Platform Features

Certificate operations first. Trust operations next.

CertLocker handles the certificate lifecycle from issuance to delivery and live verification, then extends the same control model to secrets, scoped tokens, bastion access, and audit evidence.

🔒 Certificate Lifecycle

Automated from issuance to expiry

Stop treating certificate renewal as a manual task. CertLocker watches every certificate in your infrastructure, renews them automatically before they expire, and keeps a complete audit trail of every change.

  • Automated renewal — certificates renew 30 days before expiry, with no human in the loop
  • Certificate-scoped access keys — each machine gets a token scoped to exactly the cert it needs
  • Full audit trail — every issuance, renewal, and revocation is logged with timestamp and actor
  • Expiry alerting — know about expiring certs weeks before they become incidents

🚀 Certificate Delivery

Certs that actually arrive where needed

Issuing a certificate is only half the job. CertLocker delivers renewed certs to the right machines automatically — no manual SCP, no Ansible playbooks that only run when someone remembers.

  • Pull-based delivery — machines fetch their own cert using scoped tokens, no push required
  • Format-aware — delivers PEM, PKCS#12, or DER depending on what each target needs
  • Reload hooks — trigger service reloads automatically after cert delivery

🔑 Just-in-Time SSH

Access that expires. Trust that stays.

Permanent SSH keys are a liability. Every PEM file on a laptop is a credential waiting to be stolen. CertLocker's JIT SSH model means access is issued for a session, scoped to a target, and automatically revoked when done.

  • Token-based access — issue SSH tokens per session, not per user permanently
  • Instant revocation — kill access in seconds when a laptop is lost or an employee leaves
  • Works with legacy infra — no agent required on target hosts, works with standard SSH
  • Full access log — who connected, from where, to what, and when

Built on least-privilege

Every CertLocker token is scoped to exactly what it needs. Machines get access to one certificate. SSH sessions get access to one host. Nothing more, ever.

Certificate-scoped tokens

One token. One cert. Compromise one machine, lose nothing else.

Time-limited credentials

SSH tokens expire. Certs rotate. Nothing stale accumulates.

Complete audit trail

Every access event logged. Compliance-ready from day one.

Ready to automate your cert infrastructure?

Join infrastructure teams using CertLocker to govern certificate operations and the trust workflows around them.