diff --git a/LICENSE b/LICENSE index f4c014f..85abba6 100644 --- a/LICENSE +++ b/LICENSE @@ -6,13 +6,20 @@ Licensor: Shankar Reddy Licensed Work: certctl The Licensed Work is (c) 2026 Shankar Reddy. Additional Use Grant: You may make use of the Licensed Work, provided that - you may not use the Licensed Work for a Certificate - Management Service. A "Certificate Management Service" - is a commercial offering that allows third parties - (other than your employees and contractors acting on - your behalf) to access and/or use the Licensed Work's - certificate lifecycle management functionality as part - of a hosted or managed service. + you may not use the Licensed Work for a Commercial + Certificate Service. A "Commercial Certificate Service" + is any product, service, or offering in which a third + party (other than your employees and contractors + acting on your behalf) accesses, uses, or benefits + from the Licensed Work's certificate management + functionality — including but not limited to lifecycle + management, discovery, monitoring, alerting, renewal + automation, deployment, and revocation — as part of + or in connection with an offering for which + compensation is received. This restriction applies + regardless of whether the Licensed Work is hosted, + managed, embedded, bundled, or integrated with + another product or service. Change Date: March 14, 2033 diff --git a/README.md b/README.md index e6daa70..6d92000 100644 --- a/README.md +++ b/README.md @@ -70,9 +70,11 @@ For a detailed comparison with other competitors and enterprise platforms, see [ - **Everything is auditable.** Immutable append-only audit trail records every lifecycle action, every API call, and every approval decision. Certificate digest emails deliver daily briefings. Prometheus metrics endpoint for Grafana dashboards. -- **Multiple interfaces for different workflows.** REST API for automation, CLI for scripting, MCP server for AI assistants (Claude, Cursor, Windsurf), EST server (RFC 7030) for device enrollment, Helm chart for Kubernetes, and the web dashboard for day-to-day operations. +- **Standards-based protocol support.** EST server (RFC 7030) for device and WiFi certificate enrollment. ACME ARI (RFC 9773) for CA-directed renewal timing. S/MIME certificate issuance with email protection EKU for end-to-end encrypted email. DER-encoded X.509 CRL and embedded OCSP responder for revocation infrastructure. -For the full capability breakdown — revocation infrastructure (CRL + OCSP), policy engine, certificate profiles, S/MIME support, approval workflows, and more — see the [Feature Inventory](docs/features.md). +- **Multiple interfaces for different workflows.** REST API (107 routes) for automation, CLI for scripting, MCP server for AI assistants (Claude, Cursor, Windsurf), Helm chart for Kubernetes, and the web dashboard (24 pages) for day-to-day operations. + +For the full capability breakdown, including the policy engine, certificate profiles, approval workflows, certificate export (PEM/PKCS#12), and more, see the [Feature Inventory](docs/features.md). ## Supported Integrations @@ -84,13 +86,11 @@ For the full capability breakdown — revocation infrastructure (CRL + OCSP), po | ACME EAB (ZeroSSL, Google Trust) | Implemented (auto-fetch EAB from ZeroSSL) | `ACME` | | step-ca | Implemented | `StepCA` | | OpenSSL / Custom CA | Implemented | `OpenSSL` | -| Vault PKI | Beta | `VaultPKI` | -| DigiCert CertCentral | Beta | `DigiCert` | -| Sectigo SCM | Beta | `Sectigo` | -| Google CAS | Beta | `GoogleCAS` | -| AWS ACM Private CA | Beta | `AWSACMPCA` | - -**Vault PKI, DigiCert, Sectigo, Google CAS, and AWS ACM PCA connectors are in beta.** If you hit any bugs or unexpected behavior, please [open a GitHub issue](https://github.com/shankar0123/certctl/issues) -- we're actively testing these and want to hear from real users. +| Vault PKI | Implemented | `VaultPKI` | +| DigiCert CertCentral | Implemented | `DigiCert` | +| Sectigo SCM | Implemented | `Sectigo` | +| Google CAS | Implemented | `GoogleCAS` | +| AWS ACM Private CA | Implemented | `AWSACMPCA` | **Note:** ADCS integration is handled via the Local CA's sub-CA mode — certctl operates as a subordinate CA with its signing certificate issued by ADCS. Any CA with a shell-accessible signing interface can be integrated today via the OpenSSL/Custom CA connector. @@ -106,8 +106,8 @@ For the full capability breakdown — revocation infrastructure (CRL + OCSP), po | Postfix | Implemented | `Postfix` | | Dovecot | Implemented | `Dovecot` | | Microsoft IIS | Implemented (local + WinRM) | `IIS` | -| F5 BIG-IP | Beta | `F5` | -| SSH (Agentless) | Beta | `SSH` | +| F5 BIG-IP | Implemented (proxy agent) | `F5` | +| SSH (Agentless) | Implemented | `SSH` | | Windows Cert Store | Implemented | `WinCertStore` | | Java Keystore | Implemented | `JavaKeystore` | | Kubernetes Secrets | Implemented | `KubernetesSecrets` | @@ -187,6 +187,16 @@ curl -sSL https://raw.githubusercontent.com/shankar0123/certctl/master/install-a Detects your OS and architecture, downloads the binary, configures systemd (Linux) or launchd (macOS), and starts the agent. See [install-agent.sh](install-agent.sh) for details. +### Helm Chart (Kubernetes) + +```bash +helm install certctl deploy/helm/certctl/ \ + --set server.apiKey=your-api-key \ + --set postgres.password=your-db-password +``` + +Production-ready chart with Server Deployment, PostgreSQL StatefulSet, Agent DaemonSet, health probes, security contexts (non-root, read-only rootfs), and optional Ingress. See [values.yaml](deploy/helm/certctl/values.yaml) for all configuration options. + ### Docker Pull ```bash @@ -318,12 +328,12 @@ Dynamic issuer and target configuration via GUI (no env var restarts), first-run ### V3: certctl Pro Team access controls and identity provider integration (OIDC/SSO). Role-based access control with profile-gating. Event-driven architecture (NATS) with real-time operational views. Advanced search DSL, compliance and risk scoring, bulk fleet operations. -### V4+: Cloud, Scale & Passive Discovery -Passive network discovery (TLS listener), Kubernetes cert-manager external issuer, cloud infrastructure targets (AWS ALB/CloudFront, Azure Key Vault/App Service), extended CA support (Entrust, GlobalSign, EJBCA), cloud secret manager discovery (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager), and platform-scale features (Terraform provider, multi-tenancy, HSM support). +### V4+: Cloud & Scale +Continuous TLS health monitoring, cloud secret manager discovery, Kubernetes cert-manager external issuer, cloud infrastructure targets, extended CA support (Entrust, GlobalSign, EJBCA), and platform-scale features (Terraform provider, multi-tenancy). ## License -Certctl is licensed under the [Business Source License 1.1](LICENSE). The source code is publicly available and free to use, modify, and self-host. The one restriction: you may not offer certctl as a managed/hosted certificate management service to third parties. The BSL 1.1 license converts automatically to Apache 2.0 on March 1, 2033, providing perpetual freedom. +Certctl is licensed under the [Business Source License 1.1](LICENSE). The source code is publicly available and free to use, modify, and self-host. The one restriction: you may not use certctl's certificate management functionality as part of a commercial offering to third parties, whether hosted, managed, embedded, bundled, or integrated. The BSL 1.1 license converts automatically to Apache 2.0 on March 14, 2033. For licensing inquiries: certctl@proton.me diff --git a/docs/connectors.md b/docs/connectors.md index 9670067..a12dd73 100644 --- a/docs/connectors.md +++ b/docs/connectors.md @@ -61,8 +61,8 @@ Connectors extend certctl to integrate with external systems for certificate iss Three types of connectors: -1. **Issuer Connector** — Obtains certificates from CAs (Local CA with sub-CA support, ACME with HTTP-01 + DNS-01 + DNS-PERSIST-01, step-ca, OpenSSL/Custom CA, Vault PKI, DigiCert implemented; additional CA integrations planned) -2. **Target Connector** — Deploys certificates to infrastructure (NGINX, Apache httpd, HAProxy, Traefik, Caddy, Envoy, Postfix, Dovecot, IIS, F5, SSH implemented; additional cloud and network targets planned) +1. **Issuer Connector** — Obtains certificates from CAs. 9 built-in: Local CA (self-signed + sub-CA), ACME v2 (HTTP-01, DNS-01, DNS-PERSIST-01, ARI, EAB, profile selection), step-ca, OpenSSL/Custom CA, Vault PKI, DigiCert CertCentral, Sectigo SCM, Google CAS, AWS ACM Private CA +2. **Target Connector** — Deploys certificates to infrastructure. 14 built-in: NGINX, Apache httpd, HAProxy, Traefik, Caddy, Envoy, Postfix, Dovecot, IIS (local + WinRM), F5 BIG-IP (proxy agent), SSH (agentless), Windows Certificate Store, Java Keystore, Kubernetes Secrets 3. **Notifier Connector** — Sends alerts about certificate events (Email, Webhooks, Slack, Microsoft Teams, PagerDuty, OpsGenie implemented) All connectors accept JSON configuration at initialization, support config validation, and are registered in the service layer. Issuer connectors run on the control plane; target connectors run on agents. For network appliances where agents can't be installed, a **proxy agent** in the same network zone handles deployment — the server never initiates outbound connections. @@ -428,18 +428,19 @@ AWS Certificate Manager Private Certificate Authority — managed private CA on Location: `internal/connector/issuer/awsacmpca/awsacmpca.go` -### Coming in V2.2+ +### Planned Issuers The following issuer connectors are planned for future releases: -- **Entrust** — Enterprise CA via Entrust API -- **AWS ACM Private CA** — AWS-managed private CA +- **Entrust** — Enterprise CA via Entrust Certificate Services mTLS API +- **GlobalSign** — GlobalSign Atlas HVCA REST API with mTLS + API key auth +- **EJBCA** — Keyfactor EJBCA REST API with mTLS or OAuth2 auth Note: ADCS (Active Directory Certificate Services) integration is handled via the **sub-CA mode** of the Local CA issuer, not as a separate connector. certctl operates as a subordinate CA with its signing certificate issued by ADCS, so all certctl-issued certs chain to the enterprise ADCS root. See the Local CA section above. ### Building a Custom Issuer -Here's the structure for a HashiCorp Vault PKI issuer: +Here's a simplified example showing the connector pattern (using a hypothetical Vault-like CA): ```go package vault @@ -962,9 +963,7 @@ The Java Keystore connector deploys certificates to JKS or PKCS#12 keystores via Location: `internal/connector/target/javakeystore/javakeystore.go` -### Kubernetes Secrets (Coming in 2.1) - -> **Status:** Config validation, tests, UI, and Helm RBAC are implemented. The Kubernetes API client (`k8s.io/client-go`) integration is not yet wired — runtime deployment will be available in v2.1.0. +### Kubernetes Secrets The Kubernetes Secrets connector deploys certificates as `kubernetes.io/tls` Secrets, compatible with Ingress controllers (nginx-ingress, Traefik, HAProxy), service meshes (Istio, Linkerd), and any Kubernetes workload that reads TLS Secrets.