Cert Warden

Cert Warden is a centralized ACME client that provides a REST API and web UI to create, manage, and automatically renew TLS certificates. It centralizes ACME account handling and exposes a scoped API-keyed GET interface so consumers can fetch individual keys and certificates without implementing ACME themselves.

Key Features

• Centralized ACME orchestration: manage ACME accounts, keys, and certificates from a single service.
• REST API for consumers: authenticated GET endpoint with scoped API keys to retrieve keys/certificates programmatically.
• Automated renewals: background automation for certificate issuance and renewal using RFC 8555-compliant ACME providers.
• Challenge support: built-in HTTP server for http-01 and integrated support for many DNS providers for dns-01 challenges.
• Frontend and backend: React-based web UI with a Go backend providing the API and ACME logic.
• Deployment options: official Docker images and docker-compose examples plus binary releases for multiple platforms.
• Robust logging and debugging options: detailed access and debug logs to track who or what is accessing key material.

Use Cases

• Centralize TLS management across a home lab or small infrastructure to avoid running ACME clients on each endpoint.
• Provide short-lived scoped certificate access to services or devices that cannot run a full ACME client.
• Automate certificate renewals for services that require a simple API to fetch X.509 material.

Limitations and Considerations

• Intended for small/home-lab use; the project is primarily maintained by a single developer and does not include commercial support.
• Stores private key material in a local database file; compromise of that database compromises the entire PKI and requires strong operational safeguards (backups, access controls, encryption at rest as appropriate).
• The project bundles a frontend and backend and the documentation notes there is limited support for running them separately.

Cert Warden is a practical option for users who want a single service to manage ACME interactions and make certificates available via an API. It emphasizes automation and simple client retrieval, but users should evaluate the operational security trade-offs before storing sensitive key material in its database.