How do you guys deal with SSLs?

[-]

bunnythistle@reddit

I automate wherever possible, often using LetsEncrypt. For services that can't easily be automated, I just set a calendar reminder and grumble to myself about why the vendor can't make automation possible.

Reply

[-]

tankerkiller125real@reddit

We started dropping vendors that didn't at least have an API to update SSL certs with. And we made sure we told them that it was the reason we were switching to a competitor/new solution.

Reply

[-]

CubesTheGamer@reddit

What? But what about the poor vendors whose application requires unencrypted PEM files? And they have to be separate files for root, issuing, and server, and private key?

Reply

[-]

Lukage@reddit

But what about the vendors who, in the same software suite, require BOTH? A single chain and then separately each cert? Source: We have two of these.

Reply

[-]

CubesTheGamer@reddit

Cringe….as a fun aside for you, just had a software that required I provide the cert in pkcs8 format compared to the standard pkcs12. I about blew a head gasket.

Reply

[-]

theedan-clean@reddit

I wish I could drop vendors who still do this shit. Just today I had to replace an Artifactory cloud cert by hand, including the full chain, in reverse, and the key in RSA. WTELF JFrog? When I saw the request I thought to myself "Surely this is just someone fucking up the Let's Encrypt auto-renew." Nope. That's how JFrog rolls.

Reply

[-]

mriswithe@reddit

Building chain certs by hand, what a pain in the ass.

Reply

[-]

jpmoney@reddit

A pain and error prone. Oh, your chain is in the wrong order? Here is an unrelated error message.

Reply

[-]

mriswithe@reddit

Meanwhile getting to the actual interface that shows the real nerd strength error message gets more complicated every year.

Reply

[-]

theedan-clean@reddit

AAA UserTrust Comodo little ole me Done that shit too many times to forget. Until AAA finally expires in 2028. Thank fuck for Let's Encrypt. I'd never say this, but thank fuck for AWS undercutting the CAs with ACM.

Reply

[-]

Firestorm1820@reddit

Also just did this recently. Nightmare nightmare nightmare!

Reply

[-]

Ssakaa@reddit

There's something absolutely hilarious about a CICD centric tool lacking a critical automation feature for its *own* management...

Reply

[-]

ShelterMan21@reddit

What the fuck is a JFrog. ![gif](giphy|SMyywWhm3Ahlm)

Reply

[-]

PainedEngineer24-2@reddit

We're a big Windows shop, and IIS, so we use GPO and automatic enroll and renewal of SSL certs. [Configure server certificate auto-enrollment | Microsoft Learn](https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment)

Reply

[-]

ZealousidealTurn2211@reddit

If that external stuff is IIS based too, ACMEing it is extremely easy jsyk. Like maybe thirty seconds to go through the setup.

Reply

[-]

2bizy4this@reddit

This is OK until they bind the auto enrolled certificate to a service. When the cert renews, the service breaks.

Reply

[-]

Justify_87@reddit

Restart the service???

Reply

[-]

CapTraditional1264@reddit

Hm? I think this type of thing should work [https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-85/certificate-rebind-in-iis85](https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-85/certificate-rebind-in-iis85)

Reply

[-]

throw0101a@reddit

> We're a big Windows shop, and IIS, so we use GPO and automatic enroll and renewal of SSL certs. There are 'proxies' that allow ACME client to get certificates issues from Windows CAs: * https://github.com/glatzert/ACME-Server-ADCS * https://github.com/grindsa/acme2certifier Clients: * https://letsencrypt.org/docs/client-options/#clients-windows-/-iis

Reply

[-]

MReprogle@reddit

By chance, do you do anything for non-Windows servers? I have been manually creating private keys, bringing them over to the CA to sign, then bringing back all manually. I looked at cert it and other tools, but with a Windows CA, it makes it a bit of a pain for non-Windows devices. But it could all just be due to my lack of having to deal with it, since we only have a handful of Linux servers.

Reply

[-]

PainedEngineer24-2@reddit

Good question. For Linux certs I've used Ansible and a bit of crass bash scripts to do 99% of the leg work for Linux Certs with Linux CAs. You're right though, signing linux system certs with windows is a PIA. There might be more you can do with Ansible to fully automate it. I just haven't had that specific problem for more than one or two systems, so it was never a priority to automate.

