Dashboard reference

This page documents every screen in the dashboard and every setting on it. The left sidebar in the app groups screens into View, Build, Manage, Monitor, and Settings — this reference follows the same order. Availability of some settings depends on your plan; those are flagged inline.

View

The read-only overview of your fleet. View > Certificates lists every certificate sorted by expiry; clicking one opens a detail sheet. View > Agents lists connection health.

aethercert.com/dashboard/certificates
Certificates Search
Common nameAuthorityTargetExpiry
Issuedapp.example.comLet's Encryptweb-fleetin 71 days
Deployed*.internal.corpCorp Issuing CAadcs-01in 40 days
Renewingmail.example.comGoogle Trustexch-01in 12 days
Errorvpn.example.comLet's Encryptns-adcfailed
View › Certificates — every certificate, sorted by expiry, with live status.

Certificate detail sheet

Opening a certificate shows its full record and per-certificate actions:

SettingValuesWhat it does
Status
Issued · Deployed · Renewing · Failed · Revoked
Where the certificate is in its lifecycle. A failed job surfaces its error inline, in plain language.
Common name & SANs
The identities the certificate covers.
Authority / Target / Key type
Which CA issued it, which agent or group serves it, and the private-key algorithm.
Serial · Fingerprint · Validity
The issued certificate's serial number, SHA-256 fingerprint, and not-before/not-after window — reported by the agent, never the key itself.
Renew now
action
Queues an immediate renewal job for the certificate's current target.
Revoke
action
Queues a revoke job that calls the CA's real revoke operation (ACME or internal REST), not just a local status flip.
Edit
action
Opens the edit dialog; saving reissues with the new configuration (see Manage › Jobs).

Build — the Certificate Job

Build > Certificate Job is the main form: it ties a common name, an authority, a deploy target, and a schedule together and queues the issue job. A visual equivalent lives at Build > Certificate Job (Flow), a node-based builder for the same underlying job.

aethercert.com/dashboard/build/certificates
New certificate job
Domain
example.com
Certificate authority
Let's Encrypt
Common name
app.example.com
Private key type
EC-256
Deploy target · Linux / NGINX
Certificate path
/etc/ssl/certs/app.pem
Reload command
systemctl reload nginx
Create jobAuto-renew · 30 days before expiry
Build › Certificate Job — domain, authority, target, and renewal in one form.

Certificate section

SettingValuesWhat it does
Domain
optional
Pick a verified domain to enable DNS-01 and enter hostnames as just the subdomain label — the domain is appended automatically, so you can't produce a hostname DNS-01 can't cover. Leave empty for HTTP-01 or internal CAs.
Certificate authority
Which CA issues this certificate. On the Free plan only Let's Encrypt is selectable; internal domains require an Internal CA (REST).
Certificate template
internal_rest only
Shown when the selected CA is a paired connector. Chooses the AD CS template; leave as “Connector default” to use the one it was installed with. Inline hints warn about client-auth or subject-from-AD templates.
Common name
The primary hostname. With a domain selected, enter only the label (e.g. app) and the domain is appended.
Subject alternative names
0..n
Additional hostnames on the same certificate. Add or remove rows freely.

Target section

SettingValuesWhat it does
Target
Single agent · Agent group
Issue to one server, or fan out to every current member of a group. Agent groups require the Standard plan.
Agent / Agent group
Which agent (or group) receives the issue job. A group re-resolves to its current membership on every renewal.

Renewal section

SettingValuesWhat it does
Auto-renew
toggledefault on
When on, the control plane queues a renewal job automatically before expiry.
Renew this many days before expiry
daysdefault 30
How far ahead of not-after a renewal is triggered.
Private key type
EC-256 · EC-384 · RSA-2048 · RSA-4096default EC-256
Algorithm generated for each issuance (under Advanced options). Free plan is limited to EC-256; some AD CS templates enforce a minimum RSA size.

Build — Deploy target settings

The deploy target tells the agent what to do with the certificate once issued. Pick a Deploy target OS (Linux, Windows, Third-party) and then a preset. The fields below appear per preset. See Deploy targets for behavioural detail.

Linux — NGINX / Apache / Custom

All three write files and run a reload command; only the default reload command differs.

