30 open-source projects similar to caddyserver/certmagic, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Certmagic alternative.
Certd is a self-hosted platform that automates the full lifecycle of SSL certificates using the ACME protocol. It handles certificate application, renewal, and deployment across multiple domains through a pipeline-driven workflow engine, with DNS challenge orchestration and multi-cloud deployment capabilities. The platform distinguishes itself through its configurable pipeline system, which allows users to build multi-step workflows that can pass outputs between tasks, execute custom scripts, and handle errors. It supports multi-tenant access control with role-based permissions, encrypted cre
Lego is an ACME certificate manager and lifecycle tool used to automate the request, renewal, and revocation of SSL and TLS certificates. It implements the ACME protocol to communicate with compliant certificate authorities and manages the full issuance process, including account registration and private key rollovers. The project distinguishes itself through extensive DNS automation, utilizing a provider-based abstraction to solve DNS-01 challenges across various third-party DNS providers. It supports advanced verification workflows such as CNAME-based challenge delegation, DNS zone discover
This project is a toolkit for creating and managing X.509 certificate authorities, providing tools for the issuance, signing, and management of TLS certificates and private keys. It includes a command-line utility for generating certificate signing requests, bundling certificate chains, and parsing PEM or DER files. The system features an HTTP API server that allows for remote signing and verification of certificates using JSON requests and responses. This architecture supports automated certificate provisioning and includes a signing proxy to forward requests to remote backend services. The
This project is a public key infrastructure management system designed to automate the issuance, renewal, and revocation of X.509, TLS, and SSH certificates. It functions as a machine identity provider and certificate authority, enabling the establishment of private PKI to secure inter-service communication and remote access. The system distinguishes itself through hardware-bound identity attestation, which ties cryptographic keys to physical device silicon or TPMs to prevent credential exfiltration. It supports a wide array of identity verification mechanisms, including OIDC, cloud-provider
Dehydrated is a shell-script ACME client that automates the lifecycle of TLS certificates from certificate authorities like Let's Encrypt. It implements the ACME protocol entirely in POSIX shell script with no external dependencies beyond standard Unix tools, relying on OpenSSL for all cryptographic operations including key generation, signing, and certificate parsing. The tool manages account keys, certificates, and configuration as plain files on disk, maintaining certificate metadata and account status in simple text files without a database. It delegates domain validation challenges to us
acme.sh is a shell-based certificate manager and ACME SSL certificate client. It automates the issuance, renewal, and installation of digital security certificates using a portable Unix shell script to remove dependencies on heavy runtime environments. The project specializes in automated domain ownership verification through a DNS challenge automator that integrates with provider APIs. It supports the generation of diverse certificate types, including wildcard certificates and issuance based on pre-existing certificate signing requests. The tool covers the full certificate lifecycle, includ
Salvo is a comprehensive Rust web framework for building asynchronous HTTP servers and web applications. It features a hierarchical web router that uses a tree-based structure to map requests to handlers and an asynchronous middleware pipeline based on the onion model for request and response pre- and post-processing. The framework is distinguished by its native support for modern network protocols, including a QUIC-based HTTP/3 implementation alongside HTTP/1 and HTTP/2. It includes an integrated OpenAPI documentation generator that extracts schemas directly from handler signatures to produc
Automate SSL/TLS certificates on Windows with ease
Maddy is a modular mail server that assembles a complete email system by connecting small, single-purpose modules through a declarative configuration file. Rather than a monolithic stack, it lets operators compose message processing, storage, authentication, and security enforcement from interchangeable building blocks, with each module handling a specific function like receiving SMTP connections, verifying credentials, or applying policy checks. The server distinguishes itself through its flexible authentication and security architecture. It delegates user verification to external systems in
This project is a command-line tool for managing public key infrastructure and digital identities. It provides a comprehensive suite for X.509 certificate lifecycle management, including the generation, signing, renewal, and revocation of certificates and signing requests. The tool distinguishes itself through specialized security capabilities such as binding cryptographic credentials to TPMs and HSMs for hardware-backed identity attestation. It also provides dedicated support for machine identity security, using short-lived SSH certificates and mTLS to secure non-human workloads. Broad capa
