Public certificates that renew themselves. Before they fail.
ACME automation with ARI – the CA tells you when to renew, not a cron job. Certificates deploy before the old ones expire, with zero downtime.
What ACME ARI does
Public certificate renewal driven by the CA itself. Every capability is designed around eliminating renewal failures before they happen.
CA-signalled renewal timing
The CA tells Hub exactly when each certificate should renew via the ARI protocol. No guessing, no hardcoded thresholds, no stale cron schedules.
Zero-downtime certificate rotation
New certificates deploy alongside existing ones. Traffic shifts after validation confirms the new cert is live – no gap, no interruption.
Automatic DNS and HTTP validation
DNS-01 and HTTP-01 challenges handled automatically. Scout deploys the proof, the CA verifies, the certificate issues – no manual steps.
Multi-CA support
Let's Encrypt, ZeroSSL, any ACME-compatible CA. Hub manages the relationship with each provider. You choose per domain or per policy.
Fallback strategies and retries
If the primary CA is unreachable or rate-limited, Hub escalates through fallback providers with exponential backoff. Renewal doesn't stall.
Audit trail for every renewal
Every ARI signal, every challenge response, every certificate deployment – logged with timestamps, reasons, and outcomes. Full accountability.
How ARI-driven renewal works
The CA signals the optimal renewal window. Hub listens. Scout executes. Certificates deploy before the old ones expire.
The CA signals: the CA publishes optimal renewal timing per certificate.
Hub listens: policy check, deploy window, provider selection.
Scout executes: ACME challenge, CSR, certificate install.
Cron-based renewal:
Renews at a fixed percentage of lifetime – regardless of CA state or revocation events
Failures silently accumulate until the certificate expires
No awareness of CA-initiated early revocations or policy changes
ARI-driven renewal:
CA signals the exact window – adapts to lifetime changes, revocations, and policy shifts
Escalating retries with fallback CAs – renewal doesn't depend on one provider
Immediate response to CA-initiated revocations – no waiting for the next cron cycle
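The contrast above, as an added example (not Cyphrs code): how an ACME client following RFC 9773 could build the ARI certificate identifier and turn a renewalInfo response into a renew-now decision, next to a fixed-fraction timer. The function names, the two-thirds threshold, the dates and the `ca.example` URL are assumptions made for illustration; the identifier bytes are the sample values used in RFC 9773.

```python
import base64
import random
from datetime import datetime, timedelta, timezone

def b64url(raw: bytes) -> str:
    """Unpadded base64url, as ACME uses throughout."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def ari_cert_id(aki_key_id: bytes, serial_der: bytes) -> str:
    # RFC 9773: base64url(AKI keyIdentifier) "." base64url(DER serial bytes);
    # the client GETs <renewalInfo URL>/<this id> to fetch the window.
    return b64url(aki_key_id) + "." + b64url(serial_der)

def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def renewal_decision(info, now, not_before, not_after, next_wake, rng=random):
    """Compare the CA-signalled window with a fixed-fraction timer."""
    start = parse_ts(info["suggestedWindow"]["start"])
    end = parse_ts(info["suggestedWindow"]["end"])
    if end <= start:
        raise ValueError("suggestedWindow end must be after start")
    # RFC 9773: pick a uniformly random instant inside the window.
    span = (end - start).total_seconds()
    chosen = start + timedelta(seconds=rng.uniform(0, span))
    # Renew immediately if that instant has passed or falls before the next run.
    renew_now = chosen <= now or chosen < next_wake
    # Assumed cron-style rule: renew at two thirds of the certificate lifetime.
    fixed = not_before + (not_after - not_before) * 2 / 3
    return {"chosen": chosen, "renew_now": renew_now,
            "fixed_timer": fixed, "fixed_timer_would_wait": fixed > now}

# Constructed sample data: a 90-day certificate checked on day 19.
UTC = timezone.utc
NOT_BEFORE = datetime(2025, 1, 1, tzinfo=UTC)
NOT_AFTER = datetime(2025, 4, 1, tzinfo=UTC)
NOW = datetime(2025, 1, 20, tzinfo=UTC)
NEXT_WAKE = NOW + timedelta(hours=12)
NORMAL = {"suggestedWindow": {"start": "2025-02-28T00:00:00Z",
                              "end": "2025-03-02T00:00:00Z"}}
# A CA that plans to revoke early moves the window into the past.
PULLED_FORWARD = {"suggestedWindow": {"start": "2025-01-10T00:00:00Z",
                                      "end": "2025-01-11T00:00:00Z"},
                  "explanationURL": "https://ca.example/incident"}

if __name__ == "__main__":
    print(ari_cert_id(bytes.fromhex("69885b6b87464041e1b37b847ba0ae2cde01c8d4"),
                      bytes.fromhex("0087654321")))
    for name, info in (("normal", NORMAL), ("pulled forward", PULLED_FORWARD)):
        print(name, renewal_decision(info, NOW, NOT_BEFORE, NOT_AFTER, NEXT_WAKE))
```

With the pulled-forward window the ARI path renews at once, while the fixed timer would not fire until 2 March.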
ARI tells you when to renew. Hub policy tells you when to deploy. Define maintenance windows per environment, stagger rollouts across regions, and enforce approval gates for production certificates – all without losing the ARI timing advantage.
Scout discovers which endpoints need public automation – classifying each by trust model so the right certificates go to the right systems.
The cert is the artifact. The renewal authority is the load-bearing piece.
Every public certificate depends on a chain of upstream control: the ACME account that signs the order, the DNS records that prove ownership, the deployment path that installs the cert before it expires. As DV reuse windows compress alongside lifetimes, every renewal exercises every link in that chain. Cyphrs governs the chain.
Every public cert renewal happens under an ACME account. Cyphrs tracks which account signed which order, surfaces which accounts have authority over which domains, and flags when an account becomes a single point of failure across your estate. When Let's Encrypt has its next incident, you see exactly which renewals are exposed before the page does.
The persistent DNS configuration that makes DNS-01 validation viable at scale – _acme-challenge records, CNAMEs to delegated zones, TTL discipline. Cyphrs parses your DNS-PERSIST setup, maps which domains depend on which validation paths, and flags configurations that won't survive the 10-day DV reuse window.
If validation lives in a sub-zone delegated to a different team or provider, the delegation itself is part of the renewal authority. Cyphrs surfaces delegated DNS authority across your estate – who controls the _acme-challenge zone for which apex, and whether the chain of delegation has gaps that will silently break renewals.
A renewed certificate that doesn't reach the endpoint is the same as no renewal. Cyphrs tracks the deployment path from issuance to install, with active verification that the new cert is the one actually served. Failed deployments roll back; lifecycle events are bound to the audit log.
DV reuse periods are compressing alongside certificate lifetimes. By 2029, every renewal will exercise every link in the validation chain. The renewal authority stops being a one-time setup and starts being load-bearing infrastructure. Cyphrs treats it that way today.
Built for public-facing infrastructure
Hundreds of edge nodes, each serving different domains. ACME ARI renews certificates at the edge without centralised coordination – each node handles its own challenges, guided by Hub policy.
Scale to thousands of endpoints. No single point of failure.
100+ domains across different providers and registrars. Hub tracks every certificate, every domain, every renewal window – and ensures each one renews from the right CA at the right time.
DNS-01 validation across Route 53, Cloudflare, and custom providers.
Certificate lifetimes are dropping to 47 days. Manual renewal at that cadence is unsustainable. ARI-driven automation handles the volume increase without adding operational burden.
For internal systems, Trust CA provides private certificates instead.
Part of [cyphrs]™ Hub
ACME ARI handles the public trust domain. It connects to every other module in the platform.
ACME ARI handles public endpoints. Trust CA handles private infrastructure – internal APIs, service mesh, RFC 1918 addresses. Hub routes each certificate to the right authority.
Scout discovers your TLS estate and classifies which endpoints need public vs private certificates. It then deploys as the ACME client – handling challenges and installing certificates.
Hub's policy engine governs renewal strategy – which CA to use, which domains get which provider, deploy windows, fallback chains, and approval workflows.
Stop renewing certificates manually
Early access is free. We're working with a small number of teams to shape the platform.