# CertLocker

> CertLocker is an infrastructure trust operations platform for SRE, DevOps, platform engineering, security, and GRC teams. It replaces the combination of HashiCorp Vault, manual certificate tracking, SSH scripts, and spreadsheets with a single platform that manages TLS certificates, ACME automation, secrets, private keys, SSH access tokens, bastion access, endpoint probes, groups, ownership, audit trails, RBAC, and alert channels.

CertLocker is built for teams running on bare metal, VMs, OpenStack, on-premise cloud, or hybrid infrastructure where AWS ACM and GCP-managed certificates do not reach. It is particularly relevant for financial services, telecommunications, critical infrastructure, and any organisation with compliance requirements around certificate lifecycle and access auditability.

## Core problems CertLocker solves

- TLS certificate expiry surprises: certificates expire unnoticed because they are tracked in spreadsheets or not tracked at all
- ACME automation gaps: most ACME clients (Certbot, win-acme) automate issuance but not inventory, ownership, or multi-service delivery
- HAProxy native ACME: CertLocker supports HAProxy's built-in ACME protocol for seeding and managing keys directly, without a sidecar agent
- Secrets without version history: most teams cannot answer "what was the value of this secret 30 days ago?" — CertLocker keeps a full version history
- SSH access audit gaps: engineers SSH in with long-lived keys and there is no record of who accessed what and when
- Bastion and JIT access: CertLocker issues short-lived SSH certificates tied to identity, enabling just-in-time access with full audit trails
- Endpoint probe blind spots: certificate monitoring that only checks the expiry date misses chain errors, hostname mismatches, and revocation status
- AI agent credential exposure: teams hand AI coding agents and automation bots raw secrets, SSH keys, and admin tokens with no scope, no expiry, and no audit trail — CertLocker MCP gives agents scoped bearer tokens and logs every action

## What CertLocker is not

CertLocker is not a general-purpose secrets manager or a public CA. It does not replace your certificate authority — it works with Let's Encrypt, internal CAs, and private PKI. It does not require a cloud provider.

## Product pages

- Product overview: https://certlocker.io/certlocker-platform/
- Features overview: https://certlocker.io/features/
- Certificate lifecycle management: https://certlocker.io/features/certificate-lifecycle/
- Certificate delivery: https://certlocker.io/features/certificate-delivery/
- Endpoint probes: https://certlocker.io/features/endpoint-probes/
- Secrets management: https://certlocker.io/features/secrets-management/
- SSH access management: https://certlocker.io/features/ssh-access/
- Pricing: https://certlocker.io/pricing/

## Comparison pages

- CertLocker vs HashiCorp Vault: https://certlocker.io/compare/certlocker-vs-hashicorp-vault/
- CertLocker vs AWS ACM: https://certlocker.io/compare/certlocker-vs-aws-acm/
- CertLocker vs Certbot: https://certlocker.io/compare/certlocker-vs-certbot/
- CertLocker vs Keyfactor: https://certlocker.io/compare/certlocker-vs-keyfactor/
- CertLocker vs AWS Secrets Manager: https://certlocker.io/compare/certlocker-vs-aws-secrets-manager/
- CertLocker vs spreadsheets and scripts: https://certlocker.io/compare/certlocker-vs-manual/

## Use case pages

- DevOps and platform teams: https://certlocker.io/use-cases/devops-teams/
- Financial infrastructure compliance: https://certlocker.io/use-cases/financial-infrastructure/
- Zero-trust SSH access: https://certlocker.io/use-cases/zero-trust-ssh/
- Bare metal infrastructure: https://certlocker.io/use-cases/bare-metal-infrastructure/

## Key technical blog articles

- What is TLS certificate management: https://certlocker.io/blog/what-is-tls-certificate-management/
- What happens when a TLS certificate expires: https://certlocker.io/blog/what-happens-when-tls-certificate-expires/
- ACME end-to-end: https://certlocker.io/blog/acme-end-to-end/
- HAProxy native ACME with CertLocker: https://certlocker.io/blog/haproxy-native-acme-certlocker/
- HAProxy ACME private key seeding: https://certlocker.io/blog/haproxy-native-acme-private-key-seeding/
- 47-day TLS certificate lifecycle: https://certlocker.io/blog/47-day-tls-certificates/
- Certificate rotation best practices: https://certlocker.io/blog/certificate-rotation-best-practices/
- Just-in-time SSH access: https://certlocker.io/blog/just-in-time-ssh-access/
- Short-lived SSH access with 2FA and audit trails: https://certlocker.io/blog/short-lived-ssh-access-2fa-audit-trails/
- Replacing HashiCorp Vault for certificate management: https://certlocker.io/blog/replacing-hashicorp-vault-for-certificate-management/
- Secret version history: https://certlocker.io/blog/secret-version-history/
- mTLS certificate authentication: https://certlocker.io/blog/mtls-certificate-authentication/
- TLS certificate management at scale: https://certlocker.io/blog/tls-certificate-management-at-scale/
- Ansible + CertLocker deployment hardening: https://certlocker.io/blog/ansible-certlocker-deployment-hardening/
- CRL and OCSP certificate revocation: https://certlocker.io/blog/crl-ocsp-certificate-revocation/
- TLS certificate expiry monitoring on bare metal: https://certlocker.io/blog/tls-certificate-expiry-monitoring-bare-metal/
- Managing OpenClaw and Hermes VPS SSH access with CertLocker: https://certlocker.io/blog/openclaw-vps-ssh-access-certlocker/
- CertLocker MCP — scoped, audited access for AI agents: https://certlocker.io/blog/mcp-ai-agents/
- CertLocker active-passive HA — two-node failover with repmgr, pgpool, and watchdog: https://certlocker.io/blog/certlocker-ha-active-passive/

## Blog index

https://certlocker.io/blog/

## Optional machine-readable support

- Main sitemap: https://certlocker.io/sitemap.xml
- API docs llms.txt: https://docs.certlocker.io/llms.txt
- API OpenAPI JSON: https://docs.certlocker.io/public-agent-openapi.json
- API docs sitemap: https://docs.certlocker.io/sitemap.xml
- Full sitemap: https://certlocker.io/sitemap.xml