Certificate governance, end to end

Watch every certificate. Govern every request.

One ACME gateway, one CT watcher. Issue certificates for internal services without exposing them. Find the ones you didn't know about. Skip the next renewal-day outage.

79% [1]
of the top 1,000 companies can't control who issues certificates for their domains
40% [2]
of enterprise certificates bypass standard processes
81% [3]
of companies had a certificate outage in the last two years
47 days [4]
maximum lifetime for publicly trusted TLS certificates by 2029, down from 398 days today: 200 days in 2026, 100 in 2027

The problem

Three ways certificates get out of hand

Self-signed internals, surprise certificates from teams you've never met, and a renewal cadence about to be measured in weeks.

Ungoverned ACME requests

Anyone who can answer a domain-validation challenge for your DNS can pull a certificate. You have no idea who, when, or why.

Self-signed internals

Internal APIs, admin panels, and microservices run with self-signed certs because "it's just internal." Your engineers learn to click through warnings.

Renewal-day outages

Services go down because someone forgot to renew. At 47-day lifetimes, manual tracking is over.

The approach

Watch + enforce

One control point for every ACME request. Visibility across every CA, every team.

Watch

Certificate discovery engine

  • Stream every certificate from CT logs
  • Cover Let's Encrypt, DigiCert, Sectigo, ZeroSSL, every public CA that logs to CT
  • Surface unauthorised certificates the moment they're issued
  • Track lifecycle and expiry across the whole estate

Enforce

Central ACME gateway

  • Every request flows through one approval-aware control point
  • Certificates for private networks without internet exposure
  • Unmodified ACME clients (certbot, acme.sh, cert-manager) keep working
  • RBAC, dedicated credentials per certificate, full audit trail

Capabilities

What you get

Everything end-to-end certificate governance needs.

Cross-CA visibility

One pane for certificates from Let's Encrypt, DigiCert, Sectigo, ZeroSSL, and anything else that publishes to CT.

SSO & teams

OIDC sign-in, team-scoped permissions, delegated domain ownership. Out of the box.

Approval workflows

Configurable approvals for certificate requests. RBAC where you need it, none where you don't.

ACME gateway

One control point for every ACME request. certbot, acme.sh, cert-manager. Unchanged.

Proactive alerts

Upcoming expiry, unauthorised issuances, policy drift. You hear about it before someone else does.

Private-network SSL

Real certificates for internal services without exposing them. api.company.com, admin.company.com, anything else behind your perimeter.

Audit trails

Trace any certificate to the request, the requester, and the policy that signed it off.

Wildcard support

Single-domain, multi-domain, and wildcard certificates. Subdomain-aware policy throughout.

DNS provider plug-ins

Cloudflare, Route 53, Google Cloud DNS, PowerDNS, RFC 2136. Bring your DNS, keep your provider.

Use cases

Where teams adopt it first

The three problems that get AcmeGuard purchased.

Stop paying per certificate

Free ACME services do the job. AcmeGuard adds the governance you'd otherwise buy from a CA, without the invoice.

Fix the self-signed problem

Real SSL for api.company.com and admin.company.com without exposing them. No browser warnings. No more "trust me" prompts.

Shut down unauthorised requests

Discover the certificates you didn't know existed. Gate every new one through the same approval flow.

How it works

Three components, one control point

Drops into your existing infrastructure. No client migration.

01

Certificate discovery

AcmeGuard streams Certificate Transparency logs and surfaces every certificate issued for your domains, from any CA, within minutes.

  • Let's Encrypt, DigiCert, Sectigo, ZeroSSL, and 100+ others
  • Unknown issuances appear as they happen
  • Lifecycle and expiry tracked across the whole estate
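The reconciliation the discovery watcher performs, as an added example that is not AcmeGuard's own code: CT entries for the governed domains are matched against the gateway's issuance ledger and against an issuer allow-list, and anything that fails either check becomes a finding. The zone set, the issuer allow-list, the `CtEntry` shape and the sample entries are all constructed for illustration; a real watcher would fill them from its CT stream and from the gateway's audit log.

```python
"""Reconcile Certificate Transparency entries for governed domains against the gateway's ledger."""
from dataclasses import dataclass

GOVERNED_ZONES = {"company.com"}                     # assumed: domains the organisation owns
AUTHORISED_ISSUERS = {"Let's Encrypt", "DigiCert"}   # assumed: CAs that policy permits


@dataclass(frozen=True)
class CtEntry:
    """The fields of a CT log entry this check needs (constructed, not a real log record)."""
    log_index: int
    issuer: str               # issuer organisation name
    serial: str               # certificate serial number, hex
    names: tuple[str, ...]    # SAN dNSName values


def in_zone(name: str, zone: str) -> bool:
    """True if name (wildcard allowed) equals zone or sits below it on a label boundary,
    so "evilcompany.com" and "company.com.attacker.net" do not match "company.com"."""
    n = name.lower().rstrip(".")
    if n.startswith("*."):
        n = n[2:]
    return n == zone or n.endswith("." + zone)


def governed_names(entry: CtEntry) -> list[str]:
    return [n for n in entry.names if any(in_zone(n, z) for z in GOVERNED_ZONES)]


def reconcile(entries, ledger):
    """ledger: set of (issuer, serial) pairs the gateway recorded at issuance time.
    Match on serial rather than on the leaf fingerprint: most CT entries are
    precertificates, whose hash differs from the final certificate but whose serial
    does not. Returns (log_index, kind, detail) findings for an admin to triage."""
    findings = []
    for e in entries:
        ours = governed_names(e)
        if not ours:
            continue                       # someone else's certificate; not our estate
        if e.issuer not in AUTHORISED_ISSUERS:
            findings.append((e.log_index, "unauthorised-issuer",
                             f"{e.issuer} issued for {ours}"))
        if (e.issuer, e.serial.lower()) not in ledger:
            findings.append((e.log_index, "bypassed-gateway",
                             f"serial {e.serial} for {ours} has no gateway request"))
    return findings


# Constructed sample: one CT poll's worth of entries, plus the gateway's own ledger.
SAMPLE_ENTRIES = [
    CtEntry(1001, "Let's Encrypt", "04a1", ("api.company.com",)),           # went through the gate
    CtEntry(1002, "ZeroSSL", "7f3c", ("admin.company.com",)),              # no request, wrong CA
    CtEntry(1003, "Let's Encrypt", "91de", ("evilcompany.com",)),          # not our domain
    CtEntry(1004, "DigiCert", "0b22", ("*.company.com", "company.com")),   # wildcard, no request
    CtEntry(1005, "Let's Encrypt", "55aa", ("company.com.attacker.net",)), # suffix trick, not ours
]
GATEWAY_LEDGER = {("Let's Encrypt", "04a1")}

if __name__ == "__main__":
    for index, kind, detail in reconcile(SAMPLE_ENTRIES, GATEWAY_LEDGER):
        print(f"ct#{index} {kind}: {detail}")
```

Run against the sample, the watcher raises three findings: the ZeroSSL certificate for admin.company.com is both from an issuer outside policy and absent from the ledger, and the DigiCert wildcard has no matching gateway request. The two entries that merely look like the governed domain are ignored because the match is done on label boundaries, not substrings.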

02

ACME gateway

One control point for every ACME request. certbot, acme.sh, cert-manager keep working. You get the governance.

  • Unmodified ACME clients, existing DNS plug-ins
  • DNS-01 for private networks, no internet exposure
  • Cloudflare, Route 53, Google Cloud DNS, PowerDNS, RFC 2136
  • Strict per-certificate credential isolation
  • Every request traces back to a requester and a policy

03

Unified governance

One portal, every certificate. Approval workflows, RBAC, audit-ready reports. The chaos becomes a process you can hand to compliance.

  • RBAC and approval workflows, configurable
  • End-to-end audit trails
  • Automated renewals, automated expiry alerts

Architecture

Where AcmeGuard sits

One credential-scoped DNS-01 proxy. One CT watcher. Your ACME clients don't notice the difference.

[Architecture diagram] ACME clients on the left (cert-manager on Kubernetes, certbot on Linux hosts, acme.sh, anything else) send their DNS-01 challenge updates to AcmeGuard in the middle: a credential-scoped DNS-01 proxy (RFC 2136 · PowerDNS · ACME-DNS) backed by a policy & audit log with per-credential scope and a full trail. AcmeGuard writes the challenge record to your real DNS (Cloudflare · Route 53 · …); the public CA (Let's Encrypt · ZeroSSL · …) validates it, issues the certificate, and the certificate lands in the public CT logs. Independently, the discovery watcher streams those CT logs and flags any certificate issued for your domains that did not flow through the gate. Steps: 01 · ACME challenge, 02 · DNS-01 update, 03 · Certificate issued, 04 · CT watch.
  1. ACME challenge. Your client's DNS-01 plug-in points at AcmeGuard (RFC 2136, PowerDNS API or acme-dns) instead of at your real DNS provider. That's the only configuration change.
  2. DNS-01 update. AcmeGuard checks that the presenting credential is scoped to the requested name, then writes the challenge record to your real DNS provider. Cloudflare, Route 53, Google Cloud DNS, PowerDNS, RFC 2136. One credential per delegated domain.
  3. Certificate issued. The public CA validates the record and returns the certificate as usual. Every request lands in the audit log: who, when, which credential, which CA, which policy.
  4. CT watch. Discovery streams Certificate Transparency logs in parallel. Anything issued for your domains that bypassed the gate becomes a case for an admin.

Ready to govern every certificate?

Twenty minutes, your domains, no slide deck.

Book a demo