AWS ACM and GCP Certificate Manager stop at the cloud perimeter. CertLocker manages TLS certificates, ACME automation, SSH access, secrets, and endpoint probes for bare metal servers, VMs, and OpenStack clusters — no cloud provider required.
Bare metal certificate management is the operational practice of issuing, renewing, delivering, and monitoring TLS certificates on physical servers and non-cloud infrastructure. Unlike cloud environments where certificate management is integrated with load balancer services, bare metal teams must manage the full certificate lifecycle themselves. CertLocker provides an ACME Gateway that physical servers and load balancers can use to retrieve certificates, continuous endpoint probes that verify what is actually being served, SSH certificate issuance for just-in-time server access, and secrets management with version history — all without requiring a cloud provider.
No native ACME integration
AWS ACM and GCP Certificate Manager provision certificates for their own load balancers. For bare metal HAProxy, Nginx, or IIS, there is no equivalent automated delivery.
No endpoint visibility
Inventory lists do not tell you what a server is actually serving. Chain errors, hostname mismatches, and misconfigured bundles are invisible until a client fails.
SSH access with permanent keys
On bare metal, SSH is the primary access mechanism. Permanent PEM keys accumulate across engineer laptops with no expiry and no audit trail.
Secrets without a home
On bare metal, secrets — API keys, database credentials, PEM files — end up in config files, Ansible vaults, or shared folders without rotation tracking or version history.
ACME Gateway for any ACME-capable client
HAProxy native ACME, Certbot, win-acme, and any RFC 8555-compatible client can retrieve certificates from CertLocker. Inventory, ownership, and expiry tracking are automatic.
Endpoint probes that check what is actually served
CertLocker probes live endpoints to verify certificate validity, chain completeness, hostname match, and expiry. Alerts fire before problems become incidents.
Short-lived SSH certificates with audit trails
CertLocker issues time-limited SSH certificates with identity binding and 2FA enforcement. Every access event is recorded. No permanent keys to track or rotate.
Secrets with version history
All secrets are versioned. Every change is recorded with who made it and when. Compliance questions about past secret values are answerable without log archaeology.
HAProxy 3.1+ includes a native ACME client that can request and renew certificates directly from an ACME-compatible endpoint. CertLocker's ACME Gateway supports this integration, including the private key seeding step that HAProxy requires for initial bootstrap.
The result is zero-sidecar certificate management: HAProxy handles renewal via its built-in ACME client, CertLocker maintains the inventory record, and alerts fire if renewal fails or a certificate approaches expiry. No Certbot agent running alongside HAProxy. No cron job to maintain.
Read: HAProxy 3.3 Native ACME with CertLocker →
OpenStack deployments face the same certificate management challenges as bare metal: no cloud-native certificate management service, TLS required across internal APIs (Keystone, Nova, Cinder, Swift), and HAProxy often acting as the public endpoint.
CertLocker can manage certificates for OpenStack infrastructure components as well as the applications running on OpenStack. The importer can be configured to discover existing certificates and register them for monitoring, so the first step is typically gaining visibility before automating renewal.
Import existing certificate inventory
Upload or discover existing certificates to get visibility — what is installed, when it expires, which server, who owns it. This is the baseline before automating anything.
Configure endpoint probes
Point CertLocker at each TLS endpoint. It checks what is actually being served — expiry, chain, hostname match. This surfaces problems that inventory lists hide.
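To make concrete what an endpoint probe of this kind evaluates, here is an added Go example written for this page (not CertLocker's own code). It builds a root, intermediate and leaf certificate entirely in memory as constructed test data, then runs the three checks the text names over the chain an endpoint would present: chain completeness against a trust store, hostname match against the leaf's SANs, and days until expiry. The hostname `lb1.example.internal`, the fixed probe time and the 14-day warning threshold are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ProbeResult is what a probe reports for one TLS endpoint.
type ProbeResult struct {
	ChainOK       bool     // leaf chains to a trusted root using the presented intermediates
	HostnameOK    bool     // requested hostname matches a SAN on the leaf
	DaysRemaining int      // days until the leaf's NotAfter (negative once expired)
	Problems      []string // human-readable findings an alert would carry
}

// Probe evaluates the certificates an endpoint presented (leaf first, then
// intermediates, i.e. the order of tls.ConnectionState.PeerCertificates).
// roots is the trust store; now is injected so results are reproducible.
func Probe(presented []*x509.Certificate, hostname string, roots *x509.CertPool, now time.Time, warnDays int) ProbeResult {
	res := ProbeResult{}
	if len(presented) == 0 {
		res.Problems = append(res.Problems, "no certificate presented")
		return res
	}
	leaf := presented[0]
	inter := x509.NewCertPool()
	for _, c := range presented[1:] {
		inter.AddCert(c)
	}
	// Chain check only: DNSName is left empty so hostname is reported separately.
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: now}
	if _, err := leaf.Verify(opts); err != nil {
		res.Problems = append(res.Problems, "chain: "+err.Error())
	} else {
		res.ChainOK = true
	}
	if err := leaf.VerifyHostname(hostname); err != nil {
		res.Problems = append(res.Problems, "hostname: "+err.Error())
	} else {
		res.HostnameOK = true
	}
	res.DaysRemaining = int(leaf.NotAfter.Sub(now).Hours() / 24)
	switch {
	case res.DaysRemaining < 0:
		res.Problems = append(res.Problems, "expiry: certificate has expired")
	case res.DaysRemaining < warnDays:
		res.Problems = append(res.Problems, fmt.Sprintf("expiry: %d days remaining", res.DaysRemaining))
	}
	return res
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mkCert(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildTestChain constructs a root -> intermediate -> leaf chain in memory.
// This is constructed test data (a throwaway CA), not a real trust store.
func BuildTestChain(now, leafNotAfter time.Time, dnsName string) (*x509.CertPool, []*x509.Certificate) {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	rootT := caTmpl(1, "Test Root CA")
	root := mkCert(rootT, rootT, &rootKey.PublicKey, rootKey)
	inter := mkCert(caTmpl(2, "Test Intermediate CA"), root, &interKey.PublicKey, rootKey)
	leaf := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: dnsName},
		DNSNames: []string{dnsName}, NotBefore: now.Add(-time.Hour), NotAfter: leafNotAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, &leafKey.PublicKey, interKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return roots, []*x509.Certificate{leaf, inter}
}

func main() {
	now := time.Date(2025, 1, 15, 12, 0, 0, 0, time.UTC) // assumed probe time
	roots, chain := BuildTestChain(now, now.Add(10*24*time.Hour), "lb1.example.internal")
	cases := []struct {
		name  string
		certs []*x509.Certificate
		host  string
	}{
		{"complete chain", chain, "lb1.example.internal"},
		{"missing intermediate", chain[:1], "lb1.example.internal"}, // the classic misconfigured bundle
		{"hostname mismatch", chain, "lb2.example.internal"},
	}
	for _, tc := range cases {
		r := Probe(tc.certs, tc.host, roots, now, 14)
		fmt.Printf("%-20s chain=%v host=%v days=%d problems=%v\n", tc.name, r.ChainOK, r.HostnameOK, r.DaysRemaining, r.Problems)
	}
}
```

Against a live server the `presented` slice would come from `tls.Dial` and `ConnectionState().PeerCertificates`; verification is then done by `Probe` rather than by the handshake, so a broken chain is reported as a finding instead of aborting the connection. The "missing intermediate" case is the one inventory lists never show: the leaf is valid and unexpired, yet clients that do not fetch intermediates themselves will fail.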
Connect ACME clients for automated renewal
Configure HAProxy native ACME, Certbot, or win-acme to use CertLocker as the ACME endpoint. Renewal becomes automatic; CertLocker tracks the result.
Issue SSH certificates for server access
Replace permanent PEM files with short-lived SSH certificates. Engineers request access through CertLocker, which enforces 2FA and records the event. Sessions expire automatically.
TLS certificate management on bare metal requires an ACME-capable tool or platform that can reach servers without cloud provider APIs. CertLocker provides an ACME Gateway that bare metal servers and load balancers — including HAProxy — can use to retrieve and renew certificates directly. It also runs endpoint probes to verify what is actually being served, and tracks ownership and expiry across the fleet.
Yes. CertLocker is designed for bare metal, VMs, OpenStack, and on-premise environments. It does not require AWS, GCP, or Azure. It works with Let's Encrypt, internal CAs, and private PKI.
AWS ACM provisions certificates for AWS load balancers and CloudFront. It has no reach into bare metal infrastructure. CertLocker is purpose-built for non-cloud infrastructure, providing the certificate delivery, monitoring, SSH access, and secrets management that AWS ACM does not address. See CertLocker vs AWS ACM for a full comparison.
Certificate lifecycle, ACME delivery, SSH access, secrets, and endpoint monitoring — for teams running on bare metal, VMs, and OpenStack.