TLS automation with regfish certbro
Install regfish certbro, configure API access, issue a certificate with automated DNS DCV, and enable unattended renewals on Linux.
Duration: about 10 minutes
Level: Advanced
Endpoints: 4
Tags: TLS, Certbro, DNS, Automation, Renewal, Platform

With the release of regfish certbro, there is now an open source Linux CLI that combines certificate ordering, DNS DCV, certificate download, key rotation, and deployment in one tool. This recipe is the fastest production-oriented entry point: install the current binary, configure API access, roll out a certificate, and enable unattended renewals.

Under the hood, certbro uses the regfish TLS API and DNS API, creates the required dns-cname-token validation records on its own, deploys stable PEM paths under live/, and keeps versioned material under archive/.

The source code and releases live in the regfish/certbro GitHub repository. certbro is an open source project by regfish GmbH, so that repository is also the place to inspect the code or contribute.

Prerequisites

  • Linux
  • a regfish API key with access to TLS and DNS
  • a DNS zone that is managed through regfish DNS
  • systemd, if you want to use certbro install

API keys can be created and managed in the regfish console.

Step 1: Install the current release

For the fastest setup, install the current Linux release through the installer. Be aware that this pipes a script fetched over HTTPS straight into sh: on production hosts, download the script first, read it, and only then execute it, and pin the version as shown further down so that repeated rollouts install the same binary:

bash
curl -fsSL https://install.certbro.com/rf | sh

If you want a reproducible rollout pinned to a specific version, set CERTBRO_VERSION explicitly. Pinning to the first release looks like this:

bash
curl -fsSL https://install.certbro.com/rf | CERTBRO_VERSION=v0.1.0 sh

Step 2: Configure API access

The starter commands below intentionally stick to the defaults. certbro already uses /etc/certbro/state.json as the state file and /etc/certbro as the managed certificates root, and derives each certificate directory from that root and the common name. Add --state-file, --certificates-dir, or --output-dir only when you want different paths. Two practical caveats: the API key is passed as a command-line argument, so it ends up in your shell history (prefix the command with a space under HISTCONTROL=ignorespace in bash, or remove the entry afterwards), and /etc/certbro holds the state file and the private keys, so keep it readable by root only.

bash
sudo mkdir -p /etc/certbro

sudo certbro configure \
  --api-key YOUR_REGFISH_API_KEY

Step 3: Issue and deploy the first certificate

Now order the certificate, let DNS validation be handled automatically through regfish DNS, and deploy the result into a stable target directory.

bash
sudo certbro issue \
  --name example-com \
  --common-name example.com \
  --dns-name www.example.com \
  --webserver nginx

This run creates fresh key material, orders the certificate, provisions the required DCV CNAME records through regfish DNS, and writes the deployment to the default path /etc/certbro/example.com. Inside that directory, certbro keeps stable PEM paths under live/ and versioned snapshots under archive/.

This first issue example also relies on the defaults for the DV product and the key settings. Add --product, --key-type, or --ecdsa-curve only when you intentionally want a non-default setup.

With --webserver nginx, you use the built-in validation and reload support. The same approach also works for apache and caddy.

Step 4: Test renewals manually once

After the first successful issue, run the renewal flow manually once before leaving it fully unattended.

bash
sudo certbro renew

If issuance is still pending after a timeout, just run the same command again. certbro continues watching the same request.

Step 5: Install the hourly renewal timer

For ongoing operation, install the bundled systemd timer:

bash
sudo certbro install

That gives you unattended hourly renewals based on the same local state and certificate directory.

Common extensions for production setups

  • multi-domain certificates: repeat --dns-name for each SAN
  • organization-validated products: pass --org-id hdl_... from /tls/organization or use the staged OV flow with Console completion
  • parallel RSA and ECDSA operation: certbro issue-pair
  • existing regfish orders: import them via certificate_id
  • immediate replacement: certbro renew --name example-com --force
  • one-off lifetime override: certbro renew --name example-com --force --validity-days 30
  • quiet automation output: use --quiet on issue or renew
  • without --validity-days, certbro uses a date-based default that follows the CA/B Forum schedule for shorter maximum lifetimes: 199 days from 2026-03-14, 99 days from 2027-03-14, and 46 days from 2029-03-14
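The following script is an added example for this recipe; it is not part of certbro or of regfish's own code. It wires the five steps above into one rollout function that uses only the flags and paths shown on this page, computes certbro's date-based default lifetime from the schedule in the list above, and then verifies the deployment the way a production host should: the state file and private key are root-only, the deployed certificate matches the key, it carries every requested SAN, and it still has at least 30 days left. The REGFISH_API_KEY variable, the rollout.sh name, and the rule for picking files under live/ (the key is the file openssl pkey can parse, the leaf is the certificate whose SANs include the common name) are assumptions of this example, not documented certbro behaviour.

```shell
#!/bin/sh
# Added example for this recipe, not certbro's own code: wraps the five
# steps above in one rollout function and adds the post-issue checks a
# production host should run.  Assumptions not stated on the page: the API
# key is supplied in REGFISH_API_KEY (keeps it out of shell history), the
# private key under live/ is the file `openssl pkey` can parse, and the leaf
# certificate is the file under live/ whose SANs include the common name.
set -eu

CERTBRO_ROOT=/etc/certbro               # default managed-certificates root
STATE_FILE="$CERTBRO_ROOT/state.json"   # default state file

# Build the `certbro issue` argument list: one --dns-name per SAN.
issue_args() {
  name=$1; cn=$2; web=$3; shift 3
  printf 'issue --name %s --common-name %s' "$name" "$cn"
  for san in "$@"; do printf ' --dns-name %s' "$san"; done
  printf ' --webserver %s\n' "$web"
}

# certbro's date-based default lifetime (see the list above).  For dates
# before 2026-03-14 the page gives no figure, so fail and print nothing.
default_validity_days() {
  n=$(printf '%s' "$1" | sed 's/-//g')   # 2026-03-14 -> 20260314
  if   [ "$n" -ge 20290314 ]; then echo 46
  elif [ "$n" -ge 20270314 ]; then echo 99
  elif [ "$n" -ge 20260314 ]; then echo 199
  else return 1
  fi
}

# Refuse group- or world-readable private material (state file, keys).
check_private_perms() {
  for f in "$@"; do
    [ -e "$f" ] || continue
    mode=$(stat -c %a "$f")
    case "$mode" in 600|400) ;; *) echo "insecure mode $mode on $f" >&2; return 1 ;; esac
  done
}

# Succeeds when every name given after the certificate path is a DNS SAN.
cert_covers() {
  cert=$1; shift
  sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName | tr -d ' \n'),
  for n in "$@"; do
    case "$sans" in *"DNS:$n,"*) ;; *) return 1 ;; esac
  done
}

# Succeeds when the certificate in $1 still has at least $2 days left.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# The deployed certificate and private key must belong together.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

rollout() {
  name=$1; cn=$2; shift 2                 # remaining arguments: SANs
  certbro configure --api-key "$REGFISH_API_KEY"
  # shellcheck disable=SC2046  # deliberate word splitting of the built args
  certbro $(issue_args "$name" "$cn" nginx "$@")
  certbro renew                           # run the renewal path once by hand
  certbro install                         # then hand it to the systemd timer

  live="$CERTBRO_ROOT/$cn/live"; key=""; cert=""
  for f in "$live"/*; do
    if openssl pkey -in "$f" -noout 2>/dev/null; then key=$f
    elif openssl x509 -in "$f" -noout 2>/dev/null && cert_covers "$f" "$cn"; then cert=$f
    fi
  done
  : "${key:?no private key under $live}" "${cert:?no leaf certificate under $live}"
  check_private_perms "$STATE_FILE" "$key"
  key_matches_cert "$cert" "$key"
  cert_covers "$cert" "$cn" "$@"
  cert_valid_for_days "$cert" 30
  echo "ok: $cert covers $cn $* and is valid for 30+ days"
}

# Usage: REGFISH_API_KEY=... ./rollout.sh rollout example-com example.com www.example.com
if [ "${1:-}" = rollout ]; then shift; rollout "$@"; fi
```

The checks run with plain openssl so they can also be dropped into a monitoring job: `cert_valid_for_days` on the live leaf is the signal that the hourly timer has stopped renewing, and `check_private_perms` catches a key that was copied out of /etc/certbro with loose permissions.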

Result

With this workflow, you can bring regfish certbro straight into a production Linux setup: ordering, DNS DCV, key rotation, deployment, and renewals run through one tool instead of separate scripts or raw API calls.
