ASCEDS certificate management system

What is ASCEDS

Automated SSL Certificate Distribution System (ASCEDS) is a distribution system for certificates which can be obtained from a provider offering an ACME interface. The system defines a site containing:

one certificate manager which can get SSL certificates for wilcard hostnames in a set of domains through certbot;
a set of managed clients getting automatic certificate renewal or reconfiguration of SANs; services using certificates are reconfigured/restarted automatically upon renewal;
a web interface handling certificates for managed or unmanaged clients.

ASCEDS consists into a set of shell scripts; the web interface is written in PHP.
Each script has a help option '-h'.
The details are described in the ASCEDS whitepaper. It can be downloaded after login, or by installing ASCEDS.

ASCEDS is released under GPLv2 or any later version.
The certificate manager was tested on Ubuntu 18.04 and newer versions.
Currently, managed client packages are available for: Ubuntu, Arch Linux, Debian, Raspbian, CentOS 7.

Quick start of a new site

Step 1: install ASCEDS on all the computers of the site (certificate manager and managed clients)

Step 2: configure the certificate manager
On the certificate manager:

install and configure dependencies: snap, certbot, apache2/httpd
initialize the certificate manager:
asceds-certmanager-setup [-s certmanager]
configure the client (shown in Step 3 below) using the root/sudo choice
customize the website:
- edit the apache2/httpd site configuration file typically in /etc/${ASCEDSWEBEXEC}/sites-available/asceds.conf;
- decide on the authentication and add the right .htaccess to /usr/share/asceds/html/cert/ (see examples in /usr/share/doc/asceds/examples/site-*);
- edit the web php configuration in /usr/share/asceds/etc/config.php (see examples in /usr/share/doc/asceds/examples/php-etc);
- enable the website on the webserver: e.g. a2ensite asceds on Debian derivatives;
add authorized users: asceds-web-user -a username

Step 3: initialize the managed clients
On each managed client:

get info: certificate manager name, root/sudo account access, account on the web interface of the certificate manager
prerequisites: client should be connected to the network, have DNS record, public IP address, and the domain should be served by the certificate manager
connect to the certificate manager and follow instructions:
asceds-init [-s cert_manager]
when prompted, select the services using SSL certificates.

Step 4: the unmanaged clients
For each unmanaged client:

login to the certificate manager web interface;
request a certificate;
download the certificate into the client and reconfigure the services.