30 open-source projects similar to letsencrypt/boulder, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Boulder alternative.
This project is a public key infrastructure management system designed to automate the issuance, renewal, and revocation of X.509, TLS, and SSH certificates. It functions as a machine identity provider and certificate authority, enabling the establishment of private PKI to secure inter-service communication and remote access. The system distinguishes itself through hardware-bound identity attestation, which ties cryptographic keys to physical device silicon or TPMs to prevent credential exfiltration. It supports a wide array of identity verification mechanisms, including OIDC, cloud-provider
Easy-RSA is a shell-based utility designed to automate the creation and management of a public key infrastructure. It functions as a simplified interface for OpenSSL, providing the tooling necessary to establish a root certificate authority and manage X.509 certificates. The project focuses on the lifecycle of digital identities, covering the issuance of certificates to verify entities and the maintenance of revocation lists to invalidate compromised credentials. It specifically provides the utilities required to generate the keys and certificates used to secure OpenVPN connections. The syst
Maddy is a modular mail server that assembles a complete email system by connecting small, single-purpose modules through a declarative configuration file. Rather than a monolithic stack, it lets operators compose message processing, storage, authentication, and security enforcement from interchangeable building blocks, with each module handling a specific function like receiving SMTP connections, verifying credentials, or applying policy checks. The server distinguishes itself through its flexible authentication and security architecture. It delegates user verification to external systems in
This project is a command-line tool for managing public key infrastructure and digital identities. It provides a comprehensive suite for X.509 certificate lifecycle management, including the generation, signing, renewal, and revocation of certificates and signing requests. The tool distinguishes itself through specialized security capabilities such as binding cryptographic credentials to TPMs and HSMs for hardware-backed identity attestation. It also provides dedicated support for machine identity security, using short-lived SSH certificates and mTLS to secure non-human workloads. Broad capa
CertMagic is a Go library for automating the issuance and renewal of TLS certificates. It functions as an automatic HTTPS provisioner and ACME client that handles the full lifecycle of certificates to ensure secure connectivity without manual intervention. The library is distinguished by its support for on-demand TLS provisioning, which generates certificates dynamically during the TLS handshake based on the server name. It also provides automation for wildcard certificates through DNS challenge verification and integrates with the ZeroSSL API for certificate acquisition. The project covers
The NGINX Ingress Controller is a Kubernetes-native traffic manager that handles external requests and routes them to internal services. It translates Kubernetes API objects and annotations into proxy configurations to manage incoming HTTP, TCP, and UDP traffic. The controller distinguishes itself through advanced traffic steering and security integration. It supports blue-green and canary traffic splitting, as well as content-based and regex path routing. Security is handled at the edge via a web application firewall, denial-of-service protection, and a variety of authentication methods incl
This project is a Kubernetes controller that automates the issuance, renewal, and lifecycle management of TLS certificates. It functions as a native extension to the cluster API, using custom resource definitions and reconciliation loops to maintain the desired state of certificates and trust bundles across distributed services. By integrating directly with the cluster's admission control and secret storage systems, it ensures that cryptographic identities are consistently provisioned and available for application workloads. The project distinguishes itself through its extensive support for a
Sandstorm is an open-source platform that packages and runs web applications in security-hardened sandboxes on a personal server, functioning as a self-hosted web app operating system. It provides a curated app store where users discover and install sandboxed web applications with one-click ease, while each application runs in an isolated container that uses Linux kernel security features to separate it from the host and other apps. The platform includes a centralized authentication layer so users sign in once and gain access to all installed applications without managing separate accounts per
caddy-docker-proxy is a dynamic HTTP reverse proxy and Docker network ingress controller that automatically generates routing configurations by reading labels from Docker containers. It serves as a service discovery tool that detects container IP addresses in real time to route incoming web traffic to the correct backend targets. The project functions as a distributed proxy orchestrator, capable of pushing generated configurations from a central controller to multiple remote server instances to scale request handling. It automates the issuance and renewal of TLS security certificates for prox
Mox is a self-hosted email server that runs as a single compiled Go binary, handling the full lifecycle of sending and receiving email through SMTP, IMAP4rev2, and a built-in webmail application. It is designed to be operated without external dependencies or runtime plugins, with all mail services — including spam filtering, queue management, and web interfaces for administration and account management — contained in one executable. The server distinguishes itself through automated TLS certificate management via ACME, DNS-based autoconfiguration for email clients, and file-based configuration
