# caddyserver/certmagic

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/caddyserver-certmagic).**

5,568 stars · 334 forks · Go · Apache-2.0

## Links

- GitHub: https://github.com/caddyserver/certmagic
- Homepage: https://pkg.go.dev/github.com/caddyserver/certmagic?tab=doc
- awesome-repositories: https://awesome-repositories.com/repository/caddyserver-certmagic.md

## Topics

`acme` `automatic-https` `go` `golang` `https` `letsencrypt` `tls` `tls-certificate`

## Description

CertMagic is a Go library for automating the issuance and renewal of TLS certificates. It functions as an automatic HTTPS provisioner and ACME client that handles the full lifecycle of certificates to ensure secure connectivity without manual intervention.

The library is distinguished by its support for on-demand TLS provisioning, which obtains certificates dynamically during the TLS handshake based on the requested server name. It also automates wildcard certificates through DNS challenge verification and integrates with the ZeroSSL API for certificate acquisition.

The project covers a broad range of capabilities, including ACME challenge resolution, automated renewal scheduling, and certificate revocation. It manages data persistence through pluggable storage backends and implements distributed locking and synchronization to coordinate certificate management across server clusters. Additional functionality includes OCSP stapling, in-memory caching, and the generation of TLS configurations for custom servers.

## Tags

### Security & Cryptography

- [TLS Certificate Management](https://awesome-repositories.com/f/security-cryptography/governance-policy-frameworks/security-infrastructure/tls-certificate-management.md) — Provides a comprehensive system for the automated provisioning, renewal, and lifecycle management of TLS security certificates.
- [HTTP Challenge Resolutions](https://awesome-repositories.com/f/security-cryptography/certificate-automation-protocols/automated-certificate-issuance/http-challenge-resolutions.md) — Implements HTTP challenge resolution to automate domain ownership verification for certificate authorities. ([source](https://github.com/caddyserver/certmagic/blob/master/httphandlers_test.go))
- [On-Demand Certificate Issuance](https://awesome-repositories.com/f/security-cryptography/certificate-automation-protocols/automated-certificate-issuance/on-demand-certificate-issuance.md) — Provides on-demand TLS provisioning to obtain certificates dynamically during the TLS handshake. ([source](https://github.com/caddyserver/certmagic#readme))
- [Certificate Lifecycle Management](https://awesome-repositories.com/f/security-cryptography/certificate-lifecycle-management.md) — Manages the complete lifecycle of security certificates, including issuance, rotation, and renewal. ([source](https://github.com/caddyserver/certmagic/blob/master/solvers_test.go))
- [Certificate Renewal Managers](https://awesome-repositories.com/f/security-cryptography/certificate-renewal-managers.md) — Automates the full lifecycle of security certificates, including the maintenance and renewal phase. ([source](https://github.com/caddyserver/certmagic/blob/master/async_test.go))
- [Domain Ownership Verification](https://awesome-repositories.com/f/security-cryptography/dns-security/authenticated-record-retrievers/domain-ownership-verification.md) — Proves domain control by responding to ACME challenges via DNS records and temporary HTTP servers. ([source](https://github.com/caddyserver/certmagic/blob/master/solvers.go))
- [DNS and HTTP Challenges](https://awesome-repositories.com/f/security-cryptography/identity-domain-management/dns-and-http-challenges.md) — Implements automated domain ownership verification using HTTP and DNS challenges to obtain ACME certificates.
- [Automatic Certificate Provisioning](https://awesome-repositories.com/f/security-cryptography/network-infrastructure-security/web-network-security/security-https/automatic-certificate-provisioning.md) — Automatically obtains and renews TLS certificates to enable secure HTTPS serving with automatic redirects.
- [Certificate Data Persistence](https://awesome-repositories.com/f/security-cryptography/ssl-certificate-managers/certificate-data-persistence.md) — Persists certificates and private keys to a backend for reliable retrieval during TLS handshakes. ([source](https://github.com/caddyserver/certmagic/blob/master/config_test.go))
- [ACME Certificate Clients](https://awesome-repositories.com/f/security-cryptography/tls-traffic-encryption/acme-certificate-clients.md) — Implements an ACME client to automate the acquisition and management of TLS certificates from compliant authorities.
- [Wildcard Certificate Issuance](https://awesome-repositories.com/f/security-cryptography/certificate-automation-protocols/automated-certificate-issuance/wildcard-certificate-issuance.md) — Automates the issuance of wildcard certificates using DNS challenge verification. ([source](https://github.com/caddyserver/certmagic#readme))
- [Certificate Authority API Integrations](https://awesome-repositories.com/f/security-cryptography/certificate-lifecycle-management/programmatic-certificate-management-apis/certificate-authority-api-integrations.md) — Integrates with the ZeroSSL API to automate certificate acquisition and domain verification. ([source](https://github.com/caddyserver/certmagic/blob/master/zerosslissuer.go))
- [Certificate Revocations](https://awesome-repositories.com/f/security-cryptography/certificate-revocations.md) — Requests the invalidation of compromised or unnecessary certificates from the certificate authority. ([source](https://github.com/caddyserver/certmagic/blob/master/README.md))
- [Certificate Storage Backends](https://awesome-repositories.com/f/security-cryptography/governance-policy-frameworks/security-infrastructure/certificate-storage-backends.md) — Synchronizes certificate data across a cluster using shared storage backends like databases or KV stores. ([source](https://github.com/caddyserver/certmagic/wiki/Storage-Implementations))
- [OCSP Response Caching](https://awesome-repositories.com/f/security-cryptography/governance-policy-frameworks/security-infrastructure/tls-certificate-management/certificate-revocation-validation/ocsp-response-caching.md) — Fetches and caches pre-signed OCSP responses to improve certificate revocation check performance and privacy.
- [HTTPS Enforcements](https://awesome-repositories.com/f/security-cryptography/network-infrastructure-security/web-network-security/security-https/https-enforcements.md) — Automatically redirects incoming unencrypted HTTP traffic to secure HTTPS connections. ([source](https://github.com/caddyserver/certmagic#readme))
- [On-Demand TLS Issuance](https://awesome-repositories.com/f/security-cryptography/network-infrastructure-security/web-network-security/security-https/on-demand-tls-issuance.md) — Obtains and installs TLS certificates dynamically during the handshake based on the requested server name.
- [TLS Certificate Configuration](https://awesome-repositories.com/f/security-cryptography/tls-certificate-configuration.md) — Generates ready-to-use TLS configurations for use in custom listeners or servers. ([source](https://github.com/caddyserver/certmagic/blob/master/certmagic.go))
- [Certificate Caches](https://awesome-repositories.com/f/security-cryptography/tls-certificate-management/dynamic-mitm-certificate-generators/certificate-caches.md) — Indexes active certificates in memory by domain name to accelerate the TLS handshake process.
- [TLS Certificate Selection Logic](https://awesome-repositories.com/f/security-cryptography/tls-certificate-selection-logic.md) — Determines the correct certificate to present during a handshake based on the Server Name Indication. ([source](https://github.com/caddyserver/certmagic/blob/master/config.go))
- [Wildcard Certificate Management](https://awesome-repositories.com/f/security-cryptography/wildcard-certificate-management.md) — Automates the issuance and management of wildcard certificates using DNS challenge verification.

