Comparison
AWS Secrets Manager is built for AWS-native infrastructure. CertLocker is built for bare metal, VMs, OpenStack, and hybrid environments. They serve different deployment models.
AWS Secrets Manager is a managed secrets store designed for AWS-native workloads. It integrates deeply with IAM, RDS, Lambda rotation functions, and other AWS services. It does not manage TLS certificates, SSH access, or endpoint monitoring — and it has no reach into bare metal or non-AWS infrastructure. CertLocker is an infrastructure trust operations platform that manages TLS certificates, secrets (with full version history), SSH access certificates, and endpoint probes across bare metal, VMs, and hybrid infrastructure.
| Capability | CertLocker | AWS Secrets Manager |
|---|---|---|
| Secrets storage and retrieval | ✓ | ✓ |
| Secret version history (full audit) | ✓ Built-in | ⚠ Limited versions only |
| Secrets rotation | ✓ Manual + ACME | ✓ Automated for AWS services |
| TLS certificate lifecycle | ✓ Built-in | ✗ Use ACM instead |
| ACME automation | ✓ Built-in | ✗ |
| HAProxy native ACME | ✓ Purpose-built | ✗ |
| SSH certificate issuance | ✓ Built-in | ✗ |
| Endpoint TLS probes | ✓ Built-in | ✗ |
| Bare metal / on-premise support | ✓ | ✗ |
| AWS IAM native integration | ✗ | ✓ |
| Lambda rotation functions | ✗ | ✓ |
| RDS automatic rotation | ✗ | ✓ |
| RBAC and audit trails | ✓ | ✓ Via CloudTrail |
| Pricing model | Team-based flat rate | Per-secret + per 10K API calls |
AWS Secrets Manager is excellent at what it does: managing secrets for AWS-native workloads with automated rotation tied to AWS services. If your entire stack is on AWS and you are using RDS, Lambda, and ECS, it is a natural fit.
The limitation is scope. AWS Secrets Manager does not manage TLS certificates — that is ACM's job, and ACM only works on AWS load balancers and CloudFront. It does not issue SSH certificates or manage SSH access. It has no visibility into what your endpoints are actually serving. Version history is limited to the last few versions.
CertLocker is designed for teams running outside the AWS perimeter — bare metal racks, OpenStack clusters, colocation, or hybrid environments with both cloud and physical infrastructure. It combines secrets, TLS certificate lifecycle, SSH access, and endpoint monitoring because those problems are deeply related for infrastructure teams, and solving them separately means maintaining multiple tools with separate audit trails.
AWS Secrets Manager is a cloud-native secrets store tightly integrated with the AWS ecosystem. CertLocker is an infrastructure trust operations platform that adds TLS certificate lifecycle, ACME automation, SSH access management, and endpoint monitoring alongside secrets — for teams on bare metal, VMs, or hybrid infrastructure.
CertLocker is not intended for AWS-native workloads. For teams running on bare metal or hybrid infrastructure alongside AWS, CertLocker handles the non-AWS layer while AWS Secrets Manager handles the AWS-native layer. They can coexist.
Secret version history records every change to a secret's value: who changed it, what the previous value was, and when. This is required by SOC 2, PCI-DSS, and internal audit programmes that need to answer "what was the database credential on this date?" AWS Secrets Manager retains a limited number of previous versions; CertLocker keeps full history.