Reply

[-]

DontTakePeopleSrsly@reddit

Not really. Just create a script to generate the request with OpenSSL and submit the request to the windows CA with certutil.

Reply

[-]

MReprogle@reddit

I think my monkey brain needs some kind of tutorial for this setup and script to go through it. I tried looking around in the past, since doing it manually seemed like such a pain. It still wouldn’t be a bad idea to get it into Ansible, just to have one spot to send the script out whenever a new Linux host is found on domain.

Reply

[-]

Certain-Community438@reddit

All of which could be automated: write the CSRs to a shared location, and schedule a script to poll that location for new CSRs, submitting any it finds. Much better to use the ACME protocol though. If necessary I'd create a compatible CA server as a "child" of the AD PKI.

Reply

[-]

MReprogle@reddit

I’m definitely not very inclined, but based on what I’ve looked into, setting up automated cert renewal with various tools looks to be simple as hell when you are doing Linux -> Linux, so this might be great for some. In my environment, I doubt I could get a secondary server approved for this, but it would certainly be worth a try.

Reply

[-]

CapTraditional1264@reddit

I've given this some thought as well. It would be possible to automate the transfer of CSRs / certificates through SCP/SSH as an intermediary between the servers and the CA. Then just get a notification when certs need to be signed. Not perfect but would seem to be according to good key management pracatices and probably would be a manageable workload even for a larger fleet of servers. One could adjust timings etc according to own needs and automate the parts one considers important / acceptable from a security POV. I tried looking into SCEP/EST and whatever but I'm not really sold on the value-add of having additional infrastructure if you're already running ADCS.

Reply

[-]

woodsbw@reddit

Windows CA supports SCEP, and there are SCEP clients for everything.

Reply

[-]

thomasbbbb@reddit

Manually as well... An alert pops to remind is to renew some certificate somewhere, but everything is done manually

Reply

[-]

RandomSkratch@reddit

I forget about them for 364 days of the year.

Reply

[-]

Papashvilli@reddit

You bring in someone, like me, and pay me less than what you guys are making to maintain them. Not a joke.

Reply

[-]

Ssakaa@reddit

.. there's something about a sales pitch that leans on "cheap" when it comes to SSL Certs... and it's not a good something.

Reply

[-]

Papashvilli@reddit

Hah, you’re right.

Reply

[-]

Ssakaa@reddit

It's that whole "this tiny file defines the whole tree of trust for all communications under the organization's name" thing, I think.

Reply

[-]

Papashvilli@reddit

Totally understand.

Reply

[-]

Baselet@reddit

I'd hit that in an instant. Not tvat you'd even fart at my paygrade.

Reply

[-]

zer04ll@reddit

CA servers, man it’s like people have no clue that enterprise environments can have thousands of certs

Reply

[-]

Lancaster1983@reddit

LetsEncrypt. I use NGINX Proxy Manager, with certbot to provision a wildcard cert on a cron schedule for most apps. Others I use SWAG to do the LetsEncrypt certs piecemeal.

Reply

[-]

ExcellentQuestion@reddit

Can you give me a sense of your environment? What webserver types are you putting behind NGINX? Were there any difficult ones to deal with? We're working on this for IIS, iDRAC, SSRS, etc and I'd love to know more. Do you keep your firewall rules simplified behind NGINX so you're not opening 443 to each and every endpoint?

Reply

[-]

Lancaster1983@reddit

[NGINX Proxy Manager](https://github.com/NginxProxyManager/nginx-proxy-manager) (NPM) is a tool that I use as a reverse proxy. I don't have any firewall rules opening any ports as I use a Cloudflare tunnel for external access. The NPM set up is really for internal use and management of my wildcard cert.

Reply

[-]

sir_mrej@reddit

How do we deal with Secure Sockets Layers? Or how do we deal with certificates?

Reply

[-]

ExcellentQuestion@reddit

You know the answer to this. Stop being difficult.

Reply

[-]

unethicalposter@reddit

We try and do wild card certs for everything, and use puppet to rotate them. The services we manage are highly available and scalable so the acme/certbot stuff does not work for that type of service.

