r/selfhosted 7h ago

Automation Automating Home Assistant Certs with Cert Warden

If you're not aware, the CA/B Forum over the next few years is slowly reducing the length of SSL certs down to 47 days on a schedule. In March of 2027 it will be 200 days, then 100 days in March 2028, and down to 47 days in March 2029. In my home setup earlier this year I previously bought the cheapest wildcard certificate, as my setup was not equipped to automate certs that did not support DNS-01. My HA setup is operating on split-brain DNS with the Nginx Proxy add-on. With this combined with Nabu Casa I was unable to do a proper DNS-01 setup, leaving me with a manual SSL cert option.

Earlier this year while browsing in /r/selfhosted I stumbled upon Cert Warden and have been wanting to check it out.

Last night I stayed up for a few hours and was able to fully automate my SSL key management for Home Assistant, and I plan on doing this for the apps that I cannot place behind Traefik or that have their own DNS-01, like OPNsense or my Synology. Cert Warden seems to be the perfect self-hosted solution for this. The ability to do post-process hooks and per-key API keys is where it really shines. Unfortunately it doesn't do a backend HSM or encryption.

I've written about my process below. In this scenario it can be improved by feeding in the key material to remove API keys. The flow of this process is: Cert Warden is the ACME broker, and the post-processing of Cert Warden SSHs into the Home Assistant SSH container in a non-protected mode, which in turn executes an update script to call the Cert Warden API.

https://wesleyk.me/automating-home-assistant-certs-with-cert-warden
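As an added example (not code from the post or from Cert Warden), this is the shape of the HA-side update script that the post-process hook would trigger over SSH: pull the bundle, refuse to install it unless the certificate and key match and the certificate is not about to expire, then swap the files in and restart the proxy add-on. The Cert Warden download paths and `X-API-Key` header, the `/ssl` file names and the `core_nginx_proxy` add-on slug are assumptions, so check them against your own instance.

```shell
#!/bin/sh
# Added example, not from the post or from Cert Warden. Endpoint paths, header name,
# /ssl file names and the add-on slug are assumptions; verify against your setup.
set -eu

CW_URL="${CW_URL:-https://certwarden.example.internal}"   # placeholder Cert Warden host
CERT_NAME="${CERT_NAME:-home-assistant}"                  # certificate name in Cert Warden
API_KEY="${CW_API_KEY:-}"                                 # per-certificate API key
SSL_DIR="${SSL_DIR:-/ssl}"                                # read by the Nginx Proxy add-on

# Download full chain and private key using the per-certificate key (assumed API shape).
fetch_bundle() {
  [ -n "$API_KEY" ] || { echo "CW_API_KEY not set" >&2; return 1; }
  curl -fsS -H "X-API-Key: $API_KEY" \
    "$CW_URL/certwarden/api/v1/download/certificates/$CERT_NAME" -o "$1"
  curl -fsS -H "X-API-Key: $API_KEY" \
    "$CW_URL/certwarden/api/v1/download/privatekeys/$CERT_NAME" -o "$2"
}

# Gate the install: cert public key must equal the private key's public key, and the
# cert must still be valid for at least min_days. A bad pair would take HA offline.
verify_bundle() {
  cert="$1"; key="$2"; min_days="${3:-7}"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ] || return 1
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null
}

# Write to temp names first, then rename, so the proxy never sees a half-written file.
install_bundle() {
  install -m 0644 "$1" "$SSL_DIR/fullchain.pem.new"
  install -m 0600 "$2" "$SSL_DIR/privkey.pem.new"
  mv -f "$SSL_DIR/fullchain.pem.new" "$SSL_DIR/fullchain.pem"
  mv -f "$SSL_DIR/privkey.pem.new"  "$SSL_DIR/privkey.pem"
}

main() {
  tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
  fetch_bundle "$tmp/cert.pem" "$tmp/key.pem"
  verify_bundle "$tmp/cert.pem" "$tmp/key.pem"
  install_bundle "$tmp/cert.pem" "$tmp/key.pem"
  ha addons restart core_nginx_proxy   # HA CLI in the SSH add-on; slug is an assumption
}

# Invoke as "update-cert.sh run" from the hook; sourcing the file only defines functions.
[ "${1:-}" = "run" ] && main
```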


u/ElevenNotes 4h ago

Home Assistant should be behind a reverse proxy and not handle any certs at all. Why? Because your reverse proxy can also act as a WAF and protect your Home Assistant from unauthorized access much better than Home Assistant can.


u/HearthCore 38m ago

Agreed.