SettingValuesWhat it does
Certificate path
required
Where the leaf certificate (PEM) is written, e.g. /etc/ssl/certs/app.pem.
Key path
required
Where the private key (PEM) is written, e.g. /etc/ssl/private/app.key.
Chain path
optional
Where the issuer chain is written, if your server wants it separately.
Reload command
optional
Run after the files land. Pre-filled to systemctl reload nginx / apache2 for those presets; blank for Custom.
HTTP-01 webroot
optional
Set to serve HTTP-01 challenges from an existing web root (e.g. /var/www/html) instead of binding port 80. Skip when using DNS-01.

Windows — Certificate store / IIS

SettingValuesWhat it does
Store location
default LocalMachine
Certificate store location (LocalMachine or CurrentUser).
Store name
default My
Certificate store name to import into.
IIS site name
IIS preset only
The IIS site whose HTTPS binding is created/updated (e.g. Default Web Site).
IIS binding host / port
optional
Host header and port for the binding (port defaults to 443). IIS binding requires the Standard plan.
Allow private key export
toggledefault off
Whether Import-PfxCertificate marks the key exportable. Requires the Standard plan.

Windows — Exchange

SettingValuesWhat it does
Services to enable
IIS · SMTP · POP · IMAP
Which Exchange services the certificate is enabled for via Import-ExchangeCertificate. Assumes the agent runs on the Exchange server with the Management Shell present.
Allow private key export
toggledefault off
Marks the imported key exportable. Requires the Standard plan.

Windows — ADFS

SettingValuesWhat it does
Certificate usage
Service communications · Token signing · Token decryptingdefault Service communications
How the certificate is assigned in ADFS. Assumes the agent runs on the ADFS server with the ADFS PowerShell module present.
Allow private key export
toggledefault off
Marks the imported key exportable. Requires the Standard plan.

Third-party — Citrix NetScaler (Nitro API)

SettingValuesWhat it does
Management URL
required
The NetScaler/ADC management endpoint, e.g. https://ns.example.com. Works from an agent on either OS — it's a pure HTTPS call.
Username
required
Nitro API user.
Password
required
Stored encrypted in Supabase Vault, never returned to the browser. When editing, leave blank to keep the current one.
Cert key name
required
Name of the sslcertkey object created/updated on the appliance.
Allow self-signed TLS on the management API
toggledefault off
Skip TLS verification of the management endpoint. It uploads cert+key and creates/updates the sslcertkey but does not bind it to a vserver — do that in NetScaler.

Manage

The Manage screens are where the things a certificate job needs get created and edited.

Manage > Agents

Create an enrollment token (see Installing the agent) and manage enrolled agents. Editing an agent exposes:

SettingValuesWhat it does
Name
Display name for the agent.
Check-in interval
10–3600 secondsdefault 300
How often the agent checks in when idle. It still checks in sooner on its own whenever there's a queued job or an update. Leave empty for the default.
Group
none · a group
Assign the agent to an agent group (an agent belongs to at most one).
Revoke
action
Immediately stops the agent from authenticating. Irreversible from the agent's side — it must be re-enrolled.
Delete
action
Removes the agent record. Blocked if certificates still target it — reassign or delete those first.

Manage > Agent Groups

Create and rename groups. A certificate targeting a group issues one job per current member. See Agent groups.

SettingValuesWhat it does
Name
Group name. Requires the Standard plan to create or target.
Members
Managed from each agent's Group setting. Membership is re-evaluated on every renewal, so adding/removing an agent changes future rollouts automatically.

Manage > Domains

Add domains, verify ownership, and connect a DNS provider for DNS-01. See Domains & DNS-01.

SettingValuesWhat it does
Domain name
The apex or delegated domain you'll issue for.
Internal domain
toggledefault off
Marks a domain that isn't publicly resolvable. It skips DNS-TXT verification and requires an Internal CA (REST) — ACME challenges aren't available for internal-only names.
Ownership verification
TXT record
A one-time _aethercert-challenge TXT record proves control; verified with the Verify button.
DNS provider
Cloudflare · Route 53 · DigitalOcean · Hetzner
Connect provider credentials so DNS-01 challenges are solved automatically. Credentials are tested before saving and stored write-only in Supabase Vault.

DNS provider credential fields

Cloudflare: a scoped API token (Zone:DNS:Edit + Zone:Zone:Read). Route 53: access key ID, secret access key, region, and optional hosted zone ID. DigitalOcean / Hetzner: an API token with write scope. Full per-provider steps are in the DNS guides.

