Automated ACME SSL/TLS certificate management built around Azure Key Vault (App Service / Container Apps / Application Gateway / Front Door / CDN / others)
Acmebot was created to address the following requirements:
- Securely store SSL/TLS certificates with Azure Key Vault
- Centralize management of large numbers of certificates with a single Key Vault
- Easy to deploy and configure solution
- Highly reliable implementation
- Easy to monitor (Application Insights, Webhook)
Acmebot uses Azure Key Vault to provide secure and centralized management of ACME certificates.
- Issue certificates for Zone Apex, Wildcard and SANs (multiple domains)
- Dedicated dashboard for easy certificate management
- Automated certificate renewal
- Support for ACME v2 compliant Certification Authorities
  - Let's Encrypt
  - ZeroSSL (Requires EAB Credentials)
  - Google Trust Services (Requires EAB Credentials)
  - SSL.com (Requires EAB Credentials)
  - Entrust (Requires EAB Credentials)
- Certificates can be used with many Azure services
  - Azure App Service (Web Apps / Functions / Containers)
  - Azure Container Apps (Include custom DNS suffix)
  - Front Door (Standard / Premium)
  - Application Gateway v2
  - API Management
  - SignalR Service (Premium)
  - Virtual Machine
This fork includes additional features not present in the upstream repository:
Add custom metadata tags to Key Vault certificates during creation to organize and track certificates with flexible metadata (e.g., "Customer: Kraft", "Stage: production"). Tags are managed through the dashboard UI and stored directly in Azure Key Vault.
Key Features:
- Add/remove custom tags via dashboard UI
- Tags stored as Key Vault certificate metadata
- Protected system tags (Issuer, Endpoint, DnsProvider, DnsAlias) cannot be overwritten
- View certificate tags in certificate details modal
Streamlined workflow for Application Gateway certificate deployments requiring specific Azure infrastructure tags. Provides a dedicated UI mode enforcing mandatory fields: EntraID, SubscriptionID, and KeyVaultName.
Key Features:
- Toggle "Application Gateway Integration" mode in dashboard
- Enforced validation for 3 required Azure infrastructure tags
- Compatible with custom tags feature (tags can be combined)
- Client-side validation for internal use
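The two features above both come down to one rule set applied to the tag dictionary before it is written to Key Vault: custom tags may not overwrite the protected system tags, and in Application Gateway Integration mode the three infrastructure tags must be present. The following C# is an added example, not code from this fork or from upstream keyvault-acmebot; it shows a server-side check that mirrors the dashboard's client-side validation (client-side validation alone can be bypassed by calling the API directly). The tag-count and length limits are assumptions to confirm against current Key Vault documentation.

```csharp
// Added example, not code from the fork or upstream keyvault-acmebot.
// Server-side counterpart to the dashboard's tag validation: merges custom tags
// with Acmebot's system tags, refuses overwrites of protected keys, and enforces
// the mandatory tags of "Application Gateway Integration" mode.
using System;
using System.Collections.Generic;

public static class CertificateTagPolicy
{
    // Protected system tags listed in the README. Compared case-insensitively so
    // that "issuer" cannot slip past a check that only knows "Issuer".
    private static readonly HashSet<string> ProtectedKeys =
        new(StringComparer.OrdinalIgnoreCase) { "Issuer", "Endpoint", "DnsProvider", "DnsAlias" };

    // Mandatory tags when Application Gateway Integration mode is on.
    private static readonly string[] AppGatewayRequiredKeys = { "EntraID", "SubscriptionID", "KeyVaultName" };

    // Assumed Key Vault tag limits; confirm against current Key Vault documentation.
    private const int MaxTags = 15;
    private const int MaxTagLength = 512;

    // Returns the tag set to store on the Key Vault certificate, or throws listing
    // every validation problem found. System tags always win over custom tags.
    public static IDictionary<string, string> BuildTags(
        IReadOnlyDictionary<string, string> systemTags,
        IReadOnlyDictionary<string, string> customTags,
        bool appGatewayMode)
    {
        var errors = new List<string>();

        foreach (var (key, value) in customTags)
        {
            if (string.IsNullOrWhiteSpace(key))
                errors.Add("Tag keys must not be empty.");
            else if (ProtectedKeys.Contains(key))
                errors.Add($"'{key}' is a protected system tag and cannot be overwritten.");
            else if (key.Length > MaxTagLength || (value?.Length ?? 0) > MaxTagLength)
                errors.Add($"'{key}' exceeds the {MaxTagLength}-character tag limit.");
        }

        if (appGatewayMode)
        {
            foreach (var required in AppGatewayRequiredKeys)
            {
                if (!customTags.TryGetValue(required, out var v) || string.IsNullOrWhiteSpace(v))
                    errors.Add($"Application Gateway Integration requires the '{required}' tag.");
            }
        }

        if (customTags.Count + systemTags.Count > MaxTags)
            errors.Add($"At most {MaxTags} tags are allowed per certificate.");

        if (errors.Count > 0)
            throw new ArgumentException(string.Join(" ", errors));

        var merged = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (var (key, value) in customTags) merged[key] = value;
        foreach (var (key, value) in systemTags) merged[key] = value; // system tags overwrite
        return merged;
    }

    public static void Main()
    {
        // Constructed sample values; the placeholders stand in for real Acmebot metadata.
        var systemTags = new Dictionary<string, string>
        {
            ["Issuer"] = "Let's Encrypt",
            ["Endpoint"] = "<acme-directory-url>",
            ["DnsProvider"] = "<dns-provider>",
            ["DnsAlias"] = "",
        };

        var ok = new Dictionary<string, string>
        {
            ["Customer"] = "Kraft",
            ["Stage"] = "production",
            ["EntraID"] = "<tenant-id>",
            ["SubscriptionID"] = "<subscription-id>",
            ["KeyVaultName"] = "<vault-name>",
        };
        Console.WriteLine($"Accepted: {BuildTags(systemTags, ok, appGatewayMode: true).Count} tags");

        // Attempt to overwrite a protected tag and omit a mandatory one.
        var bad = new Dictionary<string, string> { ["issuer"] = "spoofed", ["Customer"] = "Kraft" };
        try { BuildTags(systemTags, bad, appGatewayMode: true); }
        catch (ArgumentException e) { Console.WriteLine($"Rejected: {e.Message}"); }
    }
}
```

Rejecting the whole request rather than silently dropping the offending keys keeps the dashboard honest about what was stored; the error message lists every problem so an operator fixes the form once.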
Opt-in certificate replication to a secondary Key Vault in a different region for disaster recovery. When enabled for a certificate, after issuance the complete certificate (including private key) is exported from the primary vault and imported into the DR vault, ensuring both vaults stay in sync.
Key Features:
- Per-certificate opt-in via "DR Vault Replication" toggle in the Add Certificate dialog
- Full certificate parity — cert, private key, and all tags are replicated to DR vault
- DR failure is blocking: if replication fails, the operation surfaces an error so issues are investigated rather than silently ignored
- Renewal inherits DR replication flag automatically — no manual re-enabling required
Configuration:
- Set the `Acmebot:DrVaultBaseUrl` app setting to the DR Key Vault URI
- Grant the function app managed identity `Key Vault Certificates Officer` on the DR vault
- Grant the function app managed identity `Key Vault Secrets User` on the primary vault
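The role assignments above follow directly from how a private key leaves one vault and enters another: the key is only readable through the certificate's backing secret (hence Secrets User on the primary vault), and importing a PFX/PEM bundle with a policy and tags is a certificate-management operation (hence Certificates Officer on the DR vault). The C# below is an added example, not this fork's own replication code; it assumes the Azure.Identity, Azure.Security.KeyVault.Certificates and Azure.Security.KeyVault.Secrets packages, and the vault URIs and certificate name are placeholders.

```csharp
// Added example, not the fork's own implementation. Replicates one certificate
// (private key, policy and tags) from the primary vault to the DR vault, which is
// why the README grants Key Vault Secrets User on the primary vault and
// Key Vault Certificates Officer on the DR vault. Assumes the Azure.Identity,
// Azure.Security.KeyVault.Certificates and Azure.Security.KeyVault.Secrets packages.
using System;
using System.Text;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;
using Azure.Security.KeyVault.Secrets;

public static class DrReplicator
{
    public static async Task ReplicateAsync(Uri primaryVault, Uri drVault, string certificateName)
    {
        // In the function app this resolves to the managed identity.
        var credential = new DefaultAzureCredential();
        var primaryCerts = new CertificateClient(primaryVault, credential);
        var primarySecrets = new SecretClient(primaryVault, credential); // Key Vault Secrets User
        var drCerts = new CertificateClient(drVault, credential);        // Key Vault Certificates Officer

        // 1. Public part, policy and tags from the primary vault.
        KeyVaultCertificateWithPolicy source = await primaryCerts.GetCertificateAsync(certificateName);

        // 2. The private key is only exposed through the backing secret of the same name.
        //    Key Vault returns base64 PKCS#12 or ASCII PEM depending on the policy's content type.
        KeyVaultSecret backing = await primarySecrets.GetSecretAsync(certificateName);
        bool isPem = string.Equals(backing.Properties.ContentType,
            CertificateContentType.Pem.ToString(), StringComparison.OrdinalIgnoreCase);
        byte[] bundle = isPem ? Encoding.ASCII.GetBytes(backing.Value) : Convert.FromBase64String(backing.Value);

        try
        {
            // 3. Import into the DR vault with the same policy and every tag (full parity).
            var import = new ImportCertificateOptions(certificateName, bundle)
            {
                Policy = source.Policy,
                Enabled = source.Properties.Enabled,
            };
            foreach (var tag in source.Properties.Tags)
                import.Tags[tag.Key] = tag.Value;

            // No try/catch around the import: a failure must propagate so the operation
            // surfaces an error instead of leaving the DR vault silently stale.
            KeyVaultCertificateWithPolicy replica = await drCerts.ImportCertificateAsync(import);

            // 4. Verify the copy really is the same certificate before declaring success.
            if (!replica.Properties.X509Thumbprint.AsSpan().SequenceEqual(source.Properties.X509Thumbprint))
                throw new InvalidOperationException(
                    $"DR vault holds a different certificate for '{certificateName}' after import.");
        }
        finally
        {
            // Drop the private key bytes from memory as soon as they are no longer needed.
            Array.Clear(bundle, 0, bundle.Length);
        }
    }

    public static Task Main() => ReplicateAsync(
        new Uri("https://<primary-vault>.vault.azure.net/"), // placeholder
        new Uri("https://<dr-vault>.vault.azure.net/"),      // placeholder
        "<certificate-name>");                                // placeholder
}
```

The thumbprint comparison is the check worth keeping even if everything else is simplified: an import that succeeds but stores a different certificate (for example an older version re-imported by a retry) would otherwise look like a healthy DR copy until failover.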
Deploy to Azure: Azure (Public) | Azure Government
Post-deployment: authentication required. Fresh deployments from the ARM template do not have authentication configured. The dashboard will return 401 Unauthorized until an identity provider is set up:
- Portal → Function App → Authentication
- Click Add identity provider → Select Microsoft
- Set Unauthenticated requests to HTTP 302 Found (Redirect)
- Save
For detailed setup instructions, see: Getting Started
- keyvault-acmebot by @shibayan and contributors
- ACMESharp Core by @ebekker
- Durable Functions by @cgillum and contributors
- DnsClient.NET by @MichaCo
This project is licensed under the Apache License 2.0