Reply

[-]

bendem@reddit

Confused why acme would be incompatible with HA. Most HA software can reload certificates without interruptions.

Reply

[-]

unethicalposter@reddit

Getting the certificate as new nodes come up is the problem. You can't pull a new copy of the already issued cert. Plus none of our services are available publicly and DNS authentication changes every time the cert rotates.

Reply

[-]

bendem@reddit

We have an internal ca for internal services, node pulls certificate from hashicorp vault on boot. DNS would work fine, if your DNS provider doesn't have an API, you can use acme-dns so you only need to add a cname once per domain.

Reply

[-]

unethicalposter@reddit

I'll look at vault we use that for other things, I didn't see an easy way to get the certs distributed from the DNS method. Last I looked i didn't have api based DNS but I do now.

Reply

[-]

bendem@reddit

No it doesn't, but since you can authenticate to the vault API using a token, there is no need to validate that you control the domain. So there is no challenge required.

Reply

[-]

grawity@reddit

You don't strictly need the already-issued cert - a fresh cert won't invalidate the already-issued ones. But IMO don't run ACME directly on the nodes; run it on a central system (using e.g. DNS challenge) and deploy the resulting certificate via puppet as usual. Still has the advantage of automating the "ordering" step which is IMO the main point.

Reply

[-]

unethicalposter@reddit

That makes sense, I'm sure I can push it out with bolt or even ansible. I'll look into this thank you for the suggestion.

Reply

[-]

techierealtor@reddit

For managing carts, there’s probably something better, but IT glue (yes, I hate it too but it does well here) has a cert tracker. We have a workflow for 30 days and 5 days prior to expiration. Includes the domain and you can configure it with more. Works very well. Manage serval dozen carts for internal apps we cannot automate due to bullshit. Ignoring the Datto / Kaseya / IT Glue hate, it’s pretty great. Easy to update them too as I can just drop in the public key and call it a day.

Reply

[-]

LPso_B@reddit

Yes, despite this, Datto/Kaseya/IT Glue are great tools.

Reply

[-]

Ironfox2151@reddit (OP)

Holy moly. So yeah, like I am fully aware of LetsEncrypt. I would my much rather utilize that - but of course we have a mix of internal tools, service, and others that don't support ACME. We are a mixed shop with linux and windows and internal and external services - so we have windows applications that don't support anything but actually opening stupid applications. We have plenty of homebuilt linux applications. We also utilize KEMPs, which from what i have seen is a bit hard to script or automate. So yeah, right now it's just monitoring and then we spend x amount of time on what ever service ssl. So like enterprise level - seems like a total pain in the ass unless you got wildcards.

Reply

[-]

woodsbw@reddit

Work at a large enterprise. Less than 5% of our certs require manual intervention. Are your internal tools unmaintained and can’t be updated? With both windows and Linux, are they not front-ended by a web server? Are you not using load balancers for external facing SSL termination? No offense, but I don’t think your problem is “enterprise” here.

Reply

[-]

Ironfox2151@reddit (OP)

Most internal tools we have do not utilize web servers. I wish they did otherwise I wouldn't have this question. You know how easy my life would be if they would use IIS and ngnix or something? For external facing we do utilitize Kemps.

Reply

[-]

grawity@reddit

They don't have to utilize web servers. For validation, implement DNS-01 challenge for LetsEncrypt or use a commercial CA which supports pre-validated domains – e.g. I know for sure that Sectigo does, and I _think_ DigiCert does as well. We used to use Sectigo via ACME with certbot, getting certificates for internal subdomains and having a collection of deploy hooks to put the certs where they need to go; the only thing that couldn't be automated was "having to email a sysadmin guy in another org that the cert on their crappy SAAS webapp is about to expire and could they please send a new CSR".

Reply

[-]

bendem@reddit

There is absolutely no need for your internal tools to implement acme. Just use something like lego or acme posh to get the certificate, copy it to the right place, restart your application.

