Overview
Learn how to sync certificates from KMS PKI to third-party services.
Certificate Syncs enable you to push certificates from Hanzo KMS to third-party services using App Connections.
Certificate Syncs are designed to automatically deploy certificates issued by your Certificate Authority to external services, ensuring your certificates are always up-to-date across your infrastructure.
Concept
Certificate Syncs are a project-level resource used to push certificates, via an App Connection, from Hanzo KMS to a third-party service (destination). When paired with server-side auto-renewal, renewed certificates are automatically synced to the destination, ensuring your certificates stay current.
```mermaid
%%{init: {'flowchart': {'curve': 'linear'} } }%%
graph LR
    A[App Connection]
    B[Certificate Sync]
    C[Certificate 1]
    D[Certificate 2]
    E[Certificate 3]
    F[Third-Party Service]
    G[Certificate 1]
    H[Certificate 2]
    I[Certificate 3]
    B --> A
    C --> B
    D --> B
    E --> B
    A --> F
    F --> G
    F --> H
    F --> I
    classDef default fill:#ffffff,stroke:#666,stroke-width:2px,rx:10px,color:black
    classDef connection fill:#FFF2B2,stroke:#E6C34A,stroke-width:2px,color:black,rx:15px
    classDef certificate fill:#E6F4FF,stroke:#0096D6,stroke-width:2px,color:black,rx:15px
    classDef sync fill:#F4FFE6,stroke:#96D600,stroke-width:2px,color:black,rx:15px
    classDef service fill:#E6E6FF,stroke:#6B4E96,stroke-width:2px,color:black,rx:15px
    class A connection
    class B sync
    class C,D,E,G,H,I certificate
    class F service
```
Configuring a Certificate Sync requires three components: the certificates that you'd like to push, a destination endpoint to deploy certificates to, and configuration options that determine how your certificates should be synced. Follow these steps to start syncing:
For step-by-step guides on syncing to a particular third-party service, refer to the Certificate Syncs section in the Navigation Bar.
- Create App Connection: If you have not already done so, create an App Connection via the UI or API for the third-party service you intend to sync certificates to.
- Create Certificate Sync: Configure a Certificate Sync in the desired project by specifying the following parameters via the UI or API:
- Destination: The App Connection to utilize and the destination endpoint to deploy certificates to, such as AWS Certificate Manager, Azure Key Vault, or Cloudflare Custom Certificate.
- Certificates: The certificates you wish to push to the destination.
- Options: Customize how certificates should be synced, including:
- Whether certificates should be removed from the destination when they expire.
- Whether to include the Root CA certificate in the certificate chain.
- Certificate naming schema to control how certificate names are generated in the destination.
Only certificates managed by Hanzo KMS will be affected during sync operations. Certificates not created or managed by Hanzo KMS will remain untouched, and changes made to Hanzo KMS-managed certificates directly in the destination service may be overwritten by future syncs.
Some third-party services do not support removing expired certificates automatically.
- Utilize Sync: Selected certificates will now be pushed to the destination endpoint and automatically redeployed whenever they are renewed.
Hanzo KMS is continuously expanding its Certificate Sync third-party service support. If the service you need isn't available, contact us at team@kms.hanzo.ai to make a request.
Certificate Naming
Certificate Syncs support flexible certificate naming through configurable naming schemas. This allows you to customize how certificate names appear in your destination services.
Default Naming
By default, certificates are named using the pattern Hanzo KMS-{certificateId} where {certificateId} is the unique identifier of the certificate with hyphens removed for compatibility with services like Azure Key Vault.
Custom Naming Schema
You can customize certificate naming by providing a Certificate Name Schema when creating or updating a Certificate Sync. The schema supports the following placeholders:
- {{certificateId}} - The unique certificate identifier (required)
Examples:
- myapp-{{certificateId}} → myapp-abc123def456
- ssl/{{certificateId}} → ssl/abc123def456
Rules:
- Must include exactly one {{certificateId}} placeholder
- Only alphanumeric characters, dashes (-), underscores (_), and slashes (/) are allowed
- Certificate names matching your schema will be managed by Hanzo KMS during sync operations
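As an added illustration of the naming rules above (example code written for this page, not Hanzo KMS's own implementation), the following Python validates a schema, renders the destination name for a certificate, and sorts the names found in a destination into those the schema claims and those the sync leaves untouched. It assumes the certificate id is rendered as the UUID with hyphens removed, as in the default naming.

```python
from __future__ import annotations
import re
import uuid

PLACEHOLDER = "{{certificateId}}"
# Characters permitted in the literal part of a schema (rule on this page).
SCHEMA_CHARS = re.compile(r"[A-Za-z0-9_/-]*")
# How the id appears inside a name: the certificate UUID with hyphens removed,
# as in the default naming. Assumption: custom schemas render it the same way.
CERT_ID_PATTERN = r"[0-9a-f]{32}"


def validate_schema(schema: str) -> list[str]:
    """Return the rule violations for a schema (an empty list means valid)."""
    problems = []
    if schema.count(PLACEHOLDER) != 1:
        problems.append(f"schema must contain exactly one {PLACEHOLDER}")
    literal = schema.replace(PLACEHOLDER, "")
    if not SCHEMA_CHARS.fullmatch(literal):
        problems.append("only alphanumerics, '-', '_' and '/' are allowed")
    return problems


def render_name(schema: str, certificate_id: str) -> str:
    """Name a certificate will carry in the destination service."""
    problems = validate_schema(schema)
    if problems:
        raise ValueError("; ".join(problems))
    compact_id = uuid.UUID(certificate_id).hex  # 32 hex chars, no hyphens
    return schema.replace(PLACEHOLDER, compact_id)


def partition_destination(schema: str, names: list[str]) -> tuple[list[str], list[str]]:
    """Split names found in a destination into (managed by the sync, untouched).
    Only names that match the schema exactly are treated as managed."""
    problems = validate_schema(schema)
    if problems:
        raise ValueError("; ".join(problems))
    prefix, suffix = schema.split(PLACEHOLDER)
    matcher = re.compile(re.escape(prefix) + CERT_ID_PATTERN + re.escape(suffix))
    managed = [n for n in names if matcher.fullmatch(n)]
    untouched = [n for n in names if not matcher.fullmatch(n)]
    return managed, untouched


if __name__ == "__main__":
    # Constructed sample: one KMS-issued certificate plus a destination listing
    schema = "ssl/{{certificateId}}"
    name = render_name(schema, "123e4567-e89b-12d3-a456-426614174000")
    listing = [name, "ssl/legacy-wildcard", name + "-copy", "api/" + name[4:]]
    print(partition_destination(schema, listing))
```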