30 open-source projects similar to certbot/certbot, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Certbot alternative.
This project is a public key infrastructure management system designed to automate the issuance, renewal, and revocation of X.509, TLS, and SSH certificates. It functions as a machine identity provider and certificate authority, enabling the establishment of private PKI to secure inter-service communication and remote access. The system distinguishes itself through hardware-bound identity attestation, which ties cryptographic keys to physical device silicon or TPMs to prevent credential exfiltration. It supports a wide array of identity verification mechanisms, including OIDC, cloud-provider
Vault is a centralized secrets management platform designed to secure, store, and control access to sensitive credentials such as API keys, passwords, certificates, and encryption keys. At its core, the system employs a barrier-based cryptographic sealing mechanism that requires an unseal process to decrypt internal storage, ensuring that sensitive data remains protected. It provides identity-based access control to manage granular permissions across distributed infrastructure, effectively centralizing security policies and authentication for both human and machine workloads. What distinguish
mkcert is a command-line utility designed to simplify local development by generating and managing locally-trusted development certificates. It creates a unique, self-signed root certificate authority on the local machine, which serves as a trusted source for issuing development credentials. By automating the generation of these certificates, the tool enables secure encrypted connections that browsers and operating systems accept without security warnings. The utility distinguishes itself by automatically configuring local trust stores, programmatically injecting the generated root certificat
This project is a command-line interface that bridges local development workflows with remote platform services. It functions as a terminal-based platform client, enabling users to manage repositories, issues, and pull requests directly from their command line through authenticated API interactions. The tool provides a modular environment that supports custom binary extensions and command aliases, allowing developers to tailor their terminal experience to specific project needs. Beyond standard repository management, the tool serves as a remote development manager, offering capabilities to pr
Airflow is a platform for programmatically authoring, scheduling, and monitoring complex data pipelines. It functions as a workflow automation engine that manages the lifecycle of recurring business processes by executing code-defined task dependencies. By representing workflows as directed acyclic graphs, the system ensures that task execution order and data flow are explicitly defined and reliably maintained across distributed computing environments. The platform distinguishes itself through a highly modular, provider-based architecture that decouples core orchestration logic from external
acme.sh is a shell-based certificate manager and ACME SSL certificate client. It automates the issuance, renewal, and installation of digital security certificates using a portable Unix shell script to remove dependencies on heavy runtime environments. The project specializes in automated domain ownership verification through a DNS challenge automator that integrates with provider APIs. It supports the generation of diverse certificate types, including wildcard certificates and issuance based on pre-existing certificate signing requests. The tool covers the full certificate lifecycle, includ
cert-manager is a Kubernetes TLS certificate manager and cluster add-on that automates the issuance and renewal of TLS certificates. It functions as a certificate lifecycle automator, managing certificates as native Kubernetes resources to secure internal and external network traffic. The project includes an ACME protocol client to automate certificate requests and validations from providers. It utilizes a controller to synchronize the desired state of certificates with responses from various certificate authorities. The system covers certificate provisioning from external issuers and vault
This project is a Kubernetes controller that automates the issuance, renewal, and lifecycle management of TLS certificates. It functions as a native extension to the cluster API, using custom resource definitions and reconciliation loops to maintain the desired state of certificates and trust bundles across distributed services. By integrating directly with the cluster's admission control and secret storage systems, it ensures that cryptographic identities are consistently provisioned and available for application workloads. The project distinguishes itself through its extensive support for a
nginxconfig.io is a web-based NGINX configuration generator designed to build and optimize server configuration files through a visual interface. It functions as a management tool to help avoid manual syntax errors when defining server blocks. The project provides specialized utilities for implementing Gzip and Brotli compression, configuring caching strategies, and managing the deployment and renewal of SSL certificates. It also includes a reverse proxy configurator for defining routing rules and backend application server mappings to distribute network traffic. Additional capabilities cove
