PKI & Certificate Management
Let's Encrypt, cert-manager, smallstep, Vault PKI — TLS at every layer.
Public certificates (Let's Encrypt et al.)
- ★ Let's Encrypt — free, automated, ACME-based; the default for public TLS.
- ZeroSSL — alternative ACME CA; longer cert lifetimes on free tier.
- Buypass Go SSL — alternative ACME CA.
- Google Trust Services — free ACME from Google.
ACME clients (issuing / renewing certs)
- ★ Caddy — bundles ACME; literally zero config beyond a domain.
- ★ certbot — Let's Encrypt's reference client; everywhere.
- acme.sh — POSIX shell; tiny, very flexible.
- lego — Go-based ACME client; library + CLI.
- Traefik — bundles ACME for Docker / k8s.
- Step CA (smallstep) — for private + ACME issuance.
Kubernetes
- ★ cert-manager — k8s operator for issuing / renewing certs from Let's Encrypt / Vault / ACME / private CAs. Universal default.
- Reflector — copy secrets across namespaces.
- trust-manager — distribute CA bundles.
Private PKI / internal CA
- ★ smallstep CA (
step-ca) — modern internal CA; ACME-compatible; OIDC-based provisioners; SSH cert support. The default for internal PKI. - ★ HashiCorp Vault PKI — Vault as a CA; powerful; pairs with the rest of Vault.
- Boundary (HashiCorp) — workload-PKI flavor.
- OpenBao PKI — Vault fork; same shape.
- Sectigo / DigiCert / Entrust private — commercial.
- easy-rsa / OpenSSL — DIY scripts; works but tedious.
Workload identity (cert-less)
- ★ SPIFFE / SPIRE — workload identity via short-lived X.509 / JWT certs; the modern alternative to "share an API key."
- mTLS via service mesh — Istio / Linkerd / Cilium issue per-service certs automatically.
- AWS IAM Roles for Service Accounts (IRSA) / GCP / Azure Workload Identity — for cloud APIs.
Cert lifecycle
- ★ Renew automatically. Cert renewal failure is a top cause of outages. Don't put it on a calendar.
- Monitor expiry with
cert-manager-csi-driver+ Prometheus, orblackbox_exporter'stls_probe. - Pin Subject Alternative Names carefully; multi-SAN certs are common but watch the list.
- OCSP stapling for big-traffic sites.
Where TLS lives
- At the load balancer / reverse proxy (Caddy, Nginx, HAProxy, Traefik).
- In-cluster between services — service mesh + per-service identities.
- End-to-end to the app for compliance shops; encrypted-by-default.
- Cloudflare / Vercel edge — they handle TLS for you.
Patterns to adopt
- ★ Caddy for new self-host. Zero TLS config; it just works.
- cert-manager + Let's Encrypt + ExternalDNS for k8s.
- Internal CA (smallstep / Vault) for service-to-service mTLS.
- Short-lived certs (hours / days) + automation. Don't hand out year-long certs to humans.
- Public root trust only at the edge. Internal traffic uses your own CA.
- Don't disable cert validation. "It works in dev" usually means "we'll figure out prod later" — figure it out now.
Pick this if…
- Default public TLS, self-host: Caddy.
- Default k8s TLS: cert-manager + Let's Encrypt.
- Internal CA: smallstep CA.
- You're already on Vault: Vault PKI engine.
- Workload identity: SPIFFE / SPIRE or service mesh.
- Cloudflare / Vercel front: let them handle TLS.