This project is a Kubernetes controller that automates the issuance, renewal, and lifecycle management of TLS certificates. It functions as a native extension to the cluster API, using custom resource definitions and reconciliation loops to maintain the desired state of certificates and trust bundles across distributed services. By integrating directly with the cluster's admission control and secret storage systems, it ensures that cryptographic identities are consistently provisioned and available for application workloads. The project distinguishes itself through its extensive support for a
Allinssl is a multi-platform certificate manager and ACME automator designed to handle the full lifecycle of security certificates. It provides a web-based management interface to orchestrate the issuance, renewal, and deployment of certificates across various servers and cloud environments. The system distinguishes itself through an orchestration engine that pushes certificates to diverse targets, including web application firewalls, server control panels, and remote hosts. It automates domain ownership verification using DNS challenges across multiple providers and employs an event-driven w
Mox is a self-hosted email server that runs as a single compiled Go binary, handling the full lifecycle of sending and receiving email through SMTP, IMAP4rev2, and a built-in webmail application. It is designed to be operated without external dependencies or runtime plugins, with all mail services — including spam filtering, queue management, and web interfaces for administration and account management — contained in one executable. The server distinguishes itself through automated TLS certificate management via ACME, DNS-based autoconfiguration for email clients, and file-based configuration
userver is a comprehensive C++ backend application platform and asynchronous framework designed for building scalable microservices. It provides a high-performance execution environment for deploying services that communicate via gRPC and HTTP using a middleware-based request pipeline. The platform distinguishes itself through a distributed service orchestration toolset that manages shared state, distributed locking, and dynamic configuration updates without requiring process restarts. It utilizes a coroutine-based asynchronous execution model and event-loop network I/O to handle high-concurr
RoadRunner is a high-performance application server and process manager designed to serve PHP applications using a persistent worker model. It eliminates bootload overhead and initialization time by keeping application processes alive between requests, acting as a protocol-agnostic proxy that routes traffic to a pool of supervised workers. The server is built with a plugin-based modular architecture, allowing it to be extended with custom Go plugins and compiled into tailored binaries. It distinguishes itself by providing a unified execution model for a wide array of communication protocols,
This project is a service mesh platform designed to manage, secure, and observe service-to-service communication within Kubernetes clusters. It functions as a control plane that orchestrates transparent sidecar proxies, which intercept and manage network traffic to provide reliable connectivity for microservices. By automating the injection of these proxies, the platform ensures that infrastructure-level policies are applied consistently across all workloads without requiring manual configuration changes. The platform distinguishes itself through its focus on zero-trust security and cross-clu
cert-manager is a Kubernetes TLS certificate manager and cluster add-on that automates the issuance and renewal of TLS certificates. It functions as a certificate lifecycle automator, managing certificates as native Kubernetes resources to secure internal and external network traffic. The project includes an ACME protocol client to automate certificate requests and validations from providers. It utilizes a controller to synchronize the desired state of certificates with responses from various certificate authorities. The system covers certificate provisioning from external issuers and vault
Boulder is a production-grade implementation of the ACME (Automated Certificate Management Environment) protocol, built around the same infrastructure that powers Let's Encrypt. It functions as a full certificate authority that automates the issuance, renewal, and revocation of TLS certificates, supporting multiple key algorithms including RSA, ECDSA, and experimental post-quantum ML-DSA keys. The project distinguishes itself through its multi-algorithm PKI hierarchy, which builds separate RSA and ECDSA root chains with cross-signing to support dual-algorithm trust paths. It includes a CRL-ba
This project is a Docker-based Nginx reverse proxy manager designed to automate the deployment of HTTPS for web applications. It functions as a gateway that acquires and renews security certificates via Let's Encrypt and proxies incoming traffic to backend services. The system distinguishes itself by automatically discovering web services running in Docker containers to eliminate manual domain configuration. It manages security certificates through an automated process and can expose these certificates to other applications via shared volumes. The tool covers traffic management through load
sing-box is a management script and universal proxy orchestrator designed to install, configure, and manage network proxy servers. It provides a command-line interface to deploy diverse proxy protocols—including TUIC, Trojan, and Hysteria2—within a single network engine. The project features an automated setup tool for the REALITY protocol to obfuscate network traffic and a system for provisioning and renewing security certificates to ensure encrypted connections. It also includes a Linux network optimizer to implement BBR congestion control and other system-level tweaks for improved throughp