Mac-CLI is a collection of terminal commands and utilities designed for automating system management, hardware monitoring, and software configuration on macOS. It serves as a developer utility and automation tool for manipulating files, managing version control, and auditing installed packages from the command line. The project provides hardware monitoring capabilities to track real-time battery health, CPU temperature, and fan speeds. It also includes system automation tools for managing power states, disk usage, and network settings through a unified interface. The utility covers several f
Powerline is a statusline and prompt generation framework designed to provide consistent visual information across terminal shells, text editors, and multiplexers. It functions as a configuration-driven customization engine that allows users to define themes, color schemes, and dynamic segment layouts to maintain a cohesive interface across diverse command-line environments. The system utilizes a persistent background daemon to manage state and rendering logic, which offloads processing tasks to minimize resource consumption and ensure high responsiveness across multiple active application in
gopass is a terminal-based password manager and GPG secret store used for generating, storing, and retrieving encrypted credentials. It functions as a collaborative secret manager that encrypts data using GPG or age and synchronizes it across devices and teams using Git. The system distinguishes itself by treating version control repositories as the primary storage backend, enabling secure secret sharing and version history for credentials. It utilizes a hierarchical directory structure to organize secrets on the filesystem and supports multi-store mounting to combine multiple independent rep
This project provides a command-line interface for managing the lifecycle of applications from the Apple App Store. It functions as a package manager for macOS, enabling users to search for software, install new applications, and maintain existing installations directly through terminal commands. The tool distinguishes itself by wrapping private system APIs to perform store operations that are typically restricted to the graphical user interface. It integrates with the operating system to handle administrative privilege elevation, allowing for secure, automated modifications to protected appl
Scoop is a command-line package manager and installer for Windows. It serves as a developer environment orchestrator designed to automate the installation, updating, and removal of software packages through a centralized repository of manifests. The project functions as a portable application distributor, deploying software using compressed archives rather than traditional Windows installers. This approach avoids graphical installation wizards and registry pollution by utilizing an isolated directory structure and shim-based execution to manage application binaries. The system includes capab
s3cmd is a command-line client for Amazon S3 and S3-compatible cloud storage services. It provides a unified terminal interface for managing buckets and objects, transferring files, and synchronising directories. All operations are performed over HTTPS with HMAC-SHA256 request signing and TLS encryption to secure data in transit. The tool supports incremental transfers using S3 ETags, so only new or modified files are sent during sync. Large files are handled with multipart upload chunking, reducing the impact of failures and improving throughput. Directory synchronisation works recursively w
Cryptomator is a client-side cloud encryption tool and cross-platform vault manager. It provides a transparent encryption layer that encrypts files and folder structures locally before they are uploaded to a cloud storage provider. The software creates virtual encrypted drives that mount encrypted vaults, allowing users to interact with their data as if it were on a physical disk. It supports the management of multiple independent encrypted containers, each protected by a unique password. The project covers data privacy through directory structure obfuscation and filename encryption to hide
Fast and powerful SSL/TLS scanning library.
Trufflehog is a security tool designed to continuously monitor code repositories and cloud environments to detect, verify, and remediate exposed sensitive credentials and API keys. It functions as a comprehensive secret scanning engine that integrates directly into deployment pipelines and version control systems to intercept sensitive data before it is committed or pushed. By utilizing read-only operations and volatile memory processing, the system ensures that discovered credentials are never stored persistently, maintaining strict data privacy throughout the scanning lifecycle. The platfor
Amass is an attack surface management tool designed to identify, map, and inventory an organization's internet-facing digital assets. It functions as a security asset discovery engine that systematically expands an organization's known infrastructure footprint through recursive domain name resolution and the collection of intelligence from diverse public data sources. The platform distinguishes itself by utilizing a graph-based modeling approach to organize discovered resources. By maintaining a persistent graph database, it tracks the relationships between infrastructure components and norma
sslscan tests SSL/TLS-enabled services to discover supported cipher suites.
