Certificates & Identity

Ghostunnel supports a variety of certificate sources, from plain PEM files on disk to hardware-backed keys and automatic certificate management protocols.

Certificate Formats

Supported certificate and key formats, how to prepare them, and how Ghostunnel selects the right loader.

ACME Support

Automatically obtain and renew public TLS certificates via Let's Encrypt or other ACME certificate authorities.

SPIFFE Workload API

Automatically manage certificates and trusted roots via SPIRE or other SPIFFE-compatible workload identity providers.

HSM/PKCS#11 Support

Load private keys from hardware security modules via the PKCS#11 interface.

Keychain Support

Load certificates and private keys from the macOS Keychain or Windows Certificate Store, including hardware-backed keys.