CertDax is a modern dashboard for managing SSL certificates. Automated ACME requests, deploy agents, Kubernetes operator, email notifications, SSO — everything you need, in one place.
From requesting to deploying — CertDax handles the entire certificate lifecycle.
Automatically request and renew certificates from Let's Encrypt and other ACME-compatible Certificate Authorities.
Cloudflare, TransIP, Hetzner, DigitalOcean, Vultr, OVH, AWS Route 53, Google Cloud DNS, and manual validation.
Lightweight Go binary that runs on any Linux distro. Auto-deploy certificates to servers with zero downtime.
Native K8s operator with Helm chart. Deploy certificates as TLS Secrets directly from the dashboard — fully automated.
Customizable templates for every certificate event: requested, issued, renewed, expired, errors, and more.
Single sign-on via any OpenID Connect provider. Groups, permissions, and cross-group resource sharing built in.
API key authentication, complete endpoint coverage. Automate everything with scripts or integrate into your CI/CD.
Generate self-signed certificates with custom OIDs for internal services, development, and testing environments.
Set it and forget it. CertDax automatically renews certificates before they expire — no manual intervention required.
Group agents together and deploy certificates to all members at once. Perfect for load balancers and clusters.
Every private key, app secret and mTLS credential lives in OpenBao (Vault-compatible). Transit encryption, internal PKI and Kubernetes-auth — built in, not bolted on.
A clean stack designed for reliability, performance, and easy deployment.
Modern frontend with Tailwind CSS and Recharts for a responsive, real-time dashboard.
High-performance Python backend with async support, SQLAlchemy ORM, and automatic API docs.
Statically compiled, zero dependencies. Ships as a single binary for 4 architectures.
Custom CRD, Helm chart, dashboard-driven deployments. Syncs TLS secrets automatically.
Multi-stage builds, Docker Compose, ready for Swarm and Kubernetes.
Production database with SQLite support for development. Automatic migrations.
Vault-compatible secrets engine ships with the chart. Transit encryption, internal PKI and KV v2 — auto-bootstrapped on install.
Customer keys encrypted via Vault Transit, mTLS for agents and operators, bcrypt passwords, JWT auth, audit log, non-root containers.
Automatic DNS-01 challenge validation with all major providers.
Deploy and manage TLS certificates in your clusters — straight from the CertDax dashboard.
One-command install via helm install. Configurable namespace, RBAC, and image settings out of the box.
Select a certificate in the UI, pick a namespace and secret name — the operator creates the TLS Secret automatically.
Certificates are synced on a configurable interval. When CertDax renews a cert, the K8s Secret updates automatically.
Heartbeat reporting, operator logs, CPU & memory usage, managed certificate status — all visible in the dashboard.
Detects which Ingresses and Traefik IngressRoutes reference your TLS Secrets — visible per certificate.
Custom CertDaxCertificate CRD. Works alongside manual CRs — the operator only manages what you deploy from the UI.
The operator authenticates to CertDax with a Vault-issued mTLS client cert (RFC 0001 §6.3). Single-use AppRole wrap-tokens replace long-lived bearer tokens.
Deploy CertDax in minutes. Free, open source, and self-hosted.