Impacket is a collection of Python classes designed for the construction, manipulation, and analysis of low-level network packets and services. It functions as a framework for building custom network tools, providing a programmatic interface to interact with communication protocols and service architectures. The library provides primitives for managing authentication, session state, and remote procedure calls within network environments. By offering a modular class hierarchy, it allows for the assembly of network packets and the implementation of specialized communication stacks. The project
Blackbox is a GPG secret management tool and asymmetric encryption wrapper used to securely store and share sensitive files within version control systems like Git, Mercurial, or Subversion. It functions as a version control secret store that encrypts files for safe storage at rest while allowing authorized users and machines to decrypt them. The system distinguishes itself by integrating directly with version control to provide plaintext diff and log visualization of encrypted files. It supports multi-recipient encryption and automated secret decryption via passphrase-less GPG subkeys, enabl
RustScan is a high-speed network reconnaissance tool designed for automated port discovery and service enumeration. It functions as an automated vulnerability scanner that identifies open ports and active services across network environments, providing a foundation for mapping attack surfaces and gathering intelligence on target systems. The tool distinguishes itself through its ability to dynamically adjust scanning parameters and concurrency in real time based on system feedback, ensuring efficient performance while preventing network congestion. It features an extensible architecture that
This project is a privacy-focused VPN manager and WireGuard client application designed to establish encrypted tunnels that mask user IP addresses and activity. It focuses on maintaining anonymity through a system that supports account creation without personal identifying information. The application distinguishes itself with advanced privacy tools, including a multi-hop orchestrator for routing traffic through multiple sequential servers and a network traffic obfuscator that uses Shadowsocks, TCP, and QUIC to bypass deep packet inspection and censorship. It also implements quantum-resistant
The framework is a comprehensive penetration testing platform designed for the development, testing, and execution of security exploits. It serves as a research toolkit and automated assessment environment, enabling security professionals to identify and validate vulnerabilities within networked systems and infrastructure through repeatable, standardized procedures. The platform distinguishes itself through a modular architecture that supports reflective payload injection, allowing for the execution of code directly in memory without writing to disk. It utilizes an asynchronous event loop to
Keycloak is an open-source identity and access management server that provides a centralized platform for user authentication, authorization, and identity federation. It functions as a standards-compliant identity provider, utilizing a centralized engine to validate credentials and issue cryptographically signed tokens based on industry-standard protocols like OpenID Connect and SAML. This enables organizations to secure diverse applications and services through a unified authentication layer. The platform distinguishes itself through its cloud-native orchestration and high-availability capab
Gallery-dl is a command-line utility designed for the automated retrieval and archiving of image collections from various hosting websites. It functions as a content scraper that manages the entire lifecycle of media discovery, from identifying assets on web pages to storing them in structured local directories. The tool utilizes a plugin-based architecture to handle site-specific extraction logic, allowing it to map input web addresses to the appropriate modules through pattern matching. Users can define custom naming patterns and directory structures using configuration-driven templates, en
This project is a comprehensive zero-knowledge security suite designed for enterprise credential management, secrets orchestration, and password management. It provides a secure, end-to-end encrypted vault that allows users to store, synchronize, and manage sensitive information, including passwords, passkeys, and infrastructure secrets, across desktop, mobile, and browser environments. The platform distinguishes itself through a strict zero-knowledge architecture where all encryption and decryption occur locally on the client, ensuring that plaintext data remains inaccessible to the server.
PicGo is a cross-platform desktop utility designed to automate image hosting and asset management. It functions as a pipeline-based engine that processes image inputs—such as local files, base64 strings, or clipboard data—through a configurable sequence of transformations and uploads to various cloud storage providers. The application distinguishes itself through a modular, plugin-based architecture that allows users to extend core functionality without modifying the main binary. By utilizing a lifecycle hook system, developers can register custom logic to intercept and modify data at specifi