Stop managing TLS certificates manually.
On-premises, behind your firewall. EudaCertMgr™ handles issuance, renewal, and deployment across your entire Linux and Windows fleet — automatically, from a single control host inside your network. No SaaS dashboard, no third-party-hosted control plane. Your certificates, private keys, and target inventory stay on the orchestrator host you own.
47-day certificates are coming.
The CA/Browser Forum — the industry body that governs every publicly-trusted certificate authority — has mandated a phased reduction of TLS certificate lifetimes. At that cadence, manually renewing and deploying certificates across a fleet of servers is no longer feasible. Every missed renewal is an outage waiting to happen.
EudaCertMgr™ eliminates the manual work. It renews certificates before they expire, deploys them to every Linux and Windows server that needs one, verifies the deployment is actually live, warns about anything nearing expiry, and notifies your team only when something changes or something fails.
What you get.
Everything you need to take TLS off your team’s plate, in one self-hosted tool.
Fully On-Premises
Runs entirely inside your network on hardware you control. No SaaS dashboard, no third-party-hosted control plane, no agent on managed hosts. Certificates, private keys, and target inventory live only on the orchestrator host. No inbound internet listener required.
Cross-Platform from One Host
Manage TLS on Linux and Windows fleets from a single Linux orchestrator over SSH. No agent on managed hosts — just an SSH key.
Automatic Renewal
Nightly checks renew certificates before expiry. With the CA/Browser Forum dropping certificate lifetimes to 47 days by March 2029, manual renewal stops being feasible.
Any ACME CA, Selectable Per Cert
Let’s Encrypt, ZeroSSL, Google Public CA, Buypass Go SSL, SSL.com, and any other ACME-compatible CA. Pick the issuer per certificate.
180+ DNS Providers
DNS-01 challenges supported across Cloudflare, Route 53, Azure DNS, GoDaddy, DigitalOcean, and 175+ others via acme.sh.
Per-vhost TLS Audit + Take-Over
Walks every nginx vhost, Apache vhost, and IIS site on a target — including custom Include paths — surfaces issues per site, and offers to take broken certs over one Y/N at a time.
External URL Monitoring
Watch any HTTPS site’s certificate, even ones EudaCertMgr doesn’t manage — WordPress, Squarespace, Shopify, GoDaddy, third-party self-managed certbot. Catch silent renewal failures before they become outages.
Bundled Local Self-Signed CA
For internal hosts that can’t reach a public CA (split-DNS, lab boxes, *.internal hostnames), EudaCertMgr runs a local CA and distributes its root to Linux trust stores, to AD over LDAPS for forest-wide Windows distribution, and as a .mobileconfig for MDM-pushed Macs.
Auto-HTTPS for HTTP-Only Sites
The scanner detects web server sites with no TLS configured and offers to enable HTTPS correctly, including HTTP→HTTPS redirect rules for nginx and Apache.
Customizable Deployment Scripts
For the unusual cases (Tomcat, Java keystores, HA pairs, container restarts), open a per-target deployment script in your editor — pre-populated with a heavily-commented default template. No bash or PowerShell expertise required.
Built-in Verification
After every deploy, EudaCertMgr connects to the target to confirm it is actually serving the new certificate. Verifies the deployment is live, not just that the copy succeeded.
Encrypted Backup + Restore
Password-encrypted backups of the entire configuration, with auto-reprovisioning of remote service accounts on restore.
Menu-Driven Operation
No config-file editing. Onboarding, target management, alerts, schedules, and the local CA are all driven through an interactive menu. Reasonable defaults pre-filled from your existing config.
EudaCertMgr™ vs. the others.
The only product that combines all of these capabilities in a single self-hosted, menu-driven tool.
| Capability | EudaCertMgr™ | Certify The Web | certbot + scripts | Sectigo / Venafi / Keyfactor |
|---|---|---|---|---|
| Cross-platform: Linux + Windows from one orchestrator | Yes | Windows Server only | DIY | Yes |
| No agent/app on managed hosts (SSH key only) | Yes | Windows app per server | Yes | Agents required |
| Time from installer to first deployed cert | Under 15 min | 30+ min/server | Days | Weeks |
| Per-vhost TLS audit + take-over (nginx / Apache / IIS) | Yes | No | No | Partial |
| Bundled local self-signed CA for internal hosts | Yes | No | No | Separate product |
| External-URL TLS expiry monitoring | Yes | No | No | Yes |
| DNS providers for DNS-01 | 180+ | 36 | Partial | Yes |
| Encrypted backup + auto-reprovision restore | Yes | No | No | Yes |
| Fully self-hosted, no cloud dependency | Yes | Cloud dashboard | Yes | Mostly SaaS |
| Pricing model | Flat $549 / domain / yr | Per-server tiers | Free | Enterprise quoting |
Certify The Web’s “centralized dashboard” is renewal-monitoring only — every managed server still runs its own copy of the Windows desktop app. EudaCertMgr™’s model is one Linux orchestrator that pushes to every target over SSH; targets carry no EudaCertMgr™ software footprint at all.
How it works.
Once configured, you don’t need to do anything else. EudaCertMgr™ runs every day automatically.
Install in under 15 minutes
Download the installer tarball and run it as root on any modern systemd Linux. Interactive and idempotent; re-run any time.
Onboard targets from a menu
Linux targets onboard over SSH automatically. Windows targets get a generated PowerShell bootstrap script. The scanner finds existing certs and offers to take them over.
Nightly runs — silent unless something changes
A systemd timer renews any cert within its renewal window via DNS-01, deploys it to every target, and verifies that it is live. Email only on issuance, failure, or expiry warning.
Resilient + auditable
A single failed target does not abort the batch. Per-run logs, encrypted backups, previous-cert retention for rollback. Everything menu-driven; no config files to edit.
Never think about TLS renewals again.
Flat $549 per domain per year. On-premises, behind your firewall — no cloud dependency, no per-server tiers.