Public certificates that renew themselves. Before they fail.
ACME automation with ARI – the CA tells you when to renew, not a cron job. Certificates deploy before the old ones expire, with zero downtime.
What ACME ARI does
Public certificate renewal driven by the CA itself. Every capability is designed around eliminating renewal failures before they happen.
CA-signalled renewal timing
The CA tells Hub exactly when each certificate should renew via the ARI protocol. No guessing, no hardcoded thresholds, no stale cron schedules.
Zero-downtime certificate rotation
New certificates deploy alongside existing ones. Traffic shifts after validation confirms the new cert is live – no gap, no interruption.
Automatic DNS and HTTP validation
DNS-01 and HTTP-01 challenges handled automatically. Scout deploys the proof, the CA verifies, the certificate issues – no manual steps.
Multi-CA support
Let's Encrypt, ZeroSSL, any ACME-compatible CA. Hub manages the relationship with each provider. You choose per domain or per policy.
Fallback strategies and retries
If the primary CA is unreachable or rate-limited, Hub escalates through fallback providers with exponential backoff. Renewal doesn't stall.
Audit trail for every renewal
Every ARI signal, every challenge response, every certificate deployment – logged with timestamps, reasons, and outcomes. Full accountability.
How ARI-driven renewal works
The CA signals the optimal renewal window. Hub listens. Scout executes. Certificates deploy before the old ones expire.
CA publishes optimal renewal timing per certificate
Policy check, deploy window, provider selection
ACME challenge, CSR, certificate install
Renews at a fixed percentage of lifetime – regardless of CA state or revocation events
Failures silently accumulate until the certificate expires
No awareness of CA-initiated early revocations or policy changes
CA signals the exact window – adapts to lifetime changes, revocations, and policy shifts
Escalating retries with fallback CAs – renewal doesn't depend on one provider
Immediate response to CA-initiated revocations – no waiting for the next cron cycle
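The contrast above between fixed-percentage renewal and CA-signalled timing, as an added example (not cyphrs Hub or Scout code): it picks a renewal time from an ARI renewalInfo response as RFC 9773 describes, and falls back to a fixed share of the lifetime when no usable window is available. The function names, the sample certificate and responses, and the 2/3 fallback fraction are assumptions constructed for illustration.

```python
import random
from datetime import datetime, timedelta

# Constructed sample data: a 47-day certificate and two ARI renewalInfo bodies.
NOT_BEFORE = datetime.fromisoformat("2025-01-01T00:00:00+00:00")
NOT_AFTER = NOT_BEFORE + timedelta(days=47)
NOW = datetime.fromisoformat("2025-01-10T00:00:00+00:00")
ROUTINE = {"suggestedWindow": {"start": "2025-02-01T00:00:00Z",
                               "end": "2025-02-03T00:00:00Z"}}
# Window already in the past: the CA wants this certificate replaced early.
EARLY = {"suggestedWindow": {"start": "2025-01-05T00:00:00Z",
                             "end": "2025-01-06T00:00:00Z"}}

def parse_ts(value):
    # RFC 3339 timestamp; "Z" is rewritten so older Python versions accept it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def pick_renewal_time(renewal_info, not_before, not_after, fraction=2 / 3, rng=random):
    """Return (when, source): a time inside the CA's window, or a fixed-lifetime fallback."""
    try:
        window = renewal_info["suggestedWindow"]
        start, end = parse_ts(window["start"]), parse_ts(window["end"])
        if end <= start:
            raise ValueError("empty or inverted window")
    except (KeyError, ValueError, TypeError, AttributeError):
        # No usable ARI data: fall back to the fixed-percentage rule (assumed 2/3).
        return not_before + (not_after - not_before) * fraction, "fallback"
    # Uniformly random point in the window, so clients do not all renew at once.
    offset = rng.uniform(0, (end - start).total_seconds())
    return start + timedelta(seconds=offset), "ari"

def should_renew_now(when, now):
    # A selected time that has already passed means renew immediately.
    return when <= now

if __name__ == "__main__":
    for name, info in (("routine", ROUTINE), ("early", EARLY), ("no ARI", None)):
        when, source = pick_renewal_time(info, NOT_BEFORE, NOT_AFTER)
        print(name, source, when.isoformat(), "renew now:", should_renew_now(when, NOW))
```

With the constructed EARLY response the certificate is due on day 9 of its life, while the fixed 2/3 rule alone would not act until day 31.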
ARI tells you when to renew. Hub policy tells you when to deploy. Define maintenance windows per environment, stagger rollouts across regions, and enforce approval gates for production certificates – all without losing the ARI timing advantage.
Scout discovers which endpoints need public automation – classifying each by trust model so the right certificates go to the right systems.
Built for public-facing infrastructure
Hundreds of edge nodes, each serving different domains. ACME ARI renews certificates at the edge without centralised coordination – each node handles its own challenges, guided by Hub policy.
Scale to thousands of endpoints. No single point of failure.
100+ domains across different providers and registrars. Hub tracks every certificate, every domain, every renewal window – and ensures each one renews from the right CA at the right time.
DNS-01 validation across Route 53, Cloudflare, and custom providers.
Certificate lifetimes are dropping to 47 days. Manual renewal at that cadence is unsustainable. ARI-driven automation handles the volume increase without adding operational burden.
For internal systems, Trust CA provides private certificates instead.
Part of [cyphrs]™ Hub
ACME ARI handles the public trust domain. It connects to every other module in the platform.
ACME ARI handles public endpoints. Trust CA handles private infrastructure – internal APIs, service mesh, RFC 1918 addresses. Hub routes each certificate to the right authority.
Scout discovers your TLS estate and classifies which endpoints need public vs private certificates. It then deploys as the ACME client – handling challenges and installing certificates.
Hub's policy engine governs renewal strategy – which CA to use, which domains get which provider, deploy windows, fallback chains, and approval workflows.
Stop renewing certificates manually
Early access is free. We're working with a small number of teams to shape the platform.