Comparisons
CertLocker is not trying to replace every CA, SSH tool, or secrets platform. It gives teams a trust control plane for certificate operations, ACME delivery, secrets, host access, endpoint verification, and audit evidence. These comparisons show where it fits.
Vault is powerful general-purpose secrets infrastructure. CertLocker is focused on operational trust workflows: certificates, ACME delivery, secrets, host access, and audit.
Best when comparing: operating complexity, PKI workflows, built-in delivery, and SSH scope.
Likely buyer: platform or security team evaluating Vault overhead.
Certbot is excellent for issuing a certificate on a server. CertLocker is for teams that need inventory, scoped delivery, endpoint verification, and audit across many systems.
Best when comparing: single-server renewal versus team-wide certificate operations.
Likely buyer: DevOps team outgrowing scripts and per-host cert management.
AWS ACM is strong inside AWS-managed services. CertLocker fits hybrid, multi-cloud, on-prem, host-level, and non-AWS infrastructure that still needs governed TLS.
Best when comparing: AWS-only certificates versus infrastructure-wide trust control.
Likely buyer: team running AWS plus Nginx, HAProxy, Windows, OpenVPN, or bare metal.
The same team may use a CA, an ACME client, a cloud certificate service, a secrets platform, and SSH tooling. CertLocker sits where those trust workflows need control, delivery, and evidence.

| Decision | Use the existing tool when... | Use CertLocker when... |
|---|---|---|
| Issuing a public cert | A CA or ACME client can issue and install it on one public server. | The team needs inventory, scoped delivery, live verification, and audit across many systems. |
| Running a secrets platform | Vault or another platform already owns all secrets and the team can operate it well. | Certificates, PEM material, operational secrets, SSH access, and audit need a simpler trust workflow. |
| AWS-managed TLS | All TLS terminates on AWS services that ACM directly supports. | Infrastructure spans hosts, clouds, load balancers, Windows, OpenVPN, or on-prem systems. |
| SSH access | Permanent keys and existing bastions are acceptable for the risk model. | Access should be time-limited, scoped to hosts, revocable, and logged with other trust events. |