Certificate Deployment
Deployment covers the entire process from when the certificate is fetched from the CA to when it is installed and active on the endpoint. sslbrain supports several methods depending on the platform.
Recommended method per platform
| Platform | Method | Note |
|---|---|---|
| Windows | Service Agent (pull) | Most stable, easiest to maintain, no open ports |
| Linux | Push via SSH | sslbrain connects directly and runs the agent |
| Appliances | Push via SSH or API | Depends on the device (SSH for pfSense/ESXi, API for NetScaler/vCenter) |
| Cloud | Push via CLI | AWS CLI, Azure CLI or gcloud from the sslbrain host |
See Access for detailed setup of SSH, WinRM, Windows Service and API.
Deployment Plans
A deployment plan defines how certificates are rolled out to multiple endpoints. This is relevant when the same certificate (e.g. a wildcard) is used on many servers, or when you want to coordinate rollout with maintenance windows.
Create a plan
- Go to the certificate's Deployment tab
- Click Create deployment plan
- Add the endpoints to include
- Configure order, error handling and schedule
Ordering
| Mode | Description | Typical use |
|---|---|---|
| Parallel | All endpoints at once | Stateless web servers behind a load balancer |
| Sequential | One at a time in order | Servers that must be updated one at a time to avoid downtime |
| One-at-a-time-with-verification | Install on the next endpoint only if the previous one succeeded and passed verification | Critical services where you want to confirm the certificate works before continuing |
Parallel is the default and works well in most cases. Use sequential or one-at-a-time-with-verification for production environments where you want to minimise risk.
Error Handling
Determines what happens if installation fails on an endpoint.
| Strategy | Description |
|---|---|
| Stop | Stop the entire plan at the first failure. Already installed endpoints keep the new certificate. |
| Continue | Skip the failed endpoint and continue with the next ones. |
| Rollback | Stop at the first failure and undo changes on all endpoints that have already been updated. The old certificate is reinstalled. |
Stop is the default. Rollback is recommended for environments where all servers must have the same certificate, e.g. servers behind a load balancer.
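To make the interaction between the ordering modes and the error-handling strategies above concrete, here is a small Python model of a deployment plan. It is example code written for this page, not sslbrain's own implementation; the endpoints, certificate names and fault switches are constructed, and `verify` stands in for the post-install check, whose real mechanics the page does not describe.

```python
from dataclasses import dataclass

@dataclass
class Endpoint:                 # constructed stand-in for a managed server
    name: str
    active_cert: str            # certificate the endpoint currently serves
    install_ok: bool = True     # constructed fault switch for the install step
    verify_ok: bool = True      # constructed fault switch for the post-install check

def install(ep, cert):
    if not ep.install_ok:
        raise RuntimeError("install failed")
    ep.active_cert = cert

def verify(ep, cert):
    # A real check would open a TLS connection and compare the served certificate.
    return ep.verify_ok and ep.active_cert == cert

def run_plan(endpoints, new_cert, ordering="parallel", on_error="stop"):
    """ordering: 'parallel' | 'sequential' | 'verified' (one-at-a-time-with-verification)
    on_error: 'stop' | 'continue' | 'rollback'. Returns {endpoint name: outcome}."""
    previous = {ep.name: ep.active_cert for ep in endpoints}
    outcome, updated, halted = {}, [], False
    for ep in endpoints:
        if halted:              # a halted sequential plan never touches later endpoints
            outcome[ep.name] = "skipped"
            continue
        try:
            install(ep, new_cert)
            updated.append(ep)  # recorded before verification so rollback covers it
            if ordering == "verified" and not verify(ep, new_cert):
                raise RuntimeError("verification failed")
            outcome[ep.name] = "installed"
        except RuntimeError as exc:
            outcome[ep.name] = str(exc)
            # parallel installs are modelled as already launched; only sequential modes halt
            if on_error != "continue" and ordering != "parallel":
                halted = True
    failed = [n for n, v in outcome.items() if v not in ("installed", "skipped")]
    if on_error == "rollback" and failed:
        for ep in reversed(updated):        # reinstall the previous certificate
            install(ep, previous[ep.name])
            outcome[ep.name] = "rolled back"
    return outcome

def demo_fleet(bad="web2", fault="install"):  # three constructed servers; `bad` fails at `fault`
    return [Endpoint(n, "old-cert", install_ok=not (n == bad and fault == "install"),
                     verify_ok=not (n == bad and fault == "verify"))
            for n in ("web1", "web2", "web3")]
```

Note the verified-plus-rollback case: an endpoint whose install succeeded but whose verification failed is serving the new certificate, so it is rolled back along with the earlier endpoints.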
Maintenance Windows
Define when certificates may be installed. The deployment plan automatically waits for the next available window.
Examples:
| Window | Meaning |
|---|---|
| Mon-Fri 02:00-05:00 | Deployment runs only at night on weekdays |
| Sun 22:00-06:00 | Only on weekends |
| Always | No restriction (default) |
Configure maintenance windows under Deployment plan > Schedule. You can create multiple windows and assign them to different plans.
Note: If a certificate needs to be renewed and the maintenance window does not open within the next 7 days, sslbrain sends a warning. Ensure the window is wide enough for renewals to run before the certificate expires.
Automatic Deployment on Renewal
When a certificate is renewed, the associated deployment plan runs automatically. No manual action is required.
The flow:
- The certificate approaches expiry (30 days)
- sslbrain renews the certificate via its internal ACME client
- The deployment plan runs automatically
- The certificate is installed on all endpoints in the plan
- sslbrain verifies that the new certificates are active
If a deployment fails, the configured error handling applies (stop, continue or rollback). sslbrain sends a notification with details about the failure.
What to verify
- That the deployment plan is associated with the certificate (under the Deployment tab)
- That credentials for all endpoints are still valid
- That the maintenance window allows deployment before the certificate's expiry
- That notifications are configured so you are alerted on failure
Tip: Once set up, certificate renewal and deployment run fully automatically without intervention.