Domains & DNS-01

Every domain is verified once, before it can be attached to any certificate. DNS-01 is one of two ways aethercert proves control of a hostname to a certificate authority - the other is HTTP-01, which needs no DNS provider at all but can't issue wildcard certificates.

Verifying a domain

Add the domain under Build > Domains. You'll get a DNS TXT record to create at your registrar or DNS host. Once it's published, verification is a single check - no waiting period beyond normal DNS propagation.

Connecting a DNS provider (optional)

If a domain only ever needs HTTP-01 certificates, you can stop after verification. Connect a DNS provider when you need