GlobalSign

Best Self-Hosted Alternatives to GlobalSign

A curated collection of the 4 best self-hosted alternatives to GlobalSign.

Cloud-based certificate authority and PKI provider offering TLS/SSL certificates, managed PKI, code and document signing, and device identity solutions to secure websites, applications, IoT devices, and enterprise identities.

Alternatives List

#1
Infisical

Infisical is an open-source platform to manage and deliver app secrets, certificates (PKI), SSH credentials, and encryption keys across teams and infrastructure.

Infisical is an open-source security platform for centrally managing application secrets and configuration, internal and external PKI certificates, and privileged access workflows. It helps teams reduce credential sprawl by securely delivering, rotating, and auditing sensitive values across environments and infrastructure.

Key Features

  • Secrets management across projects and environments with web UI, CLI, SDKs, and API
  • Dynamic secrets and scheduled secret rotation for supported backends
  • Secret syncs and delivery options for CI/CD, cloud platforms, and Kubernetes workloads
  • Secret scanning and leak prevention tooling to catch exposed credentials
  • Built-in PKI with private CA hierarchy, certificate issuance, renewal, and revocation
  • ACME-based certificate enrollment and certificate lifecycle governance policies
  • SSH certificate issuance for short-lived, centralized infrastructure access
  • Key Management System (KMS) for encrypt/decrypt workflows and key governance
  • Role-based access controls, approvals, temporary access, and audit logs

Use Cases

  • Centralize and distribute application secrets to developers, CI pipelines, and runtime environments
  • Run an internal CA and manage X.509 certificates for services, devices, and apps
  • Replace long-lived infrastructure credentials with short-lived SSH certificates and dynamic secrets

Limitations and Considerations

  • Some premium/enterprise functionality is separated into an enterprise directory and may require a commercial license

Infisical is well-suited for organizations that need a modern developer experience for secrets and PKI while maintaining strong governance through access controls and auditing. It can serve as a unified layer for managing credentials and certificates across diverse stacks and deployment environments.

24.5k stars
1.7k forks

#2
step-ca

step-ca is a private CA and ACME server for issuing and automating X.509 TLS and SSH certificates, enabling short-lived credentials and secure enrollment for teams.

step-ca is an online private certificate authority for issuing and managing X.509 (TLS) and SSH certificates. It is designed for automated certificate lifecycle management in DevOps environments, including short-lived certificates and multiple enrollment options.

Key Features

  • Private ACMEv2 server for automated TLS certificate issuance and renewal
  • Issues X.509 server and client certificates (configurable key types and lifetimes)
  • SSH certificate authority for user and host certificates
  • Multiple provisioning methods, including ACME challenges, OIDC/OAuth tokens, cloud instance identity documents, and JWK-based bootstrapping
  • Supports operating as an intermediate CA under an existing root CA
  • Pluggable database backends for CA state (including embedded and SQL options)

Use Cases

  • Automate internal TLS for services, APIs, containers, and Kubernetes workloads
  • Replace static SSH keys with short-lived SSH certificates tied to SSO
  • Run a private ACME service for development, staging, and internal production environments

Limitations and Considerations

  • Some enterprise PKI features (for example full HA at very high volume, advanced revocation services, or a web admin UI) may require additional tooling or a commercial offering

step-ca is a strong choice for teams that need a flexible private CA with ACME automation and SSH certificate support. It helps standardize identity and trust across infrastructure while reducing manual certificate handling.

8k stars
520 forks

#3
VaulTLS

Self-hosted web app to generate, manage and distribute mTLS client and server certificates with OIDC auth, email alerts and a REST API.

VaulTLS is a self-hosted web application for generating, managing and distributing mutual TLS (mTLS) certificates. It provides a central UI and REST API to create client and server certificates, manage a local Certificate Authority, and monitor certificate expirations.

Key Features

  • mTLS client and CA certificate management with UI-driven workflows
  • Server certificate support (SANs) and PKCS#12 export options
  • OpenID Connect (OIDC) authentication integration for SSO
  • Email notifications for upcoming certificate expiration
  • RESTful API for automation and integration with tooling
  • Container-first distribution (Docker image) and simple reverse-proxy integration
  • Optional database encryption via an environment variable to encrypt stored data

Use Cases

  • Centralized issuance and distribution of client certificates for a home lab or small infrastructure
  • Integrating with a reverse proxy (example Caddy configuration provided) to enforce client certificate authentication
  • Automating certificate issuance and expiry notifications via the provided REST API

Limitations and Considerations

  • Automatic certificate regeneration/auto-renew is listed on the roadmap and is not guaranteed in older releases
  • Targeted primarily at home-lab / small deployments; lacks built-in clustering/HA storage features

VaulTLS is intended as a practical, lightweight tool to simplify mTLS workflows and certificate lifecycle management for self-hosted environments. It focuses on ease of use, container deployment, and integrations for authentication and reverse-proxy setups.

311 stars
6 forks

#4
mkcert Web UI

Web-based UI for mkcert to generate, download, and monitor locally-trusted development TLS/SSL certificates with SCEP, authentication, Docker deployment, and email alerts.

mkcert Web UI provides a browser-based interface for the mkcert CLI to create and manage locally-trusted development TLS/SSL certificates. It exposes certificate generation, downloads, monitoring, and a built-in SCEP enrollment service while enforcing input validation and rate limits for security.

Key Features

  • Certificate generation for multiple domains and IPs with PEM, CRT and password-protected PFX (PKCS#12) output
  • Built-in SCEP server supporting GetCACert and GetCACaps for automated device enrollment and challenge-based authentication
  • Enterprise-grade protections: allowlist command validation, path traversal prevention, filename validation, input sanitization, and multi-tier rate limiting
  • Flexible authentication: basic auth and OpenID Connect SSO support; session secret configuration
  • Certificate monitoring with configurable warning/critical thresholds and automated email notifications for expiring certificates
  • Docker and docker-compose deployment support and a simple HTTP API for generate, list, download, and monitoring endpoints

Use Cases

  • Centralize generation and distribution of development TLS certificates for local networks and developer teams
  • Automate certificate provisioning on devices using the SCEP service for managed device enrollment
  • Monitor certificate expiry across development assets and send email alerts to administrators

Limitations and Considerations

  • Requires the mkcert CLI and local trust of the mkcert root CA; initial root CA installation is a prerequisite
  • No built-in hardware security module (HSM) or remote CA integration; keys and certificates are stored on the local filesystem by default
  • Exposing SCEP or the management UI publicly requires careful network and authentication configuration to avoid security risks

mkcert Web UI is suited for teams and developers who need an accessible UI to run mkcert at scale in development environments. It simplifies certificate workflows while retaining the underlying mkcert trust model and operational constraints.

195 stars
7 forks

Why choose an open source alternative?

  • Data ownership: Keep your data on your own servers
  • No vendor lock-in: Freedom to switch or modify at any time
  • Cost savings: Reduce or eliminate subscription fees
  • Transparency: Audit the code and know exactly what's running