Mail-in-a-Box is a self-hosted email server appliance that automates the deployment of SMTP, IMAP, and POP3 services on Linux. It functions as a complete suite including a DNS management server, a spam and abuse filter, and a web-based administrative control panel for managing users, aliases, and storage quotas. The project distinguishes itself through a high degree of automation for email security and authenticity. It automatically provisions and maintains SPF, DKIM, DMARC, and DNSSEC records to prevent domain spoofing, while managing the installation and rotation of TLS certificates and enf
The AWS Load Balancer Controller is a Kubernetes controller that automates the provisioning and lifecycle management of cloud-native load balancing resources. It functions as an infrastructure orchestrator, translating declarative cluster configurations into specific requests for external cloud services to route traffic into containerized workloads. By implementing standard ingress and gateway specifications, the system ensures that cluster networking adheres to official industry standards for HTTP, HTTPS, and transport-layer traffic. The controller distinguishes itself through its deep integ
sing-box is a management script and universal proxy orchestrator designed to install, configure, and manage network proxy servers. It provides a command-line interface to deploy diverse proxy protocols—including TUIC, Trojan, and Hysteria2—within a single network engine. The project features an automated setup tool for the REALITY protocol to obfuscate network traffic and a system for provisioning and renewing security certificates to ensure encrypted connections. It also includes a Linux network optimizer to implement BBR congestion control and other system-level tweaks for improved throughp
This project is a Kubernetes ingress controller that manages external traffic by dynamically configuring the HAProxy load balancer. It functions as a bridge between cluster resources and the network data plane, translating high-level ingress definitions into active proxy configurations to route HTTP, TCP, and UDP traffic into containerized environments. The controller distinguishes itself through a decoupled architecture that separates control plane logic from the proxy process, allowing for independent lifecycle management and versioning. It utilizes template-based configuration generation a
Kubeasz is an automation framework designed for the lifecycle management of production-grade Kubernetes clusters. It functions as an Ansible-based provisioner that orchestrates the installation, scaling, and maintenance of cluster components across distributed Linux nodes. By utilizing inventory-driven management and role-based task modularization, the project ensures that infrastructure configurations remain consistent and reproducible across diverse environments. The platform distinguishes itself through its focus on automated system administration and operational continuity. It provides bu
etcd is a distributed, strongly consistent key-value store designed to provide reliable storage for critical system metadata and coordination primitives. It functions as a distributed consensus engine, utilizing a replicated log and leader-based state machine to ensure that all nodes in a cluster maintain a synchronized view of data. By providing atomic operations and linearizable reads and writes, it serves as a foundational component for distributed systems requiring high availability and fault tolerance. The system distinguishes itself through its multi-version concurrency control, which e
Corda is a distributed ledger technology platform used to build private, interoperable business networks. It provides a framework for creating shared records of facts and executing smart contracts between specific participants without requiring global data broadcasting. The platform distinguishes itself through a point-to-point state distribution model and a UTXO-based ledger, ensuring that transaction data is shared only between involved parties to maintain strict privacy. It utilizes a JVM-based smart contract engine to execute business logic written in Java or Kotlin and employs a notary-b
Forge is a JavaScript cryptography library providing a comprehensive set of tools for symmetric and asymmetric encryption, hashing, and digital signatures. It includes a full Transport Layer Security implementation for establishing secure network connections and managing encrypted traffic. The project implements a wide array of public key infrastructure tools, including X.509 certificate management, the generation of certificate signing requests, and the validation of certificate chains. It provides a PKCS cryptographic toolkit for handling secure archives and signed messages, alongside suppo
Dehydrated is a shell-script ACME client that automates the lifecycle of TLS certificates from certificate authorities like Let's Encrypt. It implements the ACME protocol entirely in POSIX shell script with no external dependencies beyond standard Unix tools, relying on OpenSSL for all cryptographic operations including key generation, signing, and certificate parsing. The tool manages account keys, certificates, and configuration as plain files on disk, maintaining certificate metadata and account status in simple text files without a database. It delegates domain validation challenges to us
acme.sh is a shell-based certificate manager and ACME SSL certificate client. It automates the issuance, renewal, and installation of digital security certificates using a portable Unix shell script to remove dependencies on heavy runtime environments. The project specializes in automated domain ownership verification through a DNS challenge automator that integrates with provider APIs. It supports the generation of diverse certificate types, including wildcard certificates and issuance based on pre-existing certificate signing requests. The tool covers the full certificate lifecycle, includ