Reply

[-]

420GB@reddit

Please, please don't call certificates "SSLs"

Reply

[-]

grawity@reddit

<Zoidberg meme> One SSL please! </meme>

Reply

[-]

tankerkiller125real@reddit

ACME protocol, both external via Google Trust Services/Lets Encrypt and Internally via Step CA (which is a Sub CA of our Windows AD CS Root CA server)

Reply

[-]

libertyprivate@reddit

This is the way

Reply

[-]

mats_o42@reddit

I prefer EST over ACME or scep when possible. Can be implemented client side with openssl + curl

Reply

[-]

youcanreachardy@reddit

+1 for Step CA. Setting up renewal of 7 day certs in a cron job or systemd service is where it’s at.

Reply

[-]

JewishTomCruise@reddit

Oh man, thank you for this. I didn't know it was actually an open protocol, and it seems that DigiCert supports ACME. About to get this setup for my services.

Reply

[-]

mriswithe@reddit

Oh damn I never considered using ACME that way. I haven't needed to either thankfully, but now I have something in my back brain pocket thanks to you. Thanks

Reply

[-]

i-took-my-meds@reddit

If you need to implement it yourself, e.g. via cronjob, check out acme.sh on github

Reply

[-]

woodsbw@reddit

This, or SCEP. Lots of platforms support both.

Reply

[-]

Stewge@reddit

Good news is Step CA supports both ACME and SCEP internally :)

Reply

[-]

sparrowhawk360@reddit

I just built my own (SSL Monitoring tool). 😌 SSL renewals and monitoring are my major PITA and I've had a few silent fails. No one noticed for a few days and client was not happy (understandably) . The final straw was the Let's Encrypt email re. stopping automated renewal reminders. Took a few days to build but I finally have all my Certs in a single GUI.

Reply

[-]

bfodder@reddit

First you stop calling certs "SSLs".

Reply

[-]

UdderlyCow@reddit

Another vote for certify the Web for Windows boxes using DNS challenge for non-public facing servers. Started using Acmebot in Azure for any of you azure users which is much much safer than putting certbot on every server.

Reply

[-]

redditduhlikeyeah@reddit

Are these people referring folks to Let's Encrypt real enterprises? Surprising! Whoever you use to issue you CAs will notify you of their expiration, so that helps. Just do some as they expire. It's a pain, but we don't use any automation tools. I'm not sure I know of one, for example, that can request/change a certificate for IIS behind a reverse proxy. Maybe some tool can. Internal CA some things can be automated, other things you can set longer lifespans so it's not as bad. Powershell scripts can help.

Reply

[-]

AuroraFireflash@reddit

> Whoever you use to issue you CAs will notify you of their expiration, so that helps. Let's Encrypt is stopping that service as they move towards shorter-lived certs. We're not far off from 7-day certificates being a thing.

Reply

[-]

xfilesvault@reddit

**"I'm not sure I know of one, for example, that can request/change a certificate for IIS behind a reverse proxy."** Yes, that's easy. Use DNS challenge instead of HTTP challenge. I have Posh-ACME set to run weekly to renew certificates. It interacts with the Cloudflare DNS API, and dumps the certificates into a secure file folder. Then you can use the "Centralized Certificate Store" feature of IIS. You just point it to a folder with your certificates. They just need to be named correctly, and IIS will automatically pull them into IIS and use them on your websites. I also have a Powershell script that can update all the certificates automatically for every websites I have in IIS, but Centralized Certificate Store is way easier... no coding required. I also have a Powershell script that updates the certificates for ADFS and in my Citrix Netscaler.

Reply

[-]

redditduhlikeyeah@reddit

I’ll have to look into that.

Reply

[-]

Tx_Drewdad@reddit

ADFS <shudder> I still remember my joy when I turned off my last ADFS instance.

Reply

[-]

disclosure5@reddit

> Are these people referring folks to Let's Encrypt real enterprises? Surprising! This is up there with "Are people really referring folks to Exchange Online to run business email? Surprising!"

Reply

[-]

Far-Mechanic-1356@reddit

I keep a list with the server name with the expiration date of the Certs and put in a calendar reminder 😅

Reply

[-]

Snowmobile2004@reddit

I’m currently working on a POC for Sectigo’s network agent + various ACME clients to manage certs across our tomcat/apache servers (via agent) and nginx/kubernetes (via ACME client). Liking it a lot so far, but we have a long way to go before our org will be fully ready for 90/30d cert renewals.

