CLMOpen source · Apache-2.0
Certbot
Community project
The EFF's open-source ACME client — the most widely used way to automatically request, install, and renew free, publicly-trusted TLS certificates from Let's Encrypt, the certificate authority run by the nonprofit ISRG, or any other ACME-compliant CA. It runs on the server it protects, installing certificates straight into Apache or nginx, and recently added support for short-lived six-day certificates and IP-address certificates.
Verified Source: 1
- Product type
- Community project
- Deployment
- CLIAgent
- Organization size
- IndividualSMBMid-marketEnterprise
- Pricing tier
- Free
Capability checklist
CLMHow Certbot measures up against the full Certificate Lifecycle Management taxonomy.
- Certificate discovery & inventory — not supported
- Finds every certificate across on-prem, cloud, and Kubernetes environments — including unknown, expired, and shadow certificates nobody was tracking.
- Automated issuance & renewal — supported
- Issues and renews certificates automatically through ACME and direct CA integrations, so nothing depends on someone remembering to do it by hand.
- Expiry monitoring & alerting — not supported
- Watches expiration dates across the whole estate and alerts owners well before a certificate lapses and causes an outage.
- Private CA & internal PKI — not supported
- Runs internal certificate authorities and PKI to issue the private certificates that secure machine-to-machine and internal service traffic.
- Deployment integrations — supported
- Pushes issued certificates directly into load balancers, Kubernetes, MDM, and web servers instead of leaving admins to install them by hand.
- Crypto-agility & rotation — not supported
- Inventories the algorithms and keys in use and rotates them at scale, including preparing for the migration to post-quantum cryptography.
Alternatives
Other Certificate Lifecycle Management tools with overlapping capabilities, sized for similar teams.