Overview
The IONOS Certificate Manager is a tool that simplifies the management of Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for websites and applications. It streamlines the process of obtaining, installing, and renewing certificates, ensuring secure web traffic and the protection of sensitive data transmitted between users and web servers.
Certificate Manager supports both importing an existing certificate and automatically renewing certificates via the platform, reducing manual management and improving security. With the integration of the ACME protocol, it automates the issuance and renewal of certificates, eliminating the need for users to upload certificates and keys manually.
Workflow
The following is an overview of the Auto Certificate workflow:
1. Provider Creation: The user first creates a certificate provider by configuring an ACME server (such as Let's Encrypt). This provider is responsible for issuing and renewing the certificates.
2. Auto Certificate Creation: After the provider is set up, the user creates an Auto Certificate, pointing to the newly created provider and specifying the common name (domain) for which the certificate should be issued.
3. Automatic Certificate Management: It offers the following:
   - ACME-based issuance: The certificate manager handles the issuance and renewal process using the provided ACME server. The system sets up the required DNS TXT records on the IONOS Cloud DNS, which the ACME server uses to verify domain ownership.
   - Renewal process: The certificates are automatically renewed every 30 days before they expire, ensuring seamless security updates without user intervention.
Special considerations
1. Domain and Zone Restrictions: This feature only works with domains that are hosted within the IONOS Cloud DNS zones. The ACME server needs to verify the domain ownership through TXT records, which are managed by the IONOS platform.
2. Handling Expiration and Grace Period: During the renewal process, a grace period of 30 days is applied. This means that two certificates—one expired (or expiring soon) and one newly issued—may coexist for a short period. The old certificate is automatically deleted 30 days after expiration, ensuring that the system remains clean and up-to-date.
3. Naming Convention: To prevent confusion between active and expiring certificates, timestamps are appended to the common name of the certificate in the database. This ensures that the certificates remain distinguishable in the system.
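The renewal window and grace period described above can be checked from a certificate inventory. The following is an added example, not IONOS code: the `Cert` record, the stored-name format, and the sample inventory are assumptions constructed for illustration, and it reads the renewal statement as "a successor should exist once a certificate is within 30 days of expiry".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RENEWAL_WINDOW = timedelta(days=30)  # assumed reading: successor expected 30 days before expiry
GRACE_PERIOD = timedelta(days=30)    # page: old certificate is deleted 30 days after expiration

@dataclass(frozen=True)
class Cert:
    stored_name: str   # hypothetical format: common name with a timestamp appended
    common_name: str
    not_after: datetime

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def audit(certs, now):
    """Return {common_name: [findings]} for names that need attention."""
    by_name = {}
    for c in certs:
        by_name.setdefault(c.common_name, []).append(c)
    findings = {}
    for name, group in by_name.items():
        group.sort(key=lambda c: c.not_after)
        newest, issues = group[-1], []
        if newest.not_after <= now:
            issues.append("EXPIRED_NO_SUCCESSOR")   # nothing valid is left to serve
        elif newest.not_after - now < RENEWAL_WINDOW:
            issues.append("RENEWAL_OVERDUE")        # inside the window, no newer cert issued
        for old in group[:-1]:
            if now - old.not_after > GRACE_PERIOD:  # should already have been cleaned up
                issues.append(f"STALE_PAST_GRACE:{old.stored_name}")
        if issues:
            findings[name] = issues
    return findings

# Constructed sample inventory (not real data).
NOW = utc(2025, 6, 1)
SAMPLE = [
    Cert("www.example.com-20250312", "www.example.com", utc(2025, 6, 10)),  # expiring, in overlap
    Cert("www.example.com-20250517", "www.example.com", utc(2025, 8, 15)),  # renewed successor
    Cert("api.example.com-20250317", "api.example.com", utc(2025, 6, 15)),  # no successor yet
    Cert("cdn.example.com-20250101", "cdn.example.com", utc(2025, 4, 1)),   # expired 61 days ago
    Cert("cdn.example.com-20250503", "cdn.example.com", utc(2025, 8, 1)),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE, NOW).items():
        print(name, issues)
```

A `RENEWAL_OVERDUE` finding usually points at the prerequisite in item 1: the domain's zone must be hosted in IONOS Cloud DNS for the TXT-record validation to succeed.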
Benefits
1. Automated Renewal: No need for manual intervention to renew certificates, improving operational efficiency.
2. Security: Regularly updated certificates ensure that there are no gaps in encryption.
3. Visibility: Users can track both the newly created and expired certificates within the system.
4. Integration: The auto certificate feature is fully integrated and usable in products like CDN and API Gateway.
The Auto Certificate feature represents a major step forward for users who need continuous, automated SSL/TLS certificate management on the IONOS platform.