Reply

[-]

DMGoering@reddit

Don’t wait for them to expire. Change them on what ever schedule you can manage that meets the requirements of your enterprise.

Reply

[-]

Procure@reddit

Keyfactor

Reply

[-]

iSubb@reddit

I use certify the web run task on it for multiple hosts. Works flawlessly.

Reply

[-]

Dependent_House7077@reddit

local acme for in-house certs, ansible to deploy purchased ones.

Reply

[-]

CapTraditional1264@reddit

I think with all the talk about shorter public CA cert validity times - it makes sense to look into reverse proxying, wildcard certs - and automating internal CA functionality. Another option would be to have something like ACME on all servers (with or without that reverse proxy in front).

Reply

[-]

rockuu@reddit

I'm surprised no one mentioned Hashicorp Vault yet. We're using the PKI secrets engine to issue all internal certs.

Reply

[-]

jrandom_42@reddit

Smallstep for internal certs with our own CA, Let's Encrypt for stuff that goes on the internet (with DNS-based domain verification, mostly). Set and forget.

Reply

[-]

POLEatPOSITION@reddit

Own CA = ADCS?

Reply

[-]

420GB@reddit

They specifically said smallstep...

Reply

[-]

jrandom_42@reddit

https://smallstep.com/docs/step-ca/

Reply

[-]

n4txo@reddit

https://certifytheweb.com/ with custom deployment scripts. Is not free though, but the current 59$ for unlimited certificates are worth it if you want a GUI, and manage hundreds.

Reply

[-]

povlhp@reddit

ACME protocol and put pressure on vendors. Soon it will be 97 days max lifetime.

Reply

[-]

Tiwenty@reddit

Wildcards fetched from Letsencrypt with CertManager in the Kube clusters

Reply

[-]

finobi@reddit

In MSP type of operation, NinjaRMM to monitor expiring certs and IT-Glue for documentation.

Reply

[-]

bobo_1111@reddit

It’s likely external certs will change in 2026 to only have 90 day validity down from 1 year. Better up your automation game.

Reply

[-]

kasim0n@reddit

As it hasn't been mentioned yet: You can automate an internal CA with Hashicorp Vault. May take a bit setup effort, but it's a very well designed and flexible tool. Best thing is you can define certificate profiles (called Roles) and give users/groups the permission to create their own certificates with them. This gives a lot of control over the parameters used for the certificates (max lifetime, min key length etc.).

Reply

[-]

FarToe1@reddit

Lets with ACME using DNS01. There's a secondary automated monitor we run on our linux machines that checks any Lets certs it finds so we'll know if anything gets <7d to expiry but it hasn't found any yet. We have a few windows machines too, so we added those to Zabbix manually.

Reply

[-]

memoriesofanother@reddit

We roll an internally managed application that tracks and renews certs automatically with our internal pki as well as external providers via their apis and allows us to download a bundle it's a game changer when you have literally 10k certs in rotation.

Reply

[-]

ScreamingVoid14@reddit

nginx proxy that shows a single good wildcard cert to the world and doesn't lose sleep about the certs on the web servers it is talking to.

Reply

[-]

ronmanfl@reddit

Autowho? We've been trying to find time to get ACME in place for 8 years but we're still managing almost everything manually. Roughly 500 certs in Digi and thousands in our internal CAs.

Reply

[-]

PossibilityBright703@reddit

Sounds like a mess

Reply

[-]

JBu92@reddit

Large enterprise environment, so this setup may not really fit your needs, but the short answer is a CLM (Keyfactor Command, Venafi, AppViewX). 1. Application owners are responsible for their own certificates. 2. All TLS certificates are enrolled/issued via the CLM (both internal CA and the publicly-trusted CA) 3. Expiration notifications are handled via the CLM (in truth, we built our own notification system, but that's a whole other thing; the CLM *can* do notifications but they're rather rudimentary) My experience with KF Command has not been thrilling. I'd really like to try Venafi, which seems like the other big player in the space.

Reply

[-]

PossibilityBright703@reddit

You won’t regret Sectigo. Give them a look

Reply

[-]

kevinmenzel@reddit

Let's Encrypt as much as possible.

