Built for real infrastructure

sslbrain manages certificates across Windows and Linux servers, supports multiple certificate authorities, and automates the entire lifecycle.

Shorter lifetimes, more renewals

Certificate lifetimes are getting shorter, and will get shorter again. The CA/Browser Forum has binding deadlines that step the maximum lifetime down in three phases through 2029.

  • 2026 (active): 200 days. Maximum lifetime and DCV reuse since March 2026.
  • 2027: 100 days. Next step: lifetime and DCV reuse are halved.
  • 2029: 47 days. Final target: DCV reuse drops to 10 days, so domain validation runs at every renewal.

With 50 servers and 47-day certificates, that is up to 600 renewals per year if, as best practice, each certificate is renewed at one third of its lifetime. sslbrain uses a central scheduler that scales automatically no matter how short lifetimes become.

Read more about the 47-day timeline

Switch CA without touching a server

Your servers communicate with sslbrain via the ACME protocol. sslbrain communicates with the CAs. If a CA changes its API, standards or pricing, we update the connection and your servers notice nothing.

You can switch between Let's Encrypt, Google Trust Services, DigiCert, Sectigo and GlobalSign without changing configuration on a single server. sslbrain absorbs the complexity.

Certificate Sources

We support any ACME-based CA.

  • Let's Encrypt (ACME)
  • Google Trust Services (ACME)
  • DigiCert
  • Sectigo
  • GlobalSign Atlas
  • Internal CA
  • Custom CA

Endpoints

Deploy certificates to any server platform.

  • Microsoft IIS (Windows Server)
  • Apache HTTP Server
  • Nginx
  • HAProxy
  • Tomcat / Java Keystore
  • FortiGate / FortiMail
  • Citrix NetScaler
  • Microsoft Exchange
  • Any endpoint via custom agents

Protocol Support

Industry-standard protocols for validation and deployment.

  • ACME (RFC 8555)
  • DNS-01 validation (auto-DNS)
  • HTTP-01 validation
  • SSH-based deployment
  • WinRM-based deployment (Windows)
  • REST API integration

Lifecycle Management

Automate the entire certificate lifecycle.

  • Automatic DNS-based validation
  • Automatic certificate discovery
  • Expiry monitoring & alerts
  • Automated renewal
  • Multi-domain (SAN) certificates
  • Wildcard certificates
  • Certificate revocation

Security

Enterprise-grade security built in.

  • On-premises. Your data stays on your network
  • Data encrypted with a rotating online vault key
  • Code running on your network is visible and inspectable
  • Built-in and community agents are security-inspected and signed
  • mTLS client certificates for Windows Service Agent
  • Scripts executed via stdin, never written to disk
  • Role-based access control
  • Audit logging

Operations

Simple to deploy and operate.

  • Single Docker container
  • SQLite database (zero config)
  • Setup wizard (3-minute onboarding)
  • Web-based management UI
  • Agent-based architecture
  • Built-in ACME proxy for servers without internet access
  • Update agents and sslbrain via sslbrain Cloud
  • Fixed IPs for firewall whitelisting

Supported platforms

sslbrain supports 36 agent packages across Windows, Linux, cloud, appliances, and custom workflows.

Windows and Microsoft

16 agent packages

  • Windows IIS 8+
  • IIS Web Server
  • IIS Central Certificate Store
  • Microsoft Exchange 2013-2019
  • Microsoft Exchange
  • Windows SQL Server
  • Windows ADFS
  • Windows Certificate Authority
  • Web Application Proxy
  • Windows Remote Desktop
  • Windows SSL/TLS Bindings
  • Windows Certificate Store
  • Windows Server
  • Dynamics NAV / Business Central
  • Milestone XProtect
  • Veeam Backup & Replication

Linux and services

7 agent packages

  • Nginx
  • Apache
  • HAProxy
  • Apache Tomcat
  • Postfix
  • Dovecot
  • PostgreSQL

Cloud certificate stores

3 agent packages

  • AWS Certificate Manager
  • Azure Key Vault
  • Google Cloud Certificate Manager

Appliances, networking, and virtualization

8 agent packages

  • Citrix NetScaler / ADC
  • Cisco Secure Firewall Device Manager
  • Kemp LoadMaster
  • pfSense
  • Synology DSM
  • NetApp ONTAP
  • VMware vCenter
  • VMware ESXi

Any platform can be supported via custom agents. Write your own deployment script for any platform or application.

Agent-based architecture

sslbrain uses YAML-defined agents to handle certificate deployment. Each agent is a set of platform-specific scripts that run on the endpoint. This approach means:

  • Support for any platform without code changes
  • Community agents for common platforms
  • Custom agents for your specific needs
  • Full audit trail of every deployment step

Windows Service Agent (.NET 9, pull-based)

No inbound ports required. The agent pulls signed task packages over HTTPS with mutual TLS (mTLS); it enrolls with a client certificate at registration and renews that certificate automatically.

Secure agent execution

Scripts are executed via stdin piping directly to the interpreter. No script files are written to disk. Secrets are passed via environment variables, never as command-line arguments.

  • Stdin execution: no scripts written to disk
  • Secrets via environment variables, never CLI arguments
  • mTLS client certificates for Windows Service Agent
  • Encrypted task packages using ECIES (ECDH + AES-256-GCM)
  • Read-only container, tmpfs-backed temporary storage
  • no-new-privileges, restricted PATH
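One way to implement the stdin execution model with environment-carried secrets, as an added Go example constructed for this page (not sslbrain's agent code): the interpreter name, the `-s` flag of POSIX sh and the PFX_PASSWORD variable name are assumptions. The function also returns the argv it used, so a caller can confirm that neither the script text nor any secret value appears on the command line.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// RunScriptFromStdin is a constructed illustration (not sslbrain's agent code) of the
// execution model described above: the script body is piped to the interpreter on
// stdin, so nothing is written to disk, and secrets travel only in the environment.
// It returns the script's stdout and the argv that was used, so a caller can check
// that the command line (what `ps` and process audit logs show) holds no secret.
func RunScriptFromStdin(interpreter, script string, secrets map[string]string) (string, []string, error) {
	cmd := exec.Command(interpreter, "-s") // "-s": POSIX sh reads commands from stdin
	cmd.Stdin = strings.NewReader(script)   // the script text never becomes a file
	cmd.Env = os.Environ()                  // inherit the agent's own environment...
	for name, value := range secrets {
		cmd.Env = append(cmd.Env, name+"="+value) // ...and add secrets as variables only
	}
	var stdout, stderr bytes.Buffer
	cmd.Stdout, cmd.Stderr = &stdout, &stderr
	if err := cmd.Run(); err != nil {
		return "", cmd.Args, fmt.Errorf("script failed: %w: %s", err, stderr.String())
	}
	return strings.TrimSpace(stdout.String()), cmd.Args, nil
}

// ArgvContains reports whether any argv element contains the given value; used to
// assert that neither secrets nor the script body ever reach the command line.
func ArgvContains(argv []string, value string) bool {
	for _, a := range argv {
		if strings.Contains(a, value) {
			return true
		}
	}
	return false
}
```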

Security you can verify

sslbrain is designed to be transparent. All code is visible and inspectable.

YubiKey-signed agents

Every script that runs on or against your servers is signed by us, whether it is our own script or a community version we have verified. All scripts are visible on GitHub and can be inspected.

  • ECDSA P-384 signature per agent package
  • Physical YubiKey touch per signing
  • Category (read/write) baked into signature
  • Date baked into signature (no backdating)

Signing pipeline: Developer → Code review → YubiKey signing → Cloud → Your sslbrain Server

You decide what runs

Every server has a ScriptPolicy defining what it accepts, from FairSSL-signed scripts only to community scripts or your own custom scripts. The policy can be locked via Group Policy.

  • FairSSL agents: Written, signed, maintained and tested by FairSSL.
  • Community agents: Written by users, reviewed and signed by FairSSL before they are released.
  • Custom agents: Written by you, signed with your own key or run unsigned. FairSSL never signs code we have not reviewed.
  • TrustSignedBefore: Set a date. The agent rejects anything signed after that date until you approve. Full control over updates.
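How a server-side verifier could apply the signing properties above (one ECDSA P-384 signature covering script, category and date) together with a ScriptPolicy and its TrustSignedBefore cutoff, as an added Go example that is not sslbrain's own code: the AgentPackage layout, the domain label, the SHA-384 digest format and the ScriptPolicy fields are assumptions made for illustration, and NewSigningKey stands in for the YubiKey-held key. Because all three fields are hashed into the signed digest, editing the script, flipping the category or backdating SignedAt after signing breaks verification.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"time"
)

// AgentPackage is a constructed model (not sslbrain's real format) of a signed agent package.
type AgentPackage struct {
	Script   []byte
	Category string    // "read" or "write", so a policy can refuse write agents outright
	SignedAt time.Time // baked into the signed digest, so it cannot be backdated afterwards
	Sig      []byte    // DER-encoded ECDSA P-384 signature over Digest()
}
// Digest binds a domain label, the script, the category and the date under one SHA-384 hash.
func (p *AgentPackage) Digest() []byte {
	msg := "agent-package-v1\x00" + string(p.Script) + "\x00" + p.Category + "\x00" + p.SignedAt.UTC().Format(time.RFC3339)
	sum := sha512.Sum384([]byte(msg))
	return sum[:]
}
// NewSigningKey stands in for the YubiKey-held P-384 key (a software key here).
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
}
func SignPackage(key *ecdsa.PrivateKey, script []byte, cat string, at time.Time) (*AgentPackage, error) {
	p := &AgentPackage{Script: script, Category: cat, SignedAt: at}
	sig, err := ecdsa.SignASN1(rand.Reader, key, p.Digest())
	p.Sig = sig
	return p, err
}
// ScriptPolicy is a hypothetical per-server policy (zero TrustSignedBefore means no cutoff).
type ScriptPolicy struct {
	TrustedKey        *ecdsa.PublicKey
	AllowWrite        bool
	TrustSignedBefore time.Time
}
// Accept returns nil only when the signature verifies and every policy check passes.
func (pol ScriptPolicy) Accept(p *AgentPackage) error {
	switch {
	case !ecdsa.VerifyASN1(pol.TrustedKey, p.Digest(), p.Sig):
		return errors.New("signature invalid or not from the trusted signer")
	case p.Category == "write" && !pol.AllowWrite:
		return errors.New("write agents are not permitted by this policy")
	case !pol.TrustSignedBefore.IsZero() && !p.SignedAt.Before(pol.TrustSignedBefore):
		return errors.New("signed on or after TrustSignedBefore; needs approval")
	}
	return nil
}
```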

Data stays on-premises

  • We cannot see your data
  • A stolen copy is useless

NIS2 documentation

NIS2 requires documented, monitored, and auditable security processes. A cron job is not a documented process. sslbrain provides the structure and evidence that NIS2 demands for certificate management.

  • SIEM/syslog export for centralized monitoring
  • Source-available code for security review
  • Documented process, not a cron job

Ready to automate your certificates?

Get started in under 5 minutes with the Free plan.

sslbrain is built by FairSSL A/S, a Danish company with 16 years of experience in the SSL certificate industry.