Automatic TLS certificate management in a SaaS environment

For our newest product Authentick Translate, we automatically issue TLS/SSL certificates for our users and their websites. Here we explain how.


For our newest product Authentick Translate, we automatically issue TLS/SSL certificates for our users and their websites. We have received some questions on how this works and will explain it in this blog post.

As we offer a generous free plan, we needed to ensure that our approach would not incur prohibitively high expenses for issuing certificates. So when we researched our options, cost and simplicity were always the deciding factors.

Nowadays, these are the options when it comes to automated TLS/SSL certificate management:

Use a Content Delivery Network (CDN) service such as Cloudflare for SaaS.

  • Pro: Benefit from caching responses on the CDN, resulting in reduced server load.
  • Contra: Requires negotiating custom pricing for Cloudflare Enterprise.

Use a Google Cloud or Amazon Web Services (AWS) load balancer and request certificates through its API.

  • Pro: No need to deal with key management and issuance.
  • Contra: Limited number of certificates supported per load balancer, resulting in expensive bills.

Handle certificates on your own.

  • Pro: Can use free TLS certificates from certificate authorities such as Let’s Encrypt or ZeroSSL.
  • Contra: We need to deal with key management and issuance for each of our users' websites.

Due to the relatively high entry cost of the hosted options, we decided to handle key management on our own. Doing so does, however, introduce a lot of coding and infrastructure requirements to keep our users' websites secure and reliable.

Our current infrastructure looks, very simplified, like the following ASCII diagram. The diagram notably excludes many details such as backups, auto-scaling, load balancing, CI/CD, and more.

As you can see, we terminate our traffic at the Caddy web server. This open-source web server is written in Go and highly customizable. We use Caddy for TLS offloading and certificate issuance.

When a request comes in, there are two possible scenarios: either a certificate for the requested hostname already exists in the Redis storage backend, or it does not.

If a certificate already exists, Caddy will use it and forward the request to the application server without further checks.

If no certificate exists, Caddy asks the backend whether the domain name is permitted. The backend performs some checks, such as looking up the customer in the database and verifying quota and DNS entries. If the domain is permitted, Caddy issues a TLS certificate on the spot using the TLS-ALPN challenge against Let's Encrypt or ZeroSSL.

If you are curious what a sample Caddyfile could look like, check out the examples on the Caddy website. You would still need to implement the distributed storage, autoscaling and backend checks yourself. The relevant configuration options would be:
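The backend check that the request flow above relies on, and that you would have to implement yourself, as an added example (this is not Authentick's or Caddy's code): a Go handler following the contract of Caddy's on-demand TLS `ask` endpoint, which Caddy queries with a GET request carrying a `domain` query parameter and which permits issuance with a 2xx status and denies it with any other. The customer record, the quota rule, the edge IP list and the injectable resolver are assumptions made for this example; in production `resolve` would be `net.DefaultResolver.LookupHost`.

```go
package main

import (
	"context"
	"net/http"
	"strings"
)
// Customer fields are assumptions; the post only says the backend looks up the customer and checks quota and DNS.
type customer struct {
	MaxCerts int
	Issued   map[string]bool // domains we already hold certificates for
}
type askHandler struct {
	byDomain map[string]*customer // constructed index: domain -> owning customer
	edgeIPs  map[string]bool      // public addresses of our Caddy edge nodes
	resolve  func(ctx context.Context, host string) ([]string, error) // net.DefaultResolver.LookupHost in production
}
// permitDomain applies the checks the post describes: known customer, quota left, DNS pointing at our edge.
func (h *askHandler) permitDomain(ctx context.Context, domain string) (bool, string) {
	domain = strings.ToLower(strings.TrimSuffix(strings.TrimSpace(domain), "."))
	if domain == "" || strings.ContainsAny(domain, "*/ ") { // never issue wildcards or junk names
		return false, "invalid domain"
	}
	c, ok := h.byDomain[domain]
	if !ok {
		return false, "domain not registered by any customer"
	}
	if !c.Issued[domain] && len(c.Issued) >= c.MaxCerts { // renewals of issued domains always pass
		return false, "certificate quota exhausted"
	}
	ips, err := h.resolve(ctx, domain) // DNS must point at us, else the ACME challenge fails and counts against CA rate limits
	if err != nil {
		return false, "dns lookup failed"
	}
	for _, ip := range ips {
		if h.edgeIPs[ip] {
			return true, "ok"
		}
	}
	return false, "dns does not point at our edge"
}

// ServeHTTP follows Caddy's on-demand TLS "ask" contract: GET ?domain=<name>; 2xx permits issuance, anything else denies.
func (h *askHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if ok, reason := h.permitDomain(r.Context(), r.URL.Query().Get("domain")); !ok {
		http.Error(w, reason, http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
}
```

Without such an endpoint, any host whose DNS points at your edge could trigger issuance, so this check is what keeps on-demand TLS from becoming an open certificate factory and exhausting your CA rate limits.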

Want to see this all in action and translate your website? Give our latest product Authentick Translate a try today and translate your website in seconds. 

We also provide custom consulting for scaling your infrastructure around the subject of TLS certificate management. Contact us now.
