By now you've probably heard, used and become very familiar with Let's Encrypt. I'd like to personally thank them for helping make my life easier. Thank you Let's Encrypt! The time I have saved not having to create CSRs, request new certificates (or maybe just add a SAN), upload CSRs, go through validation/approval, wait for issuance, then finally apply the certificate, is time earned. Thank you to the various ACME clients out there as well. You’ve saved me time by allowing me to actually use the Let’s Encrypt certificates over the years.
As a user of Let's Encrypt certificates, I quickly began using their certificates everywhere I could. It just made everything easier. Like many of you, I began by using various ACME clients out there. From certbot and WACS, to the lesser known ones.
When you have a few sites, things are pretty low maintenance. Just become familiar with Let's Encrypt, pick an ACME client, read their docs, fire things up, set and forget. That's how things are for the most part. As things evolve, however, things become a little more complicated. When dealing with dozens of domains, servers, disparate systems, load balancers, proxies, cloud infrastructure, you begin running into some problems. Maybe an ACME client fails to automatically renew for some reason, perhaps due to a bug in an updated version of the client. Or, maybe a configuration change in some cloud infrastructure causes the client to fail. Obtaining and sharing certificates between machines behind a load balancer can also add complexity and issues of their own.
Certera aims to solve these problems and make using Let's Encrypt certificates even easier. Certera is PKI for Let's Encrypt certificates. Let me explain what that really means. Today, using the various ACME clients, the keys and certificates generated are spread across various systems. Validation and issuance happen across many systems. Certera centralizes all of that. Let's Encrypt coined the term "Central Validation Server" . The concept, as they explained, is to delegate the responsibility of validation and issuance to a server (or servers). In essence, creating a central "place to store certificates and keys durably". When I first read this, I didn't think much of it. I thought that things were fine as they were with my limited number of domains and clients working flawlessly. Then, as I ran into the issues I outlined above, the thought came back to me that some of these problems could be solved by separating the validation and issuance of certificates from actually applying the certificates. If a central validation server could obtain the certificate, I wouldn't need to worry about installing, configuring and managing numerous (and various) ACME clients. I would no longer have to deal with custom scripts to make things work behind load balancers and web farms. A single server that can track, monitor, issue, renew all of my certificates sounded like the solution. That's when Certera was born.
With Certera, you can securely store your keys and certificates in a central place and much more. You can control key pinning and key rotations. You can track, monitor and receive notifications for certificate expiration and changes. Certera also exposes an API where you can retrieve the keys and certificates to apply to various systems. A single cURL to get your certificate means being able to apply that certificate to any number of servers easily, when and how you want.
curl https://<your_certera_site_hostname>/api/certificate/<certificate_name> \ -H "apiKey:<your_api_key>"
You also can more easily comply with rate limits set by Let's Encrypt. Some ACME clients acquire and apply the certificate in one step. If applying the certificate fails, you may end up re-acquiring a new certificate each time in an attempt to resolve your issue.
Certera is a cross platform, self-hosted, web application. Because keys and certificates are stored in a single place, it's a target for attack. Which is why Let's Encrypt say "you should protect that server well" . For that, and other reasons, when creating Certera, it was decided that it wouldn't be a cloud-based SaaS. It certainly could have been one from a design perspective. It would have made delivering features and updates much more friction-less. It would have also meant you could begin using it immediately without having to download, install and operate your own instance. With your own instance, however, you get the benefits of ensuring security, isolating it from anything and everything you decide is a threat. Because this is security software, it is important that you have full control and transparency.
So, with all that said, I'm happy to have introduced you to Certera. It is currently in open beta; come read the docs, try things out, give feedback and help make free certificates for all even better.