6.4 Built-in Deploy Templates

Deployment recipes for common software

CertKit includes a library of built-in deployment templates for common services and platforms. These templates pre-fill deployment configurations with optimized certificate formats and post-deployment update scripts.

Windows Templates

Basic Starters

Standard templates for common certificate formats with no pre-configured post-deployment scripts.

Template                          Format              Variables Provided
Basic Windows Certificate Store   windows-cert-store  $thumbprint, $certificate (X509Certificate2)
Basic PFX                         pfx                 $certPath, $pfxPasswordFilePath
Basic PEM                         pem-key             $certPath, $keyPath, $chainPath
Basic Java KeyStore               jks                 $certPath (to .jks file)

Service Specific

  • IIS Site Binding: Requires the IIS site name and HTTPS port. Binds the certificate to the specified site and port via the WebAdministration module, creating a new HTTPS binding if none exists.
  • Remote Desktop (RDP): Configures the local RDP listener certificate via WMI (Win32_TSGeneralSetting).
  • Exchange Server: Enables the certificate for IIS and SMTP services using Enable-ExchangeCertificate.
  • AD FS: Replaces SSL and Service Communications certificates and restarts the adfssrv service.
  • SQL Server: Updates the SuperSocketNetLib registry key with the certificate thumbprint and restarts the SQL service. (Default instance: MSSQL16.MSSQLSERVER).
  • WinRM: Recreates the HTTPS listener bound to the host FQDN.
  • netsh HTTP Listener: Binds the certificate to a specific IP/port (default 0.0.0.0:443) using netsh http.
  • Azure Key Vault: Uploads the certificate as a Key Vault secret via service principal authentication.
  • F5 BIG-IP (PowerShell): Manages certificate/key upload and SSL profile updates via the iControl REST API.
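To illustrate what a Windows post-deployment script in this style looks like, here is an added example for the IIS Site Binding case; it is not CertKit's built-in template. It assumes the $thumbprint variable from the windows-cert-store format above, and uses $siteName and $httpsPort as hypothetical names for the site name and port the template requires.

```powershell
# Added example (not the CertKit built-in template): bind a freshly deployed
# certificate to an IIS site, creating the HTTPS binding if it does not exist.
# $thumbprint comes from the windows-cert-store format; $siteName and $httpsPort
# are assumed parameter names for the template's required inputs.
param(
    [Parameter(Mandatory)][string]$thumbprint,
    [Parameter(Mandatory)][string]$siteName,
    [int]$httpsPort = 443
)
Import-Module WebAdministration

# Check the certificate really is in LocalMachine\My and usable before touching IIS.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $thumbprint has no private key" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $thumbprint is already expired" }

# Create the HTTPS binding only when the site has none on this port.
$binding = Get-WebBinding -Name $siteName -Protocol https -Port $httpsPort
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port $httpsPort -IPAddress '*'
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port $httpsPort
}

# Attach the certificate to the binding; this updates the http.sys SSL entry too.
$binding.AddSslCertificate($thumbprint, 'My')

# Verify that http.sys now serves the new thumbprint on the port (binding uses 0.0.0.0).
$active = (Get-Item "IIS:\SslBindings\0.0.0.0!$httpsPort").Thumbprint
if ($active -ne $thumbprint) { throw "Port $httpsPort still serves certificate $active" }
Write-Output "Site '$siteName' now serves certificate $thumbprint on port $httpsPort"
```

The final check is the part worth keeping in any custom variant: a reload that silently leaves the old certificate in http.sys is the usual cause of "renewed but still expiring" alerts.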

Linux Templates

Basic Starters

Template              Format   Variables Provided
Basic PEM             pem-key  $CERT_PATH, $KEY_PATH, $CHAIN_PATH
Basic PFX             pfx      $CERT_PATH, $PFX_PASSWORD_FILE_PATH
Basic Java KeyStore   jks      $CERT_PATH (to .jks file)

Service Specific

  • Nginx: Performs nginx -t followed by nginx -s reload.
  • Apache: Performs apachectl configtest followed by apachectl graceful.
  • HAProxy: Validates the configuration and reloads the service.
  • Kubernetes Secret: Updates a kubernetes.io/tls secret using kubectl apply.
  • PostgreSQL: Reloads the service to pick up new certificate material.
  • MySQL / MariaDB: Performs a service restart (required for TLS certificate updates).
  • AWS ACM: Imports the certificate and chain into AWS Certificate Manager.
  • Docker: Sends SIGHUP to a specific container to trigger a configuration reload.
  • Postfix / Dovecot: Validates configuration and reloads the service.
  • F5 BIG-IP (Shell): Shell-based implementation of the F5 REST API deployment flow.

For services not listed here, you can create a Custom Deploy Template.