partial
Certificate Discovery
47-Day Readiness (SC-081)
PQC Readiness Assessment | Roadmap
Agentless Architecture | Agent required | Agent required
HSM Key Storage (PKCS#11) | ✓ SoftHSM2 / CloudHSM / Luna / Fortanix | Paid tier | Cloud-managed only
KEK Rotation (Fleet-Aware) | ✓ Zero-downtime | Paid tier
FAQ

Frequently asked questions.

What infrastructure does CertAutoPilot require?

CertAutoPilot requires MongoDB 6.0+ as its primary data store. The application runs as a single Go binary that can operate in three modes: API server, worker, and scheduler. For small deployments, run all three modes in a single instance. For high availability, deploy each mode separately with MongoDB replica sets. Docker images and docker-compose configurations are provided.

Can it run in air-gapped environments?

Yes. CertAutoPilot is fully self-hosted with no external service dependencies. For certificate issuance in air-gapped environments, use Microsoft AD CS (internal CA) instead of public ACME providers. All data stays within your network. SSRF protection prevents unintended outbound connections.

How are private keys and credentials stored?

All sensitive data is encrypted using envelope encryption: each field gets a random AES-256-GCM data encryption key (DEK), which is itself encrypted by a key encryption key (KEK). The KEK version is tracked per record for seamless key rotation. Private keys are stored in a separate collection from certificates, and credentials use the same envelope encryption pattern.
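The per-field DEK/KEK pattern described in this answer, as an added example in Go (not CertAutoPilot's code; the record layout, the in-memory KEK ring and the nonce-prefix framing are assumptions, and in a real deployment the KEKs would sit in an HSM or KMS). It shows why tracking the KEK version on each record makes rotation cheap: rotating re-wraps only the small DEK, and the field ciphertext is never touched or decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedField is one envelope-encrypted record field (constructed layout).
// The KEK version travels with the record so a later reader or a rotation
// job knows which KEK can unwrap the DEK.
type EncryptedField struct {
	KEKVersion int    // version of the KEK that wrapped the DEK
	WrappedDEK []byte // DEK sealed under the KEK: nonce || AES-256-GCM ciphertext
	Ciphertext []byte // field data sealed under the DEK: nonce || AES-256-GCM ciphertext
}

// KEKRing maps KEK version -> 32-byte key (in memory here for illustration).
type KEKRing map[int][]byte

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under key, prefixing a fresh random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; GCM authentication fails on tampering or a wrong key.
func open(key, data []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(data) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:ns], data[ns:], nil)
}

// EncryptField draws a random 256-bit DEK for this one field, encrypts the
// data with it, then wraps the DEK under the current KEK.
func EncryptField(ring KEKRing, kekVersion int, plaintext []byte) (EncryptedField, error) {
	kek, ok := ring[kekVersion]
	if !ok {
		return EncryptedField{}, fmt.Errorf("unknown KEK version %d", kekVersion)
	}
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return EncryptedField{}, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return EncryptedField{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return EncryptedField{}, err
	}
	return EncryptedField{KEKVersion: kekVersion, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptField unwraps the DEK with the KEK version recorded on the field.
// Once a KEK version is retired, records still wrapped under it are unreadable.
func DecryptField(ring KEKRing, f EncryptedField) ([]byte, error) {
	kek, ok := ring[f.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d not available", f.KEKVersion)
	}
	dek, err := open(kek, f.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, f.Ciphertext)
}

// RotateKEK re-wraps the DEK under a newer KEK. The field ciphertext is
// carried over untouched, so rotation never needs the plaintext.
func RotateKEK(ring KEKRing, f EncryptedField, newVersion int) (EncryptedField, error) {
	oldKEK, okOld := ring[f.KEKVersion]
	newKEK, okNew := ring[newVersion]
	if !okOld || !okNew {
		return EncryptedField{}, fmt.Errorf("KEK version %d or %d not available", f.KEKVersion, newVersion)
	}
	dek, err := open(oldKEK, f.WrappedDEK)
	if err != nil {
		return EncryptedField{}, err
	}
	wrapped, err := seal(newKEK, dek)
	if err != nil {
		return EncryptedField{}, err
	}
	return EncryptedField{KEKVersion: newVersion, WrappedDEK: wrapped, Ciphertext: f.Ciphertext}, nil
}

func main() {
	ring := KEKRing{1: make([]byte, 32), 2: make([]byte, 32)}
	io.ReadFull(rand.Reader, ring[1])
	io.ReadFull(rand.Reader, ring[2])
	f, _ := EncryptField(ring, 1, []byte("-----BEGIN PRIVATE KEY----- (constructed)"))
	rotated, _ := RotateKEK(ring, f, 2)
	delete(ring, 1) // retire the old KEK once every record has been re-wrapped
	pt, err := DecryptField(ring, rotated)
	fmt.Printf("after rotation: %q err=%v\n", pt, err)
}
```

The rotation job only needs to scan for records whose KEKVersion is older than the current one, which is what lets it run incrementally across a fleet while reads and writes continue; the old KEK is retired only after no record references it.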

How does certificate distribution work?

Distribution uses a module system with 8 built-in targets: SSH, Kubernetes, IIS (via WinRM), F5 BIG-IP, Citrix NetScaler, HashiCorp Vault, Huawei Cloud (ELB/CDN/WAF), and Webhook. Each module supports Execute, DryRun, Validate, and Rollback operations. Large distributions automatically use fan-out execution — splitting targets into batches with configurable concurrency. Post-distribution validation verifies certificate deployment via TLS fingerprint checks.

What happens when a renewal fails?

The scheduler automatically retries failed renewals with exponential backoff. Notifications are sent via your configured channels (Email, Slack, Microsoft Teams) when renewals fail or when certificates approach critical expiration windows. The dashboard shows real-time renewal status, and the 47-day readiness score tracks your automation coverage.

Does it support approval workflows?

Yes. Certificate operations can require approval before execution. Operators submit requests with preflight warnings, and designated approvers can approve or reject with comments. Self-approval is blocked. The approval workflow integrates with the notification system so approvers are alerted immediately.

What about API access and automation?

CertAutoPilot exposes 190+ REST API endpoints under /api/v1. API keys can be scoped per project with configurable expiration and rate limiting. Go template variables are available for dynamic configuration. All operations available in the UI are also available via API, enabling full CI/CD integration.

How does certificate discovery work?

Define discovery sources with CIDR ranges, hostnames, and port lists. The scanner connects to each endpoint, performs a TLS handshake, and captures the certificate chain with cipher suite information. Results are stored as an inventory with security findings (weak ciphers, deprecated TLS, self-signed certs, PQC vulnerability). Recurring scans detect drift — certificate replacements, issuer changes, and key rotations — with full change history per endpoint.

Ready to take off

Automate your certificates.
End the renewal panic.

See how CertAutoPilot can discover, manage, and distribute certificates across your entire infrastructure.