Sandstorm is an open-source platform that packages and runs web applications in security-hardened sandboxes on a personal server, functioning as a self-hosted web app operating system. It provides a curated app store where users discover and install sandboxed web applications with one-click ease, while each application runs in an isolated container that uses Linux kernel security features to separate it from the host and other apps. The platform includes a centralized authentication layer so users sign in once and gain access to all installed applications without managing separate accounts per
Stalwart is a self-hosted email and collaboration infrastructure that provides an integrated mail server supporting SMTP, IMAP, POP3, and JMAP protocols. It functions as a comprehensive communication hub, combining email hosting with a collaboration server for shared calendars, contacts, and files. The system distinguishes itself through a distributed architecture that uses peer-to-peer cluster coordination to ensure high availability and fault tolerance. It features a built-in security suite that implements an S/MIME and OpenPGP email gateway alongside automated TLS certificate provisioning
Dramatiq is a distributed task queue and workload manager used to offload function execution to background workers. It functions as an asynchronous task orchestrator that enables the distribution of computational tasks across a cluster using a pluggable transport layer supporting RabbitMQ and Redis. The framework provides specialized tools for complex task orchestration, including the ability to link background jobs into sequences, pipelines, and barriers. It further manages distributed concurrency through the use of shared mutexes, rate limiters, and exponential backoff retries to prevent re
Rueidis is a high-performance Redis client library for Go that provides a type-safe and asynchronous interface for interacting with Redis servers. It includes a full implementation of the Redis serialization protocol and a dedicated connection manager to handle pooling, multiplexing, and automatic pipelining. The library is distinguished by its support for RDMA connectivity to reduce latency and CPU overhead. It features a distributed lock manager that implements majority-based locking and optimistic concurrency control, as well as client-side caching with invalidation signals to minimize net
dnmp is a containerized web development environment that provisions a full LNMP stack consisting of Nginx, MySQL, PHP, and Redis. It serves as a management system for coordinating web server routing, language runtime versions, database administration, and SSL certificate provisioning within Docker containers. The project distinguishes itself through a comprehensive PHP runtime manager that allows for switching between multiple language versions and managing extensions in isolated environments. It includes an automated SSL certificate manager that uses webroot validation to provision and renew
Agenda is a persistent background job scheduler and distributed task runner for Node.js applications. It functions as a cron job manager and task queue that ensures background processes survive application restarts by storing job state and metadata in a database. The system coordinates execution across multiple worker instances using distributed locking mechanisms to prevent duplicate processing. It supports flexible scheduling via cron expressions or specific dates and includes a pluggable storage interface for backends such as MongoDB, PostgreSQL, and Redis. The platform provides controls
Redsync is a distributed lock manager and Go Redis client extension designed to ensure exclusive access to shared resources. It implements mutual exclusion across multiple processes by using a Redis backend to coordinate synchronization and prevent race conditions in distributed environments. The library maintains lock validity through quorum-based consensus, requiring successful writes to a majority of independent Redis nodes. It utilizes Lua-scripted atomic operations for acquisition and release, while employing value-based ownership validation and time-to-live expiration to prevent deadloc
Caddy is an extensible, modular web server platform designed for high-performance traffic management and automated security. At its core, it functions as a dynamic HTTP gateway that handles request routing, static asset delivery, and reverse proxying through a chain of configurable handler modules. The system is built on a modular architecture that allows developers to extend server functionality by registering custom components, all managed through a unified lifecycle and provisioning framework. What distinguishes Caddy is its focus on automated infrastructure and zero-downtime operations. I
Vault is a centralized secrets management platform designed to secure, store, and control access to sensitive credentials such as API keys, passwords, certificates, and encryption keys. At its core, the system employs a barrier-based cryptographic sealing mechanism that requires an unseal process to decrypt internal storage, ensuring that sensitive data remains protected. It provides identity-based access control to manage granular permissions across distributed infrastructure, effectively centralizing security policies and authentication for both human and machine workloads. What distinguish
BaoTa is a web-based Linux server control panel and system administration dashboard designed for managing hosting environments and system resources. It provides a graphical interface to translate administrative actions into system-level configurations, allowing users to manage Linux servers and web hosting stacks without relying solely on the command line. The platform distinguishes itself through AI-driven server operations, utilizing artificial intelligence for performance analysis and the execution of maintenance tasks via natural language commands. It supports multi-node orchestration, en