Reply

[-]

bbqwatermelon@reddit

So that's the reason for the name *rusty gears turning in head*

Reply

[-]

SeerFear@reddit

One of the best way to deal with it

Reply

[-]

InvokerHere@reddit

Use Let's Encrypt and easy for installation. I use Asphostportal as my provider and they do support it, I can install it easily via control panel.

Reply

[-]

Jacmac_@reddit

We dumped SSLs and use TLSs now.

Reply

[-]

exoxe@reddit

Same, we just enabled TLS 1.0 on all of our servers, now we're living in the future! /s

Reply

[-]

sir_mrej@reddit

You're number one!

Reply

[-]

exoxe@reddit

*I'm* Super Greg???

Reply

[-]

Burgergold@reddit

Same for 1.1

Reply

[-]

sexybobo@reddit

Most of the answers you will get are to use Let's Encrypt and to script ever thing. They will ignore the fact that Let's Encrypt doesn't work with internal domains and the vast majority of devices don't allow updating via scripting. The few pieces of advice I can give is script as much as possible make sure your monitoring triggers at least 14 days before hand and do as many as you can in a batch. It can be a lot more effective updating 50 printer certs at once instead of doing 1 every few days.

Reply

[-]

symcbean@reddit

> They will ignore the fact that Let's Encrypt doesn't work with internal domains That's only an issue if you use a domain internally which is already registered by someone else on the internet. > and the vast majority of devices don't allow updating via scripting (sigh) That's not a significant issue anywhere which requires "100s" of certificates. There's scripting shell-based interactions using expect, web based interactions using browser automation, and that's before considering putting the devices into an isolated vlan bridged with a TLS service...

Reply

[-]

rodder678@reddit

<3 acme-dns for my internal systems! If someone is using domains they don't own for internal use, then not being able to get public CA-signed certs is just one of many issues they have. But even then, whatever internal CA they use, there is a way to script it.

Reply

[-]

jaydizzleforshizzle@reddit

This, often enough putting it behind an nginx proxy with a wildcard cert is good enough.

Reply

[-]

mrjohnson2@reddit

We pay for ZeroSSL because of that.

Reply

[-]

fprof@reddit

dns-01 challenge might help you

Reply

[-]

pdp10@reddit

Let's Encrypt and ACME protocol have been around since 2015. [SCEP](https://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol) is even older. But for most users, the path of least resistance will be to use a reverse HTTP proxy, or a Layer-4 proxy like Stunnel, to terminate TLS.

Reply

[-]

sexybobo@reddit

That great if your only using SSL for web applications. It really doesn't help keep the certs on switches printers time clocks that are used as part of the authentication process for those devices.

Reply

[-]

insignia96@reddit

Although Let's Encrypt isn't going to work on something that isn't resolvable via public DNS servers, I have had really good luck using it for internal certs via ACME-DNS and DNS-01 validation. ACME via step-ca can be a big help to cover a lot of the remaining use cases.

Reply

[-]

ForTenFiveFive@reddit

If you don't mind proxying your external facing sites then Cloudflare will let you use what they call Origin Certs which last for a decade or more. That way you can do them once and be done with it.

Reply

[-]

DayFinancial8206@reddit

I'm in a fairly large company and we still do some certs manually. Cloudflare is a great solution for replacing most external certificates and if you're in a position to delegate internal traffic to route externally through Cloudflare, I would investigate that as an option. Internally we just sign a few staggered throughout the year and give them to the application champions for installation, generally not too painful. Lets Encrypt is a good option, I haven't tried it myself and have heard it can be a real pain to set up.

Reply

[-]

me1337@reddit

acme.sh and/or cloudflare origin server certs (15 yr ones)

Reply

[-]

spobodys_necial@reddit

It's the wild west so there's somewhere north of 400 SSL certificates active in the network and they're all manually done. We use AppViewX to inventory them and have just started using it to automate where we can. Cloud team is looking at using it as an ACME proxy for their stuff while we add device integrations for on prem deployments. Our end goal is to give the wider IT department access to their own certificates in AppViewX with deployments already set up and they just push the buttons to go without us having to get involved every time, or even better, an API that they can hit to automate the whole thing. But it's a large network and there's a lot of things that need to be done to get there.

