Tooling

PKI & Certificate Management

Let's Encrypt, cert-manager, smallstep, Vault PKI — TLS at every layer.

Public certificates (Let's Encrypt et al.)

  • Let's Encrypt — free, automated, ACME-based; the default for public TLS.
  • ZeroSSL — alternative ACME CA; longer cert lifetimes on free tier.
  • Buypass Go SSL — alternative ACME CA.
  • Google Trust Services — free ACME from Google.

ACME clients (issuing / renewing certs)

  • Caddy — bundles ACME; literally zero config beyond a domain.
  • certbot — Let's Encrypt's reference client; everywhere.
  • acme.sh — POSIX shell; tiny, very flexible.
  • lego — Go-based ACME client; library + CLI.
  • Traefik — bundles ACME for Docker / k8s.
  • Step CA (smallstep) — for private + ACME issuance.

Kubernetes

  • cert-manager — k8s operator for issuing / renewing certs from Let's Encrypt / Vault / ACME / private CAs. Universal default.
  • Reflector — copy secrets across namespaces.
  • trust-manager — distribute CA bundles.

Private PKI / internal CA

  • smallstep CA (step-ca) — modern internal CA; ACME-compatible; OIDC-based provisioners; SSH cert support. The default for internal PKI.
  • HashiCorp Vault PKI — Vault as a CA; powerful; pairs with the rest of Vault.
  • Boundary (HashiCorp) — workload-PKI flavor.
  • OpenBao PKI — Vault fork; same shape.
  • Sectigo / DigiCert / Entrust private — commercial.
  • easy-rsa / OpenSSL — DIY scripts; works but tedious.

Workload identity (cert-less)

  • SPIFFE / SPIRE — workload identity via short-lived X.509 / JWT certs; the modern alternative to "share an API key."
  • mTLS via service mesh — Istio / Linkerd / Cilium issue per-service certs automatically.
  • AWS IAM Roles for Service Accounts (IRSA) / GCP / Azure Workload Identity — for cloud APIs.

Cert lifecycle

  • Renew automatically. Cert renewal failure is a top cause of outages. Don't put it on a calendar.
  • Monitor expiry with cert-manager-csi-driver + Prometheus, or blackbox_exporter's tls_probe.
  • Pin Subject Alternative Names carefully; multi-SAN certs are common but watch the list.
  • OCSP stapling for big-traffic sites.

Where TLS lives

  • At the load balancer / reverse proxy (Caddy, Nginx, HAProxy, Traefik).
  • In-cluster between services — service mesh + per-service identities.
  • End-to-end to the app for compliance shops; encrypted-by-default.
  • Cloudflare / Vercel edge — they handle TLS for you.

Patterns to adopt

  • Caddy for new self-host. Zero TLS config; it just works.
  • cert-manager + Let's Encrypt + ExternalDNS for k8s.
  • Internal CA (smallstep / Vault) for service-to-service mTLS.
  • Short-lived certs (hours / days) + automation. Don't hand out year-long certs to humans.
  • Public root trust only at the edge. Internal traffic uses your own CA.
  • Don't disable cert validation. "It works in dev" usually means "we'll figure out prod later" — figure it out now.

Pick this if…

  • Default public TLS, self-host: Caddy.
  • Default k8s TLS: cert-manager + Let's Encrypt.
  • Internal CA: smallstep CA.
  • You're already on Vault: Vault PKI engine.
  • Workload identity: SPIFFE / SPIRE or service mesh.
  • Cloudflare / Vercel front: let them handle TLS.

On this page