Run CertAutoPilot in production.
Deployment, certificate lifecycle, distribution, and operations — every screen and every config flag, with code samples that run.

Quickstart
From zero to a renewed certificate in 15 minutes. Install, create an admin, register an ACME account, issue your first cert.
Start here

Concepts
Organizations, projects, RBAC, certificates, ACME accounts, zones, distribution targets — and how they relate.
Mental model

Architecture
API server, worker, scheduler, MongoDB. Process boundaries, encryption envelope, and the audit chain.
Internals

Standalone deployment
Single-binary installer for Ubuntu, Debian, RHEL, Rocky, Alma. nginx termination, local Mongo, secret bootstrap.
Bare metal

Docker Compose
Reference compose file for development and small production. Volumes, secrets, healthchecks, upgrade path.
Containers

Helm chart
Production Kubernetes deployment. Replica counts, PodDisruptionBudgets, ingress, secrets via External Secrets.
Kubernetes

High availability
Mongo replica set, multi-replica API, leader-elected scheduler, zero-downtime upgrades.
Resilience

ACME accounts
Let's Encrypt, Google Trust, ZeroSSL, Sectigo, SSL.com, GoDaddy, Actalis, GlobalSign, DigiCert. EAB binding.
10 CAs

Microsoft AD CS
CES/CEP and WSTEP enrollment for Windows-issued internal certificates. Templates, NTLM, mutual-TLS.
Internal CA

EAB-bound CAs
External Account Binding HMAC for Google Trust, ZeroSSL, SSL.com. Where to find KID and HMAC key per CA.
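What the KID and HMAC key are actually used for, shown as an added example rather than CertAutoPilot's own code: the inner JWS that RFC 8555 section 7.3.4 requires in the newAccount request, built and then verified the way a CA verifies it (standard library only). The KID, HMAC key, newAccount URL and account JWK below are constructed placeholders, not credentials from any of the CAs named above.

```python
"""ACME External Account Binding (RFC 8555 section 7.3.4): build the
externalAccountBinding JWS with the CA-issued KID + HMAC key, then run the
checks a CA performs on it. All sample values are constructed placeholders."""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Accept both padded and unpadded base64url, since CA portals differ."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_json(obj) -> bytes:
    """Stable serialization so signer and verifier MAC identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_eab(kid: str, hmac_key_b64: str, new_account_url: str, account_jwk: dict) -> dict:
    """Inner JWS: protected header {alg, kid, url} (no nonce), payload is the
    account's public JWK, signature is HMAC-SHA256 keyed with the EAB secret."""
    protected = b64url(canonical_json({"alg": "HS256", "kid": kid, "url": new_account_url}))
    payload = b64url(canonical_json(account_jwk))
    signing_input = f"{protected}.{payload}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key_b64), signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def verify_eab(eab: dict, eab_keys: dict, expected_url: str, account_jwk: dict) -> bool:
    """CA-side checks: known kid, HS256, correct url, no nonce, payload binds
    the same JWK as the outer request, MAC valid under that kid's key."""
    try:
        header = json.loads(b64url_decode(eab["protected"]))
        bound_jwk = json.loads(b64url_decode(eab["payload"]))
    except (KeyError, ValueError, TypeError):
        return False
    key_b64 = eab_keys.get(header.get("kid"))
    if key_b64 is None:
        return False
    if header.get("alg") != "HS256" or header.get("url") != expected_url or "nonce" in header:
        return False
    if bound_jwk != account_jwk:
        return False
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(key_b64), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))


# Constructed sample values (not real CA credentials and not a real key).
SAMPLE_KID = "kid-0123456789abcdef"
SAMPLE_HMAC_KEY = b64url(b"\x11" * 32)          # CA portals hand this out as base64url text
NEW_ACCOUNT_URL = "https://acme.example/acme/new-account"
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}


def new_account_body(eab: dict, contact: str) -> dict:
    """The newAccount payload that carries the binding (outer JWS not shown)."""
    return {"contact": [contact], "termsOfServiceAgreed": True, "externalAccountBinding": eab}


def demo() -> dict:
    """Build one binding and run the CA checks against good and bad inputs."""
    keys = {SAMPLE_KID: SAMPLE_HMAC_KEY}
    eab = build_eab(SAMPLE_KID, SAMPLE_HMAC_KEY, NEW_ACCOUNT_URL, ACCOUNT_JWK)
    wrong_key = {SAMPLE_KID: b64url(b"\x22" * 32)}
    foreign_jwk = dict(ACCOUNT_JWK, x=b64url(b"\x03" * 32))
    return {
        "valid": verify_eab(eab, keys, NEW_ACCOUNT_URL, ACCOUNT_JWK),
        "wrong_url": verify_eab(eab, keys, "https://acme.example/acme/other", ACCOUNT_JWK),
        "foreign_jwk": verify_eab(eab, keys, NEW_ACCOUNT_URL, foreign_jwk),
        "wrong_key": verify_eab(eab, wrong_key, NEW_ACCOUNT_URL, ACCOUNT_JWK),
        "unknown_kid": verify_eab(eab, {}, NEW_ACCOUNT_URL, ACCOUNT_JWK),
    }


if __name__ == "__main__":
    binding = build_eab(SAMPLE_KID, SAMPLE_HMAC_KEY, NEW_ACCOUNT_URL, ACCOUNT_JWK)
    print(json.dumps(new_account_body(binding, "mailto:pki@example.test"), indent=2))
    print(demo())
```

Two details trip people up in practice: the inner JWS has no nonce (the outer one does), and its payload must be byte-for-byte the same JWK the outer JWS carries in its `jwk` header, which is why a misconfigured CNAME or a rebuilt account key yields "EAB mismatch" rather than a signature error.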
CA binding

DNS providers
Per-provider auth fields for Cloudflare, Route 53, Google Cloud DNS, Azure, DigitalOcean, OVH, and 6 more.
12 providers

Zones
How CertAutoPilot maps a domain to a credential. Multi-credential zones, delegated subdomains, CNAME aliasing.
Zone model

DNS-01 troubleshooting
Propagation, CNAME aliasing for restricted zones, stale TXT records, NS-glue mismatches, public-suffix edge cases.
When DNS hurts

Issuance walkthrough
Every form field on the New Certificate page. Key types, policy enforcement, SANs, manual DNS, CSR upload.
Issuance flow

Renewal & rotation
Renewal windows, exponential backoff, key rotation policies, post-renewal hooks, and the 47-day SC-081 readiness score.
Auto-renew

Certificate discovery
CIDR scanning, CT log monitoring, OCSP/CRL revocation checks, drift detection, and managed transition.
Inventory

Distribution overview
How modules work — Execute, DryRun, Validate, Rollback. Fan-out concurrency, batch sizing, post-distribution checks.
Module system

Distribution modules
Eleven built-in modules — SSH, Kubernetes, IIS, WinRM, F5 BIG-IP, Citrix NetScaler, HashiCorp Vault, Webhook, Huawei Cloud, SMTP. Per-module auth, file format, rollback semantics, and gotchas. Pick one from the sidebar.
Per-module guides

KEK rotation
Zero-downtime rotation, fleet awareness, MongoDB cursor strategy, rollback if a node disagrees on the new KEK.
Key hygiene

Notifications
18 event types, Email + Slack + Teams transports, templating with Go variables, dead-letter and quiet hours.
Alerting

Audit & SIEM
HMAC-chain integrity, RFC 5424 syslog forwarding, CEF formatting, retention policies, replay-and-verify CLI.
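To make the "HMAC-chain integrity" and "replay-and-verify" ideas concrete, here is an added example (not CertAutoPilot's audit format or CLI) of an HMAC-chained audit log and a verifier that replays it. The record layout, key and events are constructed for illustration. It also shows the one failure an unanchored chain cannot catch, truncation of the tail, and why forwarding the head MAC to the SIEM closes that gap.

```python
"""HMAC-chained audit records plus a replay verifier. Each record's MAC covers
its own fields and the previous record's MAC, so editing, deleting or reordering
a record breaks every link after it. Layout, key and events are constructed."""
import hashlib
import hmac
import json
from typing import Optional

GENESIS_MAC = "0" * 64   # prev_mac of the first record in a fresh chain


def canonical(record: dict) -> bytes:
    """Serialize every field except the MAC itself in a stable order."""
    body = {k: v for k, v in record.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def compute_mac(key: bytes, record: dict) -> str:
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def append_event(chain: list, key: bytes, event: dict) -> dict:
    """Append an event, linking it to the previous record's MAC."""
    prev_mac = chain[-1]["mac"] if chain else GENESIS_MAC
    record = {"seq": len(chain) + 1, "prev_mac": prev_mac, **event}
    record["mac"] = compute_mac(key, record)
    chain.append(record)
    return record


def verify_chain(chain: list, key: bytes, expected_head: Optional[str] = None) -> tuple:
    """Replay the chain. Returns (ok, first_bad_seq, reason).

    expected_head is the last MAC as anchored out-of-band (e.g. shipped to the
    SIEM); without it a truncated tail is indistinguishable from a short chain.
    """
    prev_mac = GENESIS_MAC
    for position, record in enumerate(chain, start=1):
        if record.get("seq") != position:
            return False, position, "sequence gap (record deleted or reordered)"
        if record.get("prev_mac") != prev_mac:
            return False, position, "prev_mac does not link to previous record"
        if not hmac.compare_digest(compute_mac(key, record), record.get("mac", "")):
            return False, position, "MAC mismatch (record modified)"
        prev_mac = record["mac"]
    if expected_head is not None and not hmac.compare_digest(prev_mac, expected_head):
        return False, len(chain) + 1, "head MAC differs from anchored value (tail truncated?)"
    return True, None, "ok"


def demo() -> dict:
    """Build a three-record chain and replay it against several tamper cases."""
    key = b"constructed-audit-key-do-not-use-in-prod"
    events = [   # constructed sample events
        {"actor": "alice", "action": "cert.issue", "subject": "www.example.test"},
        {"actor": "bob", "action": "distribution.execute", "target": "web-01"},
        {"actor": "alice", "action": "kek.rotate", "subject": "kek-2"},
    ]
    chain: list = []
    for event in events:
        append_event(chain, key, event)
    head = chain[-1]["mac"]          # what you would forward to the SIEM

    tampered = json.loads(json.dumps(chain))   # deep copy, then rewrite actor
    tampered[1]["actor"] = "mallory"
    deleted = chain[:1] + chain[2:]            # middle record removed
    truncated = chain[:-1]                     # last record removed
    return {
        "intact": verify_chain(chain, key, head),
        "tampered": verify_chain(tampered, key, head),
        "deleted": verify_chain(deleted, key, head),
        "truncated_unanchored": verify_chain(truncated, key),
        "truncated_anchored": verify_chain(truncated, key, head),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22s} -> {result}")
```

The unanchored truncation case verifies clean, which is the practical reason the audit pages pair chain integrity with syslog forwarding: the SIEM copy (or even just the latest MAC) is the external anchor that makes a missing tail visible.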
Forensics

Auth & RBAC
Four roles, two scopes. Local users, LDAP / AD federation, TOTP, API keys with peppered SHA-256, JWT cookies with refresh-token reuse detection.
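The "refresh-token reuse detection" mentioned above is a small but important mechanism, so here is an added example (not CertAutoPilot's session code) of rotating refresh tokens in families and revoking a whole family when a retired token is presented again. Storing tokens only as a peppered hash is the same idea the page names for API keys; the HMAC-SHA256 construction, pepper value and store layout here are my choices for the illustration.

```python
"""Refresh-token rotation with reuse detection. A login starts a token family;
each refresh issues a new token and retires the old one. Presenting a retired
token means two parties hold the same chain, so the whole family is revoked.
Constructed illustration; pepper and layout are placeholders."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenRecord:
    family: str
    user: str
    retired: bool = False


@dataclass
class RefreshStore:
    pepper: bytes
    tokens: dict = field(default_factory=dict)          # token hash -> TokenRecord
    revoked_families: set = field(default_factory=set)
    alerts: list = field(default_factory=list)          # what you would page on

    def _hash(self, token: str) -> str:
        # Only a peppered hash is stored: a database dump yields no usable tokens.
        return hmac.new(self.pepper, token.encode(), hashlib.sha256).hexdigest()

    def login(self, user: str) -> str:
        """Start a new family and hand out its first refresh token."""
        family = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self.tokens[self._hash(token)] = TokenRecord(family, user)
        return token

    def refresh(self, presented: str):
        """Rotate the token. Returns (new_token, None) or (None, reason)."""
        rec = self.tokens.get(self._hash(presented))
        if rec is None:
            return None, "unknown token"
        if rec.family in self.revoked_families:
            return None, "family revoked"
        if rec.retired:
            # A rotated token came back: someone replayed it. We cannot tell
            # which holder is the attacker, so every token in the family dies.
            self.revoked_families.add(rec.family)
            self.alerts.append({"user": rec.user, "family": rec.family,
                                "event": "refresh_token_reuse"})
            return None, "reuse detected; family revoked"
        rec.retired = True
        new_token = secrets.token_urlsafe(32)
        self.tokens[self._hash(new_token)] = TokenRecord(rec.family, rec.user)
        return new_token, None


def demo() -> dict:
    """Normal rotation, then a replay of the old token, then the victim's turn."""
    store = RefreshStore(pepper=b"constructed-pepper-not-for-production")
    t1 = store.login("alice")
    t2, _ = store.refresh(t1)                  # legitimate rotation
    replayed, reason = store.refresh(t1)       # stolen copy of t1 replayed
    victim, victim_reason = store.refresh(t2)  # alice's current token is dead too
    return {
        "rotated": t2 is not None and t2 != t1,
        "replay_blocked": replayed is None,
        "replay_reason": reason,
        "family_revoked": victim is None,
        "victim_reason": victim_reason,
        "alerts": len(store.alerts),
    }


if __name__ == "__main__":
    print(demo())
```

The cost of this design is deliberate: a legitimate user whose token was stolen is logged out along with the attacker, and an alert fires, which is the outcome you want. Clients that fire concurrent refreshes need a short grace window or request serialization, or they will trip the detector on themselves.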
Identity & access

Policies & approvals
Project-scoped certificate policy (key types, SAN globs, naming regex, auto-renew) plus the request / approve / reject workflow with self-approval blocked.
Governance

Distribution primitives
Path Sets, Action Sets, Module Credentials, Project Variables, Validation Endpoints, and Fan-out execution — the reusable objects every distribution composes from.
Building blocks

Observability
Prometheus metrics with recommended alerts, OpenTelemetry traces across HTTP and jobs, syslog (RFC 5424) forwarding for SIEM archival.
Signals

Configuration
config.yaml reference, CERTAUTOPILOT_* env overrides, TLS termination patterns (nginx + ingress), license activation and grace mode.

Operations
Leader-elected scheduler, MongoDB-backed job queue with dead-letter, cluster instances view, domain tracking, and an incident runbook.
Day-2

Troubleshooting
Symptom-driven catalog. Bind ports, ACME 4xx replies, DNS challenge timeouts, distribution fan-out failures, audit drift.
Symptom index

CLI reference
Every certautopilot sub-command — kek rotate, setup, audit verify, kek pkcs11-init — with flags, examples, and exit codes.

API keys & the REST surface
Every UI action is also an API call. Generate scoped API keys per project with TTL and rate limits, then drive issuance, distribution, and discovery from your CI/CD.
API keys reference →

v1.4.13 — KEK fleet rotation
Zero-downtime KEK rotation, Hetzner DNS provider, F5 BIG-IP HA pair distribution, server-built PKCS#12 distribution for Tomcat / Spring Boot / IIS, and the 47-day readiness widget on the dashboard.
Read about KEK rotation →