Reply

[-]

michaelpaoli@reddit

Automate as much as feasible. Notably including tracking, monitoring, installation/updating, etc. And be sure to track all certs issued - generally cover this via policy and enforcement thereof. And include tracing where they get installed, responsible group(s)/department(s)/persons and relevant contact info., etc. because scanning and such won't find 'em all - though you'll want to do that too, as that will give you pretty good monitoring on *most* of them. As for monitoring/reporting, I quite like my [nmap\_cert\_scan\_summarize](https://www.mpaoli.net/~michael/bin/nmap_cert_scan_summarize). E.g.: $ (TZ=GMT0 export TZ; ports=443; hosts='www.reddit.com www.google.com www.example.com'; nmap -v -Pn -r -sT -p "$ports" --resolve-all --script=ssl-cert $hosts 2>&1; nmap -v -6 -Pn -r -sT -p "$ports" --resolve-all --script=ssl-cert $hosts 2>&1) | nmap_cert_scan_summarize expires SAN_or_CN: IP port [host] ... expires IP port [host] SANorCN 2025-04-11T23:59:59Z 151.101.73.140 443 www.reddit.com *.reddit.com,reddit.com 2025-04-28T08:37:54Z www.google.com: 142.250.189.164 443 www.google.com 2607:f8b0:4005:80c::2004 443 www.google.com 2026-01-15T23:59:59Z *.example.com,example.com: 23.192.228.68 443 www.example.com 23.192.228.85 443 www.example.com 2600:1406:3a00:21::173e:2e65 443 www.example.com 2600:1406:3a00:21::173e:2e66 443 www.example.com $

Reply

[-]

MIS_Gurus@reddit

Certifytheweb. Windows based let's encrypt, use it all the time

Reply

[-]

OhMyInternetPolitics@reddit

I turn on TLS and disable SSL.

Reply

[-]

Substantial_Hold2847@reddit

self signed certs and each department or app owner is responsible for their own shit.

Reply

[-]

badaboom888@reddit

badly. but with acme

Reply

[-]

rickestrada@reddit

Acme and certbot on cron jobs 👍🏻

Reply

[-]

SecurePackets@reddit

Venafi TLS Protect Discovery, automation, alerting, reporting….

Reply

[-]

SecrITSociety@reddit

I've automated ours using CertifyTheWeb

Reply

[-]

PAiN_Magnet@reddit

Just wait, Google is pushing 90 Day MAX certificates..

Reply

[-]

adamixa1@reddit

i am using Nginx Proxy Manager + Let's Encrypt.Giving out SSL like Oprah

Reply

[-]

Disturbed_Bard@reddit

Lets encrypt wherever I can implement it. There are quite a few ways to do it. On Window's web server's, there's a script you run. Most other services I use a Reverse Proxy setup on a lightweight Linux server.

Reply

[-]

broadband9@reddit

I use my free account on autoping.net just to keep track of the external ssl renewals for my websites but I use Zabbix for internal CA ones.

Reply

[-]

byte43@reddit

I think automation is a must at this point. If you look at some of the roadmaps, the certificate maximum validity periods keep shrinking.

Reply

[-]

UnsuspiciousCat4118@reddit

You don’t manage it without automating it. Why would you try?

Reply

[-]

Mike22april@reddit

There are various free and commercial solutions to help discover, monitor and automate server and client certificate enrollment and configuration. The most common are: Lets Encrypt (ie ACME) doesnt do discovery etc, Smallstep, AppViewX, Venafi, KeyFactor, and KeyTalk To each their own, depending on budget, expected service level, etc

Reply

[-]

Hoggs@reddit

Just to clear up your terminology - you're talking about Certificates, or more specifically, Public Key Infrastructure (PKI) certs. SSL is an encryption protocol that uses certificates to establish trust. Also worth noting that SSL has been deprecated in favor of TLS. Certs are not exclusive to SSL/TLS, they can be used for anything that requires validating identity, such as Wifi, VPNs, and remote access protocols like SSH/WinRM.

Reply

[-]

MelonOfFury@reddit

ACME for all of our certs, then just approving for the obstinate ones who manual everything

Reply

[-]

serverhorror@reddit

ACME (same protocol that letsencrypt uses, you can quite easily use it internally with your CA) The open source version is called EJBCA. We renew most certs after 7 days for servers. 50K end user devices use these certificates (90d). Hundreds, if not thousands, if internal hostnames are secured with that. I haven't thought about certificates in years. ACME _fully_ solves this problem.

