Automated TLS certificate management via ACME DNS-01 challenges.
Website ·
Dashboard ·
API Reference ·
Discussions
KrakenKey is a TLS certificate management platform that automates issuance via Let's Encrypt using DNS-01 challenges. One-time DNS setup per domain, then certificates in ~4 minutes -- no ongoing records to manage, no cron jobs, no forgotten renewals.
Private keys never leave your device. CSRs are generated client-side using the WebCrypto API, or you bring your own from openssl. KrakenKey only ever sees your public key.
Works with any DNS provider. Add a TXT record and a CNAME at your registrar -- Cloudflare, Route 53, Namecheap, DigitalOcean, whatever you use. KrakenKey handles ACME challenges on its own infrastructure.
Why now? The CA/Browser Forum's Ballot SC-081v3 is phasing TLS certificate max lifetimes down to 47 days by March 2029. Manual renewal won't scale.
- Client-side CSR generation -- WebCrypto API in the browser; private keys stay on your device
- ACME automation -- Let's Encrypt certificate issuance via DNS-01 challenges
- DNS provider agnostic -- one-time CNAME delegation; works with any registrar
- Endpoint monitoring -- TLS health checks (expiry, chain validity, cipher suites, protocol versions, OCSP, handshake latency) with scan result export
- Self-hosted probe -- open-source Go binary with standalone, connected, and hosted modes
- Auto-renewal -- daily expiry checks with tier-aware renewal windows and email notifications
- Email notifications -- cert issued/renewed/failed/revoked, expiry warnings, domain verification alerts
- Organizations & RBAC -- teams with owner, admin, member, viewer roles
- Subscription billing -- Stripe-powered tiers (Free, Starter, Team) with plan limit enforcement
- Go CLI -- full API parity with local CSR generation (
krakenkey cert issue,cert renew, etc.) - GitHub Action -- cert-action for CI/CD certificate issuance, renewal, and download
- REST API -- every dashboard action is available programmatically
- Web dashboard -- visual certificate lifecycle management
- Prometheus metrics -- 12+ gauges and counters for observability
- API key authentication -- persistent keys for CI/CD and automation workflows
- Tier-aware rate limiting -- configurable per-tier throttling on all endpoints
- Swagger/OpenAPI docs -- interactive API documentation
One-time setup per domain:
- Add your domain in the dashboard and configure two DNS records: a TXT record for ownership verification and a CNAME to delegate ACME challenges to KrakenKey
Per certificate (~4 minutes):
- Generate a CSR -- in-browser via the dashboard or with
opensslon your machine - Submit via the dashboard or REST API
- Download your certificate -- KrakenKey resolves the ACME challenge automatically and issues the cert
Head to krakenkey.io and create a free account. No credit card required.
git clone --recurse-submodules https://github.com/krakenkey/krakenkey.git
cd krakenkey
code . # Reopen in Dev Container when promptedSee LOCAL_DEV.md for the full devcontainer setup with TLS, Traefik, and hot reload. See CONTRIBUTING.md for the contributor guide.
# Add a domain
curl -X POST https://api.krakenkey.io/domains \
-H "Authorization: Bearer $API_KEY" \
-H "Content-Type: application/json" \
-d '{"hostname": "example.com"}'
# Submit a CSR
curl -X POST https://api.krakenkey.io/certs/tls \
-H "Authorization: Bearer $API_KEY" \
-H "Content-Type: application/json" \
-d '{"csrPem": "-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----"}'
# Check status / retrieve certificate
curl https://api.krakenkey.io/certs/tls/42 \
-H "Authorization: Bearer $API_KEY"
# Renew
curl -X POST https://api.krakenkey.io/certs/tls/42/renew \
-H "Authorization: Bearer $API_KEY"See the full API Reference for all endpoints, authentication, error formats, and more examples.
Browser / CLI / GitHub Action
|
v
NestJS REST API
|
+---> PostgreSQL (certs, domains, users, endpoints, orgs, subscriptions)
+---> Redis / BullMQ (async job queue)
+---> ACME Client (Let's Encrypt)
+---> DNS (challenge resolution on KrakenKey infra)
+---> Stripe (billing, subscriptions)
+---> Authentik (SSO / OIDC)
+---> Prometheus (/metrics)
|
Probes (standalone / connected / hosted)
|
+---> TLS endpoint scanning
+---> Scan results --> API
Certificate issuance is asynchronous. Submitting a CSR enqueues a BullMQ job that handles the ACME flow (create order, set DNS challenge, poll propagation, finalize) and stores the issued certificate. Jobs retry with exponential backoff on failure. Endpoint monitoring runs via self-hosted probes that scan TLS endpoints and report results back to the API.
| Component | Technology |
|---|---|
| Backend | NestJS 11, TypeScript |
| Frontend | React 19, TypeScript, Vite |
| Database | PostgreSQL, TypeORM |
| Job Queue | BullMQ (Redis) |
| ACME Client | acme-client |
| CSR Generation | WebCrypto API, @peculiar/x509 |
| Authentication | Authentik (OIDC) + API Keys |
| API Documentation | Swagger / OpenAPI |
| Marketing Site | Astro |
| Document | Description |
|---|---|
| Architecture | System design, module hierarchy, data flow |
| API Reference | All endpoints, auth, error formats, examples |
| Certificate Flow | CSR submission through issuance, step by step |
| Database Schema | Entities, relationships, migrations |
| Configuration | Environment variables and setup |
| Integrations | ACME and DNS provider integration details |
| Rate Limiting | Tier configuration and throttling behavior |
| Domain Verification | Setup guide with DNS examples |
| Error Handling | Error format, frontend toast system |
| Known Limitations | Current constraints and planned improvements |
| Local Development | Devcontainer setup, TLS, Traefik |
We welcome bug reports, feature requests, and pull requests. See CONTRIBUTING.md for development setup, testing instructions, and the PR process.
To report a vulnerability, see SECURITY.md. Please do not open a public issue for security concerns.
KrakenKey is licensed under the GNU Affero General Public License v3.0.
If you modify KrakenKey and make it available over a network (e.g., as a hosted service), you must make your source code available under the same license.