### System Administration & Monitoring

- [Certificate Renewal Schedulers](https://awesome-repositories.com/f/system-administration-monitoring/task-schedulers/windows-task-scheduler-interactions/certificate-renewal-schedulers/certificate-renewal-schedulers.md) — Monitors certificate expiration dates and automatically triggers the issuance process to prevent service interruptions.

### Data & Databases

- [Pluggable Storage Backends](https://awesome-repositories.com/f/data-databases/pluggable-storage-backends.md) — Provides a pluggable key-value interface for persisting certificates and metadata via file systems or databases.

### DevOps & Infrastructure

- [Background Job Queues](https://awesome-repositories.com/f/devops-infrastructure/background-job-queues.md) — Manages asynchronous certificate renewal tasks with concurrency limits and duplicate request prevention.
- [Distributed Task Coordination](https://awesome-repositories.com/f/devops-infrastructure/distributed-lock-coordination/distributed-task-coordination.md) — Synchronizes operations across a cluster using shared locks to prevent duplicate work during certificate issuance. ([source](https://github.com/caddyserver/certmagic/blob/master/storage.go))
- [Distributed Locks](https://awesome-repositories.com/f/devops-infrastructure/distributed-locks.md) — Uses lease-based synchronization in shared storage to prevent duplicate certificate issuance across server clusters.

### Networking & Communication

- [DNS Zone Discovery](https://awesome-repositories.com/f/networking-communication/dns-zone-discovery.md) — Identifies the authoritative DNS zone for a domain to verify ownership for security certificates. ([source](https://github.com/caddyserver/certmagic/blob/master/dnsutil_test.go))
- [Zone Apex Identification](https://awesome-repositories.com/f/networking-communication/dns-zone-discovery/zone-management/zone-apex-identification.md) — Determines the root zone for a domain by recursing through labels until a Start of Authority record is found. ([source](https://github.com/caddyserver/certmagic/blob/master/dnsutil.go))

### Software Engineering & Architecture

- [Asynchronous Task Managers](https://awesome-repositories.com/f/software-engineering-architecture/asynchronous-task-managers.md) — Coordinates concurrent background operations and non-blocking task execution for certificate management. ([source](https://github.com/caddyserver/certmagic/blob/master/async.go))

### Web Development

- [HTTPS Servers](https://awesome-repositories.com/f/web-development/web-servers/https-servers.md) — Implements an HTTPS server that handles automatic certificate management and HTTP-to-HTTPS redirects. ([source](https://github.com/caddyserver/certmagic/blob/master/certmagic.go))

### Part of an Awesome List

- [Security And Privacy](https://awesome-repositories.com/f/awesome-lists/security/security-and-privacy.md) — Automatic HTTPS and TLS certificate management.
