VaulTLS

VaulTLS is a self-hosted web application for generating, managing and distributing mutual TLS (mTLS) certificates. It provides a central UI and REST API to create client and server certificates, manage a local Certificate Authority, and monitor certificate expirations.

Key Features

• mTLS client and CA certificate management with UI-driven workflows
• Server certificate support (SANs) and PKCS#12 export options
• OpenID Connect (OIDC) authentication integration for SSO
• Email notifications for upcoming certificate expiration
• RESTful API for automation and integration with tooling
• Container-first distribution (Docker image) and simple reverse-proxy integration
• Optional database encryption via an environment variable to encrypt stored data

Use Cases

• Centralized issuance and distribution of client certificates for a home lab or small infrastructure
• Integrating with a reverse proxy (example Caddy configuration provided) to enforce client certificate authentication
• Automating certificate issuance and expiry notifications via the provided REST API

Limitations and Considerations

• Automatic certificate regeneration/auto-renew is listed on the roadmap and is not guaranteed in older releases
• Targeted primarily at home-lab / small deployments; lacks built-in clustering/HA storage features

VaulTLS is intended as a practical, lightweight tool to simplify mTLS workflows and certificate lifecycle management for self-hosted environments. It focuses on ease of use, container deployment, and integrations for authentication and reverse-proxy setups.