Automated SSL certificate renewal for nginx
nginx won't reload a new certificate on its own. CertKit will.
nginx serves whatever certificate is on disk. When a certificate renews, nothing happens automatically.
You need to write the new files and reload the service, every 47 days, on every server in your fleet, and each of those runs can fail.
CertKit centralizes certificate issuance and renewal, then pushes updated certificates
to your nginx servers automatically via the CertKit Agent.
How it works
[Diagram: CertKit issues and renews certificates with the ACME CA, answering each DNS challenge through the delegated DNS record. The CertKit Agent on your nginx server receives the updated certificate, writes it to disk, and reloads nginx.]
CertKit manages issuance and renewal centrally using
delegated DNS validation.
You create a one-time CNAME record; CertKit handles every ACME challenge after that.
Your nginx servers do not run ACME, need no open ports, and hold no DNS credentials. They just run the agent.
Setup takes about ten minutes
- Connect your domain. Add a one-time CNAME record to delegate DNS validation to CertKit. Every renewal challenge after that is automatic.
- Install the CertKit Agent. One command on your nginx server. The agent runs as a background service and needs no inbound firewall rules.
- Add the nginx deployment script. The pre-built template is in your account. Paste it in and save. CertKit runs it on every renewal.
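An illustrative deployment script of the kind step 3 describes, added here as an example; it is not CertKit's pre-built template. It assumes the renewal system passes the new fullchain and private key PEM paths as two arguments, and the CERT_DIR and NGINX_BIN variables are hypothetical names chosen for this example. It refuses a key that does not match the certificate, writes the files atomically with a restrictive key mode, and validates the nginx config before reloading.

```shell
#!/bin/sh
# deploy-nginx-cert.sh: install a renewed certificate and reload nginx.
# Example script, not CertKit's template. Assumes $1 = fullchain.pem and
# $2 = privkey.pem as handed over by the renewal system (hypothetical).
set -eu

CERT_DIR="${CERT_DIR:-/etc/nginx/ssl}"   # hypothetical install location
NGINX_BIN="${NGINX_BIN:-nginx}"          # hypothetical; override for testing

# A key that does not belong to the certificate would be written fine but
# make nginx refuse the config, so compare the public keys before touching disk.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Copy next to the destination, fix the mode, then rename into place, so a
# reload racing the copy never sees a half-written file or a world-readable key.
install_file() {
  tmp="$2.tmp.$$"
  cp "$1" "$tmp"
  chmod "$3" "$tmp"
  mv -f "$tmp" "$2"
}

deploy_cert() {
  new_cert="$1"; new_key="$2"
  cert_matches_key "$new_cert" "$new_key" || {
    echo "refusing deploy: private key does not match certificate" >&2
    return 1
  }
  mkdir -p "$CERT_DIR"
  install_file "$new_cert" "$CERT_DIR/fullchain.pem" 0644
  install_file "$new_key"  "$CERT_DIR/privkey.pem"   0600
  # Validate before reloading: a reload with a broken config takes the site down.
  "$NGINX_BIN" -t
  "$NGINX_BIN" -s reload
}

# Usage: deploy-nginx-cert.sh <fullchain.pem> <privkey.pem>
if [ "$#" -eq 2 ]; then
  deploy_cert "$1" "$2"
fi
```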
Why not per-server ACME?
Per-server ACME clients like Certbot require each server to prove domain ownership on every
renewal. HTTP-01 validation requires port 80 open and reachable from the internet on every
server. DNS-01 validation requires DNS provider credentials stored on the server itself.
Neither is a good option in hardened or private environments, and both expose more attack
surface than the certificate is worth.
When multiple nginx instances share a certificate, per-server ACME has no distribution
mechanism. The common workaround is a shared folder with coordinated reload commands across
servers. That shared folder is a dependency, and when it breaks, certificates stop renewing
silently.
CertKit uses delegated DNS validation handled
centrally, so no server needs port 80 open or DNS credentials on disk. It issues once and
the agent handles distribution. There is no
per-server ACME configuration to manage and no shared folder to maintain.
With certificate lifetimes shrinking to
47 days, per-server renewal stops being an inconvenience and starts being a liability.
nginx is just one part of your stack
Most infrastructures have more than one place where certificates live.
CertKit automates all of it from one account.
Start automating nginx certificates today
Free 90-day trial. No credit card required.
Direct access to our engineering team to get you set up.