> ## Documentation Index
> Fetch the complete documentation index at: https://docs.certgovernance.app/llms.txt
> Use this file to discover all available pages before exploring further.

# What is CertForge?

> Certificate governance for organizations that need to know what's trusted on their network and why.

CertForge is a certificate governance platform that gives security and operations teams a single place to define which domains can receive certificates, who must approve them, which CA issues them, and a complete audit trail of every issuance, renewal, and download.

Developers get a standard ACME endpoint. Security gets policy enforcement and approval workflows. Everyone gets a dashboard instead of a spreadsheet.

## Why CertForge

Most organizations accumulate certificate chaos over time: dev teams self-signing and ignoring browser warnings, ops manually tracking renewal dates and missing them, security with no visibility into what's trusted where, and ACME automation bolted on per-application with no central policy.

The result is outages from expired certs, shadow CAs no one controls, and audit findings because there's no record of who approved what.

CertForge is the governance layer that sits in front of your CAs — public ACME or internal — and enforces the rules your organization actually needs.

## Two deployment options

<CardGroup cols={2}>
  <Card title="Cloud (Hosted)" icon="cloud" href="https://app.certgovernance.app/signup">
    Managed by CertForge. No infrastructure to run. Free tier available. Ideal for teams that want to get started immediately.
  </Card>

  <Card title="Self-Hosted" icon="server" href="/self-hosted/quick-start">
    Run the binary on your own infrastructure. Full data sovereignty. License required. Ideal for air-gapped environments and compliance-sensitive organizations.
  </Card>
</CardGroup>

## Key features

* **Certificate Discovery** — automatically surfaces every certificate in your environment via CT log scanning, active TLS scanning, and CA connector imports; each cert receives a governance status (tracked, untracked, or ungoverned) and is evaluated against your policy for violations
* **CA Connectors** — import your entire existing certificate inventory from external CAs (DigiCert, Sectigo, internal CAs) via lightweight connector binaries; discovered certs appear in the dashboard alongside CertForge-issued certs
* **Domain Trust Profiles** — policy objects that define which domains can get certs, which CA issues them, who must approve, allowed EKU, wildcard rules, max validity days, and key requirements
* **Approval workflows** — human-in-the-loop approval with full audit trail; SOC 2 and ISO 27001 compatible; configurable mandatory approval reasons
* **ACME endpoint** — drop-in replacement for Let's Encrypt clients; works with certbot, acme.sh, and any RFC 8555 client
* **Internal CA** — built-in CA for internal domains; no external CA required for private PKI
* **Applications** — group hostnames and cert configurations under named applications with owners; enables application-level coverage tracking and targeted expiry notifications to the right people
* **Inventory** — unified view of all discovered and issued certificates; classify by governance status (Governed, Monitored, Externally Managed), bulk-assign to Trust Profiles, and renew governed certs directly from the inventory
* **Kubernetes / cert-manager** — native cert-manager external issuer (`certforge-issuer`) routes cluster certificate requests through CertForge policy; existing cert-manager `Certificate` manifests work unchanged, policy is enforced transparently
* **Dashboard** — real-time KPIs across your entire certificate estate: CertForge Managed, CA Inventory, Tracked, Expiring ≤30 Days, and Ungoverned; with pending approval queue and recent activity feed
* **REST API** — full programmatic access for CI/CD pipelines, custom tooling, and integrations; token-authenticated
* **Alerts** — configurable rules for expiring certs, stale approval queues, and failing issuance; application owners receive targeted notifications listing only their application's certs
* **Reports** — built-in reports for certificate inventory, expiring certs, application coverage, and approval activity; subscribe to scheduled email delivery from your profile
* **Notifications** — org-level notification channels: Webhook, Slack, Microsoft Teams, Webex; used for alert delivery, approval requests, and approval outcomes
* **SSO / OIDC** — integrate with any OIDC provider (Keycloak, Okta, Azure AD, etc.) for single sign-on
* **Compliance frameworks** — assign SOC 2, ISO 27001, PCI-DSS, or HIPAA to enforce policy requirements and generate audit evidence
* **AI risk assessment** — automatic risk scoring on approval requests with reasoning, stored in the audit trail
* **DNS account management** — configure DNS provider credentials in the UI (Cloudflare, RFC 2136); linked per Domain Trust Profile for automated ACME DNS-01
* **SIEM integration** — forward all audit events to your SIEM via HTTPS webhook or UDP syslog in JSON or CEF format (Enterprise tier)
* **Audit log** — immutable hash-chained record of every certificate, approval, and admin action; filterable by org, event type, actor, and date; exportable as CSV or JSON
* **Tamper-evident audit chain** — every approval decision is cryptographically linked in a hash chain: each record's SHA-256 hash covers the record content plus the previous record's hash. This proves to auditors that no certificate was issued without authorization and that the log has not been altered. Chain integrity is verifiable on demand from the UI.

## Trust & security

CertForge is built for security-sensitive environments. The platform enforces policy before any certificate is issued, maintains a cryptographically protected audit trail, and supports MFA, SSO, and org-level isolation out of the box.

<Card title="Security model" icon="shield-halved" href="/security">
  Authentication, authorization, audit trail integrity, encryption, and responsible disclosure — full security documentation for security-conscious buyers and compliance teams.
</Card>
