Skip to content
Enterprise
🇩🇪 Deutsch 🇬🇧 English 🇫🇷 Français
Start your 90-day trial
Datargo OneEnterprise Single-pane-of-glass cockpit for enterprises. All modules from one source. Learn more
Flagships
Datargo Monitor Availability and security posture. Datargo CRM Support hub for every brand.
Operations & commerce
Datargo ID SSO and MFA for the whole suite. Datargo ERP GoBD-compliant commercial core.
Trust & crypto
NextPKINew Certificate lifecycle, 47-day ready.
Bundle of the month
Reliability Bundle

Datargo Monitor + NextPKI as a single billed package. NIS2 evidence and certificate lifecycle from one cockpit.

Learn more
By outcome
Reliability & security NIS2 evidence from monitoring + incident. Customer service hub Live chat, tickets, multi-brand. Identity & SSO One identity for all modules.
By compliance
NIS2-Evidence Evidence at the press of a button. DORA resilience Financial sector, register of information. ISO 27001 & GoBD Annex A controls and e-invoicing.
By size
Solo & indie team Productive in 5 minutes. Mid-market SSO, audit trail, multi-brand. Enterprise & public sector Hundreds of seats, region pinning.
Sovereignty Kit
NIS2 evidence package

Ready-made Datargo Monitor and Datargo CRM controls, mapped against NIS2 obligations. Start straight into the pilot.

Read the NIS2 whitepaper
Learn
Documentation Module guides, API reference, quick start. Best-practice guides NIS2 setup, multi-brand Datargo CRM, SSO rollout. Blog Release notes, compliance news, roadmap.
Trust
Trust Center Hosting, certificates, sub-processors. Status-Page Live availability of all Datargo modules. Legal & privacy DPA, sub-processor list.
Customers
Customer stories Case studies from finance, public, tech. Partner program System integrators, implementers, MSPs. Events & webinars it-sa, EIC, NIS2 roadshows.
From the cockpit
47-day TLS from 2029

NextPKI is already prepared for the new CA/B Forum reality. Whitepaper and migration guide available now.

Read the whitepaper
Platform Datargo Monitor Datargo CRM Datargo ID Datargo ERP NextPKI
Datargo One Pricing Compliance
Language
🇩🇪 Deutsch 🇬🇧 English 🇫🇷 Français
Start your 90-day trial Book a call
Skip to content
PKI & Certificates

ACME Beyond the Web Server: Certificate Automation for Internal Services and mTLS

17.03.2026 · 3 min read

Short lifetimes can only be managed through automation. Why internal PKI, service mesh and mTLS follow different patterns than the public web, and how ACME works behind the firewall too.

Shortening public TLS lifetimes towards an eventual 47 days has created an awareness that manual renewal no longer scales. What often gets overlooked: inside a company there are usually far more certificates than at the outward-facing edge. Service-to-service communication, mTLS in a service mesh, internal APIs and database connections all live on certificates, and these follow different patterns than the public web.

Why “internal” does not mean “simpler”

At the public web server the situation is tidy: a handful of domains, a public CA, a clearly defined validation path. Internally the ratio inverts. Here there are often hundreds or thousands of short-lived endpoints that appear and vanish dynamically, for instance when an orchestrator starts new containers. An internal CA issues certificates for them that nobody sees publicly, but which expire just the same, must renew just the same, and take down a service just the same when they fail.

The difference from the public world is therefore not lesser importance, but higher frequency and dynamism. With mTLS, where both sides authenticate each other with a certificate, the number of identities to manage doubles on top of that.

ACME is not just for Let’s Encrypt

ACME (RFC 8555) became known as the protocol for automatic issuance and renewal, above all through Let’s Encrypt on the public web. The protocol itself, however, is CA-agnostic. An internal CA can offer an ACME interface, and then internal services renew themselves through the same mechanism, without anyone ordering a certificate by hand.

For internal validation, different challenge types apply than on the public web. The HTTP challenge common for public domains rarely fits internal services. Instead, DNS-based methods or, depending on the environment, platform-bound identity proofs come into play. Service meshes partly solve this internally through their own identity layer and short-lived certificates with lifetimes of hours rather than weeks.

What makes the difference

Three capabilities decide whether internal automation holds.

Discovery facing inward too. The dangerous outage is rarely the well-tended front-end certificate. It is the forgotten one on an internal service, an appliance, or in a cluster nobody actively watches anymore. An inventory must capture internal endpoints as much as public ones.

A CA-agnostic view. In environments that have grown over time, several CAs usually coexist: a public one for the outer edge, one or more internal, and perhaps a cloud-native one. Management that offers a unified view and unified renewal across all of them prevents each CA from becoming its own island with its own gaps.

Renewal with control. Full automation is the goal, but not at the price of lost traceability. Where needed, automatic renewal includes a documented approval and logging step, so that even at high frequency it stays clear what was issued when.

Exactly this pattern, discovery first, then CA-agnostic automation with approval, underlies our NextPKI module. The thrust, though, holds independently of any tool: whoever masters the short lifetimes of the outer edge but overlooks the interior has not got the actual volume under control.

The 47-day discussion is a good occasion to widen the view. Most of a company’s certificates are not in the shop window, but in the engine room.

Back to the blog

Datargo Datargo

The European Business Operations Platform. Monitoring, customer service, identity, accounting, and certificates in one sovereign suite. Auditable by design. Made in Germany.

EU hosting, Frankfurt GDPR-native Made in Germany
Platform
  • Datargo One
  • Datargo Monitor
  • Datargo CRM
  • Datargo ID
  • Datargo ERP
  • NextPKI
Solutions
  • Reliability & Posture
  • Customer service hub
  • Identity & SSO
  • Commerce & GoBD
  • Scaling
Compliance
  • NIS2 evidence
  • DORA resilience
  • ISO 27001 mapping
  • GoBD & e-invoicing
  • Sovereignty
Industries
  • Financial services
  • Public sector
  • Health & pharma
  • Industry & TISAX
  • SaaS & tech
Resources
  • Trust Center
  • Documentation
  • Status page
  • Customer stories
  • Partner program
  • Blog
Company
  • Datargo One for enterprises
  • Start your 90-day trial
  • Book a call
  • Contact
  • Careers
© 2026 Datargo GmbH. All rights reserved.
Imprint Privacy Terms DPA SLA Sub-processorsDORA / NIS2
Germany · English

Datargo® and Databurg® are registered trademarks of Datargo GmbH. All other product names, logos, and trademarks mentioned are the property of their respective owners.

Cookies & optional features. Datargo uses technically necessary cookies. Optionally we enable comfort features such as our live-chat support, an in-house Datargo service that processes personal data in the process. You can accept everything or keep only the necessary cookies.

More in the privacy policy