Manage > Certificate Authorities

Add the CAs certificates can be issued from. See Certificate authorities.

SettingValuesWhat it does
Name
Display name for the CA.
Type
ACME CA (public or internal) · Internal CA (REST)
ACME covers Let's Encrypt, other public CAs, and self-hosted ACME servers; Internal REST is for a generic signing endpoint or an AD CS connector.
Provider (ACME)
preset list
Pre-fills the directory URL and whether EAB is required for Google Trust Services, ZeroSSL, SSL.com, Actalis, Let's Encrypt staging, or a custom server.
ACME directory URL
The CA's ACME directory endpoint.
EAB key ID / HMAC key
required for most public CAs
External Account Binding credentials generated in the CA's own dashboard; needed before registration is accepted.
Internal REST: Base URL / Signing path / API key
Where CSRs are POSTed (default path /sign) and the bearer key to authenticate. Or tick “provision via a CA connector” to have these filled in on pairing.
Allow self-signed TLS
toggledefault off
Skip TLS verification when calling an internal REST CA over a self-signed endpoint.

Manage > CA Connectors

For an Internal CA (REST), the Connector panel mints a one-time pairing token for the Windows CA connector and shows its liveness and discovered templates once paired. The connector install is covered in Installing the agent.

Manage > Jobs

The full job history, with per-job and per-certificate actions:

SettingValuesWhat it does
Edit certificate
action
Opens the full edit dialog (all fields above). Saving reissues the certificate with the new configuration.
Cancel
queued jobs
Cancels a job that hasn't started yet.
Retry
failed jobs
Requeues a failed job (attempts reset). Jobs auto-retry up to 3 times before being marked failed.
Delete
action
Removes a job from the history.

Monitor — Event Log

Monitor > Event Log records every issuance, renewal, deploy, and administrative action with its outcome, searchable for incident review. Retention is 7 days on Free and 1 year on paid plans.

aethercert.com/dashboard/monitor
OKcertificate.issuedapp.example.com issued (EC-256, 90 days)2m ago
OKjob.succeededdeploy job succeeded on web-012m ago
OKcertificate.renewed*.internal.corp renewed via Corp Issuing CA1h ago
Retryjob.retry_scheduledvpn.example.com deploy failed, retrying (2/3)3h ago
Monitor › Event Log — every issuance, renewal, and deploy attempt, searchable.

Settings

Settings > Account

SettingValuesWhat it does
Display name
Your name as shown in the app.
Marketing consent
toggle
Opt in/out of product emails; the timestamp of your choice is recorded.
Export my data
action
Downloads your personal profile and organization memberships as JSON (GDPR Art. 20). Rate-limited to once per hour.
Delete account
action
Erases your account and any organization you solely own (GDPR Art. 17). Requires a completed second factor (MFA), and is blocked if it would strand other members or MSP customer workspaces — promote another owner first.

MFA is mandatory

Every session must complete a second factor. Sensitive, irreversible actions (deleting an account, accepting an org invite) re-check for a full MFA session server-side, not just in the browser.

Settings > Organization

SettingValuesWhat it does
Organization profile
owner only
Name, contact name, address, email, and phone. The plan is not editable here — it changes only through billing.
Active organization switcher
MSP owners switch between their own workspace and each customer workspace from the sidebar; the choice is remembered per session.

Settings > Organization > Billing

SettingValuesWhat it does
Plan
Free · Standard · MSP
Free (1 cert, 1 agent, Let's Encrypt only), Standard (unlimited, all CAs/targets/keys, agent groups), MSP (Standard for you plus customer workspaces). Owner only.
Customer slots
MSP only
Number of customer workspaces beyond the included 5, billed as an add-on per extra customer. Managed via Stripe checkout / billing portal.
Billing portal
action
Opens Stripe's customer portal to manage payment method, invoices, and cancellation.

Settings > Organization > Members

SettingValuesWhat it does
Invite by email
owner only
Sends a single-use invite link (also shown in-app as a fallback). Role is chosen at invite time.
Role
Owner · Member
Owners manage billing, members, customer orgs, and profile; members operate certificates and agents. The last owner can't be demoted or removed.
Remove member / revoke invite
action
Instantly removes access — no shared secret to rotate.

Plans gate settings, not screens

You can always see every control; plan-restricted ones are disabled with an upgrade hint rather than hidden, and the server enforces the same limits. The full matrix is on the pricing page.