Reply

[-]

jaaplaya@reddit

We are moving to Sectigo, they have integrations directly with F5 and Apache/IIS that make automating ssl updates easy.

Reply

[-]

zakabog@reddit

Let's encrypt with certbot, and Zabbix monitoring to connect to each service and check the certs, once a cert expiration crosses the thresholds we send out alerts and look into it.

Reply

[-]

Dolapevich@reddit

Study and deploy CERTs using Let's encrypt DNS01 challenge (instead of http challenge). For your own CA, [take a look to this](https://github.com/cloudflare/cfssl)

Reply

[-]

MashPotatoQuant@reddit

What happened to all the comments here

Reply

[-]

jaysea619@reddit

I message the dude in the noc to buy me one. We also use XCA

Reply

[-]

slash-32@reddit

Poorly

Reply

[-]

Ashtoruin@reddit

You automate it using one of many tools? At home I use acme w/ letsencrypt. At work we use vault.

Reply

[-]

Sem1r@reddit

We do them manually or with letsencrypt and monitor all of them to get alerts in advance

Reply

[-]

sryan2k1@reddit

LetsEncrypt for anything public that supports it, GoDaddy for things that don't. Internally we run ACME for anything that supports it, and a windows SubCA to issue traditional certs.

Reply

[-]

Roland_Bodel_the_2nd@reddit

For any stuff in GCP, GCP internal tooling handles it for us. For any stuff that is public, Let's Encrypt. We have a few one-offs left from an internal easyrsa local CA, those are manual but we have very few and I can still pick a duration!

Reply

[-]

ntwrkmstr@reddit

Setting aside how to automate it, as that is well known and documented including challenges in internal zones which is not what the Op is really asking under the surface. We use a mix of internal and external CAs depending on the service. These systems are registered in our info sec asset system with a flag for what CA is in use (internal / external / LE) and the primary URL. Each system is then monitored in our normal network monitoring system that fires off alerts when the SSL is within 14 days of expiry and a ticket created. We review the service and change the CA if policies mean it can be changed, or renew it if it can't. We then get a report out of this each year ahead of our pen test and ensure that everything is aligned. So yes, it is more manual, but we have a register to audit against and some hooks to catch things as they change. DNS is controlled by a small team, so new services can't just be spun up and part of that flow is to add to these systems

Reply

[-]

Longjumping_Gap_9325@reddit

ACME against Sectigo with an OV setup. This way we don't run into the new certificate rate limits you may encounter with Let's Encrypt.

Reply

[-]

tylerwatt12@reddit

Just automate as much as I can. We still buy wildcard certs that last a year. I have a guide I pull up every year that outlines the steps to replace certs. Unfortunately if I were to completely automate it, i would spend more time fixing the automation than replacing certs once a year. We have a lot of oddball nonstandard services too.

Reply

[-]

jstar77@reddit

I feel your pain. We have lots of appliances that have no method for automating SSL renewal it's painful.

Reply

[-]

djjsin@reddit

its a pain in the ass. i used to be doing it all manually, but recently we signed up for digicert one to replace our internal PKI system...and are hoping to get to the point one day where its all automated. But this is going way down the line. But for now this digicert one platform is doing its job. We got scanners in our environment scanning everything to give us reports of whats expiring soon. and we soley use digicert for our external certificates. Now with pki as a service, they are doing our internal certs too.

Reply

[-]

lenicalicious@reddit

Depending on your environment there are tools like AppviewX that can automate everything. It can be a bit of a project setting up and creating service accounts but is ideally what you are looking for.

Reply

[-]

swimmityswim@reddit

Anything cloud hosted i try to use the cloud CA generated cert. GTS/AWS certs for serverless and load balancers. Anything directly on a host i try to certbot and let’s encrypt as much as possible.

Reply

[-]

Mjrdr@reddit

Automation of SSL certs!? Blasphemy!!

Reply

[-]

pirate8991@reddit

Let's encrypt with certbot as much as possible

Reply

Reply to Post

160 Comments