For individuals managing personal projects or those responsible for IT operations in small businesses who need to manage multiple domain names, applying for certificates manually comes with several drawbacks:
- 😱 Troublesome: Applying for and deploying certificates isn’t difficult, but it can be quite a hassle, especially when managing multiple domains.
- 😭 Easily forgotten: Free certificates are currently valid for only 90 days and must be renewed regularly. This adds to the workload, and a forgotten renewal can leave the website inaccessible.
Certimate was created to solve the above-mentioned issues and has the following features:
- Simple operation: Automatically apply, deploy, and renew SSL certificates without any manual intervention.
- Support for self-hosted deployment: The deployment method is simple; you only need to download the binary file and execute it. Both the binary files and Docker images are generated using GitHub Actions, ensuring a transparent process that can be audited independently.
- Data security: Since it is a self-hosted deployment, all data is stored locally and will not be saved on the service provider’s servers, ensuring the security of the data.
Certimate aims to provide users with a secure and user-friendly SSL certificate management solution. For usage documentation, please visit https://docs.certimate.me.
Installing Certimate is very simple; choose one of the following installation methods.
You can download the precompiled binary files directly from the Releases page. After extracting them, execute:
./certimate serve
Or run the following command to automatically add a certificate to Certimate itself.
./certimate serve yourDomain
Note
When executing the binary file on macOS, you may see a prompt saying: “Cannot open ‘certimate’ because Apple cannot check it for malicious software.” You can go to System Preferences > Security & Privacy > General, then click “Allow Anyway,” and try executing the binary file again.
mkdir -p ~/.certimate && cd ~/.certimate && curl -O https://raw.githubusercontent.com/usual2970/certimate/refs/heads/main/docker/docker-compose.yml && docker compose up -d
git clone git@github.com:usual2970/certimate.git
cd certimate
make local.run
After completing the installation steps above, you can access the Certimate management page by visiting http://127.0.0.1:8090 in your browser.
username:[email protected]
password:1234567890
Provider | Registration | Deployment | Remarks |
---|---|---|---|
Alibaba Cloud | √ | √ | Supports domains registered on Alibaba Cloud; supports deployment to Alibaba Cloud OSS, CDN, SLB |
Tencent Cloud | √ | √ | Supports domains registered on Tencent Cloud; supports deployment to Tencent Cloud COS, CDN, ECDN, CLB, TEO |
Baidu Cloud | | √ | Supports deployment to Baidu Cloud CDN |
Huawei Cloud | √ | √ | Supports domains registered on Huawei Cloud; supports deployment to Huawei Cloud CDN, ELB |
Qiniu Cloud | | √ | Supports deployment to Qiniu Cloud CDN |
Doge Cloud | | √ | Supports deployment to Doge Cloud CDN |
Volcengine | √ | √ | Supports domains registered on Volcengine; supports deployment to Volcengine Live, CDN |
AWS | √ | | Supports domains managed on AWS Route53 |
CloudFlare | √ | | Supports domains registered on CloudFlare; CloudFlare services come with SSL certificates |
GoDaddy | √ | | Supports domains registered on GoDaddy |
Namesilo | √ | | Supports domains registered on Namesilo |
PowerDNS | √ | | Supports domains managed on PowerDNS |
HTTP Request | √ | | Supports domains which allow managing DNS by HTTP request |
Local Deploy | | √ | Supports deployment to local servers |
SSH | | √ | Supports deployment to SSH servers |
Webhook | | √ | Supports callback to Webhook |
Kubernetes | | √ | Supports deployment to Kubernetes Secret |
The workflow of Certimate is as follows:
- Users fill in the certificate application information on the Certimate management page, including domain name, authorization information for the DNS provider, and authorization information for the service provider to deploy to.
- Certimate sends a request to the certificate vendor's API to apply for an SSL certificate.
- Certimate stores the certificate information, including the certificate content, private key, validity period, etc., and automatically renews the certificate when it is about to expire.
- Certimate sends a deployment request to the service provider's API to deploy the certificate to the service provider's servers.
This involves authorization information for the domain, DNS provider, and deployment service provider.
It involves the domain name for which the certificate is being requested.
To apply for a certificate for a domain, you need to prove that the domain belongs to you. Therefore, when manually applying for a certificate, you typically need to add a TXT record to the DNS records in the domain provider's control panel.
Certimate will automatically add a TXT record for you; you only need to fill in the authorization information for your DNS provider in the Certimate backend.
For example, if you purchased the domain from Alibaba Cloud, the authorization information would be as follows:
accessKeyId: your-access-key-id
accessKeySecret: your-access-key-secret
If you purchased the domain from Tencent Cloud, the authorization information would be as follows:
secretId: your-secret-id
secretKey: your-secret-key
Note: This authorization information requires the relevant administration permissions for accessing the DNS services. Please refer to each service provider's documentation for the specific list of permissions.
After Certimate applies for the certificate, it will automatically deploy the certificate to your specified target, such as Alibaba Cloud CDN. At this point, you need to fill in the authorization information for Alibaba Cloud. Certimate will use the authorization information and domain name you provided to locate the corresponding CDN service and deploy the certificate to that service.
The authorization information for the deployment service provider is the same as that for the DNS provider, with the distinction that the DNS provider's authorization information is used to prove that the domain belongs to you, while the deployment service provider's authorization information is used to provide authorization for the certificate deployment.
Note: This authorization information requires the relevant administration permissions to access the target deployment services. Please refer to each service provider's documentation for the specific list of permissions.
Q: Do you provide SaaS services?
A: No, we do not provide that. Currently, we only support self-hosted.
Q: Data Security?
A: Since only self-hosted is supported, all data is stored on the user’s server. Additionally, the source code of Certimate is open-source, and the packaging process for binary files and Docker images is entirely done using GitHub Actions. This process is transparent and visible, allowing for independent auditing.
Q: Automatic Certificate Renewal?
A: Certificates that have already been issued will be automatically renewed 10 days before expiration. The system checks once a day to see if any certificates are nearing expiration, and if so, it will automatically reapply for the certificate and deploy it to the target service.
Certimate is a free and open-source project, licensed under the MIT License. You can use it for anything you want, even offering it as a paid service to users.
You can support the development of Certimate in the following ways:
- Submit Code: If you find a bug or have new feature requests, and you have relevant experience, you can submit code to us.
- Submit an Issue: For feature suggestions or bugs, you can submit an issue to us.
Support for more service providers, UI enhancements, bug fixes, and documentation improvements are all welcome. We encourage everyone to submit pull requests (PRs).
This software is provided under the MIT License and distributed “as-is” without any warranty of any kind. The authors and contributors are not responsible for any damages or losses resulting from the use or inability to use this software, including but not limited to data loss, business interruption, or any other potential harm.
No Warranties: This software comes without any express or implied warranties, including but not limited to implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
User Responsibility: By using this software, you agree to take full responsibility for any outcomes resulting from its use.
- Telegram-a new era of messaging
- Wechat Group