certctl: Self-hosted certificate lifecycle platform with 78 API endpoints for AI agent automation

What certctl is
certctl is a self-hosted certificate lifecycle platform with a full REST API, built specifically for automation by AI coding agents ("claws"). The creator has been developing it with Claude as a copilot from the beginning, resulting in approximately 15,000 lines of Go and TypeScript code with 744+ tests.
Key features and capabilities
The platform addresses the upcoming challenge of TLS certificate management: the CA/Browser Forum's SC-081v3 ballot pushes maximum certificate lifespans down to 47 days by 2029, which will require constant rotation across server fleets.
The API provides 78 endpoints covering:
- Certificate issuance
- Renewal operations
- Revocation processes
- Deployment workflows
- Agent management
- Policy enforcement
- Audit trail access
- Fleet health monitoring
- Metrics collection
Every operation available in the React dashboard is also available through the API. An MCP server is on the roadmap to expose all functionality as native MCP tools.
Practical use cases for AI agents
With structured API access, AI agents can:
- Query which certificates are expiring within a specific timeframe
- Trigger certificate renewals
- Check agent fleet status
- Pull audit logs
- Revoke compromised certificates
- Read OCSP status
This eliminates the need for browser automation or screen scraping, providing direct API access to the entire certificate lifecycle.
Infrastructure compatibility
The platform is issuer-agnostic, supporting:
- ACME/Let's Encrypt
- step-ca
- Internal certificate authorities
- Sub-CAs under enterprise roots
It's also target-agnostic with current support for:
- NGINX
- Apache
- HAProxy
Support for F5 and IIS is coming soon. This provides a single interface for AI agents regardless of the underlying infrastructure.
Development workflow
The creator maintains a "CLAUDE.md" file in the repository that tracks every milestone, file location, and architecture decision. Each development session starts with Claude reading this document, which provides full context in seconds. When a milestone ships, the document is updated with what changed, enabling sustained work on a complex multi-milestone project across dozens of sessions without losing state.
📖 Read the full source: r/openclaw