Comparison

CertLocker vs Certbot

Certbot is an ACME client that works well on individual servers. CertLocker is a trust control plane for teams that need certificate inventory, scoped ACME delivery, endpoint verification, secrets, SSH access, and audit evidence across infrastructure.

Use Certbot when...

  • You're managing 1–5 servers with publicly accessible domains
  • Let's Encrypt is the only CA you need
  • You don't need a team dashboard or audit trail
  • Each server manages its own certs independently

Use CertLocker when...

  • You manage 10+ certs across multiple environments
  • You need one inventory of all certs with visibility across the team
  • Cert delivery needs to happen automatically after renewal
  • Your certs come from an internal CA, commercial CA, or mixed sources
  • You need SSH access management alongside cert management

Feature comparison

Feature                                             | CertLocker               | Certbot
----------------------------------------------------|--------------------------|------------------------
Issues certs from Let's Encrypt                     | ✗ (not a CA)             |
Stores certs from any CA (LE, internal, commercial) |                          |
Acts as ACME endpoint for your infrastructure       |                          |
Centralized certificate inventory                   | ✓ All certs in one place | ✗ Per-server only
Team visibility & audit trail                       |                          |
Scoped token delivery via ACME                      |                          |
HAProxy native ACME support                         | ✓ Gateway speaks ACME    |
WIN-ACME / IIS support                              | ✓ via ACME endpoint      |
SSH access management                               |                          |
Multi-environment support                           |                          |
Certificate-scoped access tokens                    |                          |
Cost                                                | TBD (early access)       | ✓ Free / open source

Different tools for different problems

Certbot and CertLocker aren't quite competitors — they solve different problems. Certbot is an ACME client: it talks to Let's Encrypt, handles the domain validation challenge, gets the cert issued, and installs it on the local server. That's the complete loop, and it works well for a single server with a publicly reachable domain.

CertLocker is an ACME server endpoint and certificate vault. You upload or manage certificates in CertLocker, then deliver them to infrastructure via ACME. HAProxy's native ACME client, win-acme on IIS, or any standards-compliant client points at CertLocker's gateway and pulls its certificate automatically.

The benefit for teams: centralized inventory with scoped access tokens, one view across certs and environments, and delivery that works even for infrastructure that isn't publicly reachable for ACME validation. CertLocker is not a replacement for every issuance path — it is the layer that controls how certificates, secrets, and access get distributed and audited.

One control plane. Scoped delivery. Full audit.

Use ACME where it already fits, then add the team inventory, verification, secrets, and access control Certbot was never meant to provide.