This project is a toolkit for creating and managing X.509 certificate authorities, covering the issuance, signing, and management of TLS certificates and private keys. It includes a command-line utility for generating certificate signing requests, bundling certificate chains, and parsing PEM or DER files. The system features an HTTP API server that allows for remote signing and verification of certificates using JSON requests and responses. This architecture supports automated certificate provisioning and includes a signing proxy to forward requests to remote backend services. The
Higress is an AI-native and cloud-native API gateway that routes, secures, and optimizes traffic between clients and large language model services. It functions as a centralized entry point for microservices, serving as both a Kubernetes ingress controller and an AI gateway orchestrator. The project distinguishes itself by managing traffic across multiple AI providers using a unified protocol, incorporating token-aware rate limiting and response caching to optimize model inference. It coordinates communication between AI models and external tools to provide real-time context and data, while a
Quip Node Manager is a graphical user interface designed for deploying, monitoring, and configuring Quip Network nodes and their associated container stacks. It serves as a container orchestration dashboard that allows users to manage interconnected application services without using command-line tools. The project features a hardware acceleration manager for mapping specific CPU and GPU compute resources to the runtime environment and managing device memory. It includes a system readiness validator to verify container tool availability and network port reachability before initiating the appl
RoadRunner is a high-performance application server and process manager designed to serve PHP applications using a persistent worker model. It eliminates bootload overhead and initialization time by keeping application processes alive between requests, acting as a protocol-agnostic proxy that routes traffic to a pool of supervised workers. The server is built with a plugin-based modular architecture, allowing it to be extended with custom Go plugins and compiled into tailored binaries. It distinguishes itself by providing a unified execution model for a wide array of communication protocols,
Poem is a comprehensive toolkit for building type-safe web applications, APIs, and servers using the Rust programming language. It provides a foundation for developing web servers that handle HTTP requests with strong type safety. The framework distinguishes itself by supporting multiple communication protocols through a protocol-agnostic handler mapping. This allows a single internal logic to be exposed across HTTP, gRPC services using protobuf definitions, and the Model Context Protocol for AI model integration. Additionally, it includes built-in tooling for generating OpenAPI v3 specificat
This project is an API gateway and ingress controller designed to manage traffic, security, and service connectivity within Kubernetes environments. It operates as a controller that monitors cluster state to reconcile gateway configurations with desired infrastructure definitions, ensuring that network policies and routing rules remain consistent across distributed deployments. The system distinguishes itself through a modular request pipeline that allows for the injection of custom logic to handle transformations, security checks, and logging. It supports declarative infrastructure managemen
Octelium is a zero-trust network access platform and identity-aware proxy designed to secure private HTTP, SSH, and SQL resources. It functions as a secure gateway that validates human and workload identities using OIDC, SAML, and FIDO2 passkeys before granting access to internal applications and SaaS APIs. The system is distinguished by its secretless access broker, which injects credentials (such as API keys, passwords, and AWS SigV4 signatures) at the gateway level so users can access databases and cloud resources without managing secrets. It further specializes in AI gateway administration,
HAProxy is a high-performance TCP and HTTP proxy that distributes traffic across multiple backend servers to ensure availability and fault tolerance for critical services. It operates in either TCP or HTTP mode, with an event-driven, single-threaded reactor that handles tens of thousands of connections without context switching, and supports kernel-level data transfer to minimize memory usage and latency. What distinguishes HAProxy is its configuration-file-first design, where all load-balancing rules and runtime behavior are defined in a declarative text file parsed at startup. It embeds a L
Higress is an AI API gateway and cloud-native traffic manager that functions as a Kubernetes ingress controller. It provides a centralized system for routing, securing, and optimizing traffic directed toward large language models, AI agents, and microservice architectures. The project distinguishes itself through deep AI orchestration, including the ability to host and manage Model Context Protocol servers that transform REST APIs into tools for AI agents. It features specialized AI infrastructure for model request proxying, protocol translation across multiple providers, and semantic-based c
Salvo is a comprehensive Rust web framework for building asynchronous HTTP servers and web applications. It features a hierarchical web router that uses a tree-based structure to map requests to handlers and an asynchronous middleware pipeline based on the onion model for request and response pre- and post-processing. The framework is distinguished by its native support for modern network protocols, including a QUIC-based HTTP/3 implementation alongside HTTP/1 and HTTP/2. It includes an integrated OpenAPI documentation generator that extracts schemas directly from handler signatures to produc