Integrate With Your Existing PKI And Cloud Infrastructure
MachineCert connects to every CA, cloud, load balancer, Kubernetes cluster, secrets manager, and PKI you use.
How MachineCert integrates
MachineCert uses read-only API credentials to discover certificates and metadata across certificate authorities, clouds, load balancers, and Kubernetes clusters, then upgrades to write-mode credentials for automated deployment. Forty-plus native connectors cover the common stack; a generic webhook and a first-class Terraform provider handle anything custom, legacy, or air-gapped.
Cloud.
AWS: ACM for public certs (import and managed), AWS Private CA for internal issuance, Secrets Manager for cert + key bundles, and Parameter Store for plain-text PEM. Regional and cross-region coverage; assume-role works for landing-zone and Control Tower setups. IAM is least-privilege — typically acm:ListCertificates, acm:DescribeCertificate, and (for write mode) acm:ImportCertificate.
Azure: Key Vault certificates with managed issuer policies, App Service custom domain certs, Application Gateway listener certs, and Front Door. We support both Key Vault access policies and Azure RBAC; managed-identity authentication is the default for in-Azure runners.
GCP: Certificate Manager for global load-balancer certs, Certificate Authority Service for private issuance, and Secret Manager for distribution. Workload Identity Federation removes the need for long-lived service-account keys.
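The "cert + key bundles" that Secrets Manager and Parameter Store hand to a deployment connector arrive as one PEM blob, and a connector has to split it into leaf, chain and key before pushing it to a load balancer. The following is an added example, not MachineCert's code: a small PEM bundle parser that enforces the things a deployer should check before touching a live endpoint (exactly one unencrypted key, at least one certificate, no stray block types) and normalizes line endings so the same bytes land on every target. The sample bundle is constructed; its base64 bodies are filler, not real DER.

```python
import re
import ssl
from dataclasses import dataclass, field

# One PEM block; the label is captured so certificates can be told apart from keys.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\r\n]+?)"
    r"-----END (?P=label)-----"
)

_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


class BundleError(ValueError):
    """Raised when a bundle cannot be deployed as-is."""


@dataclass
class PemBundle:
    leaf: str                                   # end-entity certificate, always first
    chain: list = field(default_factory=list)   # intermediates in the order found
    key: str = ""                               # exactly one unencrypted private key

    @property
    def fullchain(self) -> str:
        """Leaf followed by intermediates: the layout NGINX and HAProxy expect."""
        return "".join([self.leaf] + self.chain)


def _normalize(label: str, body: str) -> str:
    # Re-emit with LF line endings and no stray whitespace.
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def split_pem_bundle(bundle: str) -> PemBundle:
    certs, keys = [], []
    for m in _PEM_BLOCK.finditer(bundle):
        label = m.group("label")
        block = _normalize(label, m.group("body"))
        if label == "CERTIFICATE":
            ssl.PEM_cert_to_DER_cert(block)     # rejects malformed base64 early
            certs.append(block)
        elif label in _KEY_LABELS:
            keys.append(block)
        elif label == "ENCRYPTED PRIVATE KEY":
            raise BundleError("key is passphrase-protected; store an unencrypted PKCS#8 key")
        else:
            raise BundleError("unexpected PEM block type: %s" % label)
    if not certs:
        raise BundleError("bundle contains no certificate")
    if len(keys) != 1:
        raise BundleError("expected exactly one private key, found %d" % len(keys))
    return PemBundle(leaf=certs[0], chain=certs[1:], key=keys[0])


def is_deployable(bundle: str) -> bool:
    """Convenience wrapper for pre-flight checks: True only if the bundle parses cleanly."""
    try:
        split_pem_bundle(bundle)
        return True
    except BundleError:
        return False


# Constructed sample bundle (key first, then leaf, then one intermediate); filler base64.
SAMPLE_BUNDLE = """\
-----BEGIN PRIVATE KEY-----
MIIBAAAAAAAAAAAAAAAAAAAA
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBBBBBBBBBBBBBBBBBBBBB
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBCCCCCCCCCCCCCCCCCCCC
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    b = split_pem_bundle(SAMPLE_BUNDLE)
    print("leaf + %d intermediate(s); key block: %s" % (len(b.chain), b.key.splitlines()[0]))
```

The ssl.PEM_cert_to_DER_cert round-trip only proves the framing and base64 are well-formed; it does not parse the certificate, so subject/issuer chain ordering and key-to-cert matching still need a real X.509 library before the bundle is trusted for deployment.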
Load balancers.
F5 BIG-IP via iControl REST: install the renewed cert + key, build or update the client-SSL profile, attach to the virtual server, and reload — partition-aware and tested against HA pairs. NGINX (OSS) reloads on config write; NGINX Plus uses the dynamic key-value store for zero-reload swaps.
HAProxy via the runtime socket API: the set ssl cert and commit ssl cert commands give hitless updates; HAProxy Enterprise is handled via the Data Plane API. Citrix ADC (NetScaler) NITRO for SSL cert-key pairs and binding to virtual servers and content-switching vservers.
Apache HTTP Server via config rewrite + graceful reload. AWS ELB family: ALB and NLB listener cert rotation (including SNI cert lists) and Classic ELB for legacy estates. Each connector reports back the post-deploy health-check state so you don’t mark a rollout complete on a half-broken endpoint.
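The HAProxy hitless update described above is a three-step exchange on the admin socket: stage the new PEM with set ssl cert, commit ssl cert to make it live, and read it back before declaring the rollout done. This is an added example, not MachineCert's connector: a Python driver for that exchange that aborts the staged transaction when the commit fails, so the old certificate keeps serving. The socket path is an assumption, the certificate must already be known to HAProxy from a bind line or crt-list (the runtime API cannot add new files), and FakeHAProxy is a constructed stand-in that scripts HAProxy's side of the conversation so the block runs offline.

```python
import socket
from typing import Callable

# Assumed path; declare it in haproxy.cfg as "stats socket <path> mode 660 level admin".
DEFAULT_SOCKET = "/run/haproxy/admin.sock"


def send_command(sock_path: str, command: str) -> str:
    """Send one runtime-API command and return the full reply. HAProxy closes the
    connection after each command (outside prompt mode), so connect per command."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(command.encode())
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode()


def build_set_cert(cert_path: str, pem: str) -> str:
    """'<<' announces a multi-line payload; an empty line terminates it."""
    return "set ssl cert %s <<\n%s\n\n" % (cert_path, pem.strip())


def hitless_update(cert_path: str, pem: str, send: Callable[[str], str]) -> str:
    """Stage, commit and verify a certificate swap without reloading HAProxy.
    Returns the 'show ssl cert' output so the caller can compare it with what it
    deployed before marking the rollout complete."""
    reply = send(build_set_cert(cert_path, pem))
    if "Transaction created" not in reply:
        raise RuntimeError("set ssl cert rejected: %s" % reply.strip())
    reply = send("commit ssl cert %s\n" % cert_path)
    if "Success!" not in reply:
        # Drop the staged transaction; the previously committed cert is untouched.
        send("abort ssl cert %s\n" % cert_path)
        raise RuntimeError("commit failed, transaction aborted: %s" % reply.strip())
    return send("show ssl cert %s\n" % cert_path)


class FakeHAProxy:
    """Constructed stand-in scripting HAProxy's replies; records every command sent."""

    def __init__(self, fail_commit: bool = False):
        self.log, self.fail_commit = [], fail_commit
        self.staged, self.live = {}, {}

    def __call__(self, cmd: str) -> str:
        self.log.append(cmd)
        verb, _, rest = cmd.partition(" ssl cert ")
        path = rest.split()[0] if rest.strip() else ""
        if verb == "set":
            self.staged[path] = rest.split("<<\n", 1)[1].rstrip("\n")
            return "Transaction created for certificate %s!\n" % path
        if verb == "commit":
            if self.fail_commit:
                return "Can't commit %s!\n" % path          # constructed error text
            self.live[path] = self.staged.pop(path)
            return "Committing %s.\nSuccess!\n" % path
        if verb == "abort":
            self.staged.pop(path, None)
            return "Transaction aborted for certificate %s!\n" % path
        if verb == "show":
            return "Filename: %s\nStatus: Used\n" % path
        return "Unknown command.\n"


if __name__ == "__main__":
    # Offline demo against the fake; swap in the lambda below to talk to a real socket.
    fake = FakeHAProxy()
    print(hitless_update("/etc/haproxy/certs/site.pem", "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----", fake))
    # real_send = lambda cmd: send_command(DEFAULT_SOCKET, cmd)
```

The health check the page mentions maps onto the final show ssl cert read-back: compare the serial or fingerprint HAProxy reports against the certificate just deployed, and treat a mismatch or a missing "Status: Used" as a failed rollout rather than a success.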
Kubernetes.
MachineCert speaks native cert-manager: it reconciles Certificate, CertificateRequest, Issuer, and ClusterIssuer CRDs, writes results into kubernetes.io/tls Secrets, and triggers rollouts on consuming Deployments through annotation-driven restart. Existing cert-manager manifests work without modification.
Service mesh: Istio (Citadel CA replacement, automatic SDS distribution to Envoy sidecars), Linkerd (identity controller trust anchor and issuer rotation), and Consul Connect. mTLS trust-bundle distribution and rotation are handled without sidecar restarts.
Managed Kubernetes: first-class context detection for GKE (Workload Identity), EKS (IRSA), and AKS (managed identity), so the same controller manifest works across all three. Multi-cluster fleets get a single MachineCert control plane with per-cluster policy scoping.
Secrets managers and Vault.
HashiCorp Vault PKI secrets engine: role-scoped issuance, lease-aware renewal windows, and revocation via the /pki/revoke endpoint. We honor the configured TTL and max-TTL on each role and surface lease expiry as a first-class signal in the MachineCert dashboard. Auto-unseal-aware: short network blips on a sealed Vault don’t cascade into false expiry alerts.
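Two details in the Vault paragraph above are easy to get wrong in a scheduler: a PKI role silently caps any requested TTL at its max_ttl, so the renewal window must be planned from what Vault actually grants, and a sealed Vault inside the renewal window is a deferral, not an expiry. The following is an added example, not MachineCert's scheduler: the renewal decision as a small function, with the 2/3-of-lifetime window and the 6-hour hard grace as assumed tunables, and the sealed check based on the 503 that GET /v1/sys/health returns for a sealed node. The timeline in the main block is constructed.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum


class Action(Enum):
    WAIT = "wait"          # comfortably inside the cert's lifetime
    REISSUE = "reissue"    # in the renewal window and Vault can issue
    DEFER = "defer"        # Vault sealed/unreachable but headroom remains: retry, don't page
    ALERT = "alert"        # expiry imminent (or passed) and no issuer available


def effective_ttl(requested: timedelta, role_ttl: timedelta, role_max_ttl: timedelta) -> timedelta:
    """What the PKI role will actually grant: the request (or the role's default ttl),
    capped at max_ttl. Vault truncates larger requests without error, so plan from this."""
    return min(requested or role_ttl, role_max_ttl)


def vault_sealed_from_health(status_code: int) -> bool:
    """GET /v1/sys/health answers 503 when sealed; 200, 429 and 473 are usable states."""
    return status_code == 503


def plan(not_before: datetime, not_after: datetime, now: datetime, vault_sealed: bool,
         renew_fraction: float = 2 / 3, hard_grace: timedelta = timedelta(hours=6)) -> Action:
    """PKI certificates cannot be extended, so 'renewal' means reissue. The window opens
    at renew_fraction of the lifetime; a sealed Vault inside the window is deferred and
    only escalates to ALERT once hard_grace is all that is left before expiry."""
    if now >= not_after:
        return Action.ALERT
    renew_at = not_before + (not_after - not_before) * renew_fraction
    if now < renew_at:
        return Action.WAIT
    if not vault_sealed:
        return Action.REISSUE
    return Action.ALERT if now >= not_after - hard_grace else Action.DEFER


if __name__ == "__main__":
    # Constructed timeline: a role with ttl=30d, max_ttl=60d, client asks for 90d.
    granted = effective_ttl(timedelta(days=90), timedelta(days=30), timedelta(days=60))
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    expiry = issued + granted
    for day, sealed in ((10, False), (45, False), (45, True), (59, True)):
        print(day, sealed, plan(issued, expiry, issued + timedelta(days=day), sealed).value)
```

Wiring this in: poll /v1/sys/health, feed vault_sealed_from_health into plan, and page only on ALERT; DEFER is the signal to retry on a short backoff and to surface "issuer unavailable" in the dashboard without touching the certificate's own expiry state.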
CyberArk Conjur (self-hosted) and Conjur Cloud: certificate and key material retrieved over the V5 API with host-factory authentication. Both deployments support reading certificate metadata and triggering rotation; combined with Vault, this covers most regulated-industry secret-store stacks without exposing key material to MachineCert.
CyberArk PAM.
For highly regulated environments — federal, FSI, healthcare — MachineCert integrates with CyberArk Privileged Access Manager so that the credentials used to deploy renewed certificates (F5 root, NGINX system user, AD CS enrollment account) are vaulted in CyberArk and retrieved just-in-time. Deployments are logged with full PAM session recording where configured.
Central Credential Provider (CCP) and Application Identity Manager (AIM) are both supported. The integration removes the last hardcoded service credential from your cert-rotation pipeline, which is usually the audit finding that blocks a CLM rollout in regulated environments.
Frequently asked.
Need a custom integration?
The 40+ native connectors cover the common stack. For everything else — internal homegrown CAs, legacy network appliances, air-gapped issuers, niche secrets managers — the MachineCert Terraform provider and the generic HTTPS webhook give you a clean fallback. Our engineering team will pair with yours to build a connector for any system with a documented API.
Most net-new connectors ship in under two weeks. We don’t charge for the work; the connector lands in the public catalog so every customer benefits.