Ansible and CertLocker, Part 2: Hardening the Deployment Path
Part two of the Ansible secrets migration: repeatable inventory uploads, lookup-only vault files, SSH PEM sync, Postgres TLS from CertLocker, and safer Docker deploy behavior.