Built for Apache
The pre-built Apache deployment template ships in your CertKit account. No scripting required.
Apache serves whatever certificate is on disk at the paths your virtual hosts reference. When a certificate renews, nothing happens until someone writes the new files and reloads the server, every 47 days. On every Apache server in your fleet.
CertKit centralizes certificate issuance and renewal, then pushes updated certificates to your Apache servers automatically via the CertKit Agent.
The pre-built Apache deployment template ships in your CertKit account. No scripting required.
The CertKit Agent writes the certificate and key files to disk, validates the
configuration with apachectl configtest, and reloads Apache gracefully.
Existing connections finish, new ones get the new certificate, and a config problem
stops the reload instead of taking the site down.
The pre-built Apache template ships with your CertKit account, and the agent's certificate inventory recognizes Apache and httpd configs it finds on the server. CertKit runs the deployment on every renewal.
The manual process, if you want to do it yourself:
SSLCertificateFile takes the leaf and intermediates
in one file (SSLCertificateChainFile is deprecated). A missing
intermediate works in your browser and fails on someone else's.
SSLCertificateFile and
SSLCertificateKeyFile directives point. Every vhost that references
the old files needs the update.
apachectl configtest. A typo takes every site on the server down
at reload instead of serving the new certificate.
apachectl graceful on Linux, or restart the Apache service on Windows.
Then confirm the served certificate actually changed, and repeat on every server.
Every one of these steps is manual, and Apache won't repeat any of them for you when the certificate renews. With lifetimes shrinking to 47 days, installation stops being an annual chore and becomes a recurring task: eight times a year, on every virtual host, on every server in the fleet. Miss one reload and it's an outage.
At 47 days, automation is the only sustainable way to run Apache certificates. Here's how CertKit does it.
Your Apache server CertKit ACME CA ┌───────────────────┐ ┌──────────────────┐ ┌─────────────┐ │ │ │ │ │ │ │ ┌───────────────┐ │ Issue & Renew │◄──►│ │ │ │ CertKit Agent │◄──┤ Certificates │ │ │ │ └─────────┬─┬───┘ │ ┌───┐ └─────────────┘ │ │ │ │ └───────────┬────│DNS│ │ Certificates ◄┘ │ │ │ └───┘ │ [x] Updated │ │ │ │ │ │ │ │ Apache ◄───┘ │ ◄───────────────┘ │ [x] Reloaded │ Verify └───────────────────┘
CertKit manages issuance and renewal centrally using delegated DNS validation. You create a one-time CNAME record; CertKit handles every ACME challenge after that. Your Apache servers do not run ACME, no open ports, no DNS credentials. They just run the agent.
Using CertKit to manage our public-facing SSL certificates has been an excellent decision. The platform is user-friendly, certificates are easy to deploy, and the automation agent streamlines the entire certificate lifecycle, eliminating concerns around shortening certificate validity periods.
Chris Austin, IT Engineer, Buckman
SSLCertificateFile and
SSLCertificateKeyFile directives point, on every renewal.
apachectl configtest first, so a configuration
problem stops the deployment and raises an alert instead of taking every site on
the server down.
apachectl graceful finishes in-flight requests while new connections
get the renewed certificate. On Windows, the agent restarts the Apache service.
Certbot's Apache plugin is a fine answer for one internet-facing server. It gets
awkward at fleet scale: HTTP-01 needs port 80 open and reachable on every server,
DNS-01 needs DNS provider credentials stored on each one, and
certbot --apache edits your virtual host configuration to suit itself.
When several servers share a certificate, per-server ACME has no distribution
mechanism, and the usual workaround, a shared folder with coordinated reloads, fails
silently when it breaks.
CertKit uses delegated DNS validation handled centrally, so no server needs port 80 open or DNS credentials on disk, and your vhost configs stay exactly as you wrote them. It issues once and the agent handles distribution. There is no per-server ACME configuration to manage and no shared folder to maintain.
Most infrastructures have more than one place where certificates live: the Tomcat instances behind Apache, nginx on the newer boxes, self-hosted apps like GitLab, and the load balancers out front. CertKit automates all of it from one account.
Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.