Features — Automate Certificates

Features

Certificate operations from discovery to deployment

ACME v2 issuance

Request Let's Encrypt certificates via ACME v2 with DNS-01 or HTTP-01 challenges. The cron job renews 30 days before not_after and records each attempt.
Tenant-wide discovery

Scan Azure subscriptions, Key Vaults, App Services, and App Gateways. AWS and GCP tenant scans surface certs missing from your inventory.
22 deployment targets

Push renewed certs to Azure Key Vault, App Service, App Gateway, AWS ACM, ALB, GCP load balancers, PostgreSQL, and 15 more target types.
Expiry alerting

Slack, Microsoft Teams, Graph email, and SMTP notifications when a cert enters the renewal window or a renewal attempt fails.
Audit log and exports

Append-only log with CSV export and webhook delivery. DORA and NIST-aligned reports with per-renewal evidence and reviewer identity.
Scoped API keys and MCP

Programmatic access via scoped API keys with fine-grained permissions. MCP tools for agent-driven certificate operations.
Renewal retry behaviour

Failed ACME challenges trigger automatic retries with backoff. Each attempt is logged; alerts fire after consecutive failures.
Marketplace lifecycle records

Azure Marketplace subscription events — activate, suspend, renew — are recorded in the audit log with timestamps and tenant context.
Entra SSO for operators

Spot Suite OIDC sign-in with passkeys, TOTP MFA, and Entra ID federation. Azure service principal (RS256 JWKS) for tenant scans.

Map your estate

Run an Azure, AWS, or GCP tenant scan. Every domain, issuer, and expiry date lands in one inventory with risk indicators on certs due within 30 days.
Issue and schedule

Request certificates through ACME v2 with DNS-01 or HTTP-01. Automate Certificates renews 30 days before expiry and logs each issuance.
Deploy and notify

Push renewed certs to linked targets on schedule or on demand. Slack, Teams, or SMTP alerts fire if deployment or renewal fails.

Every plan starts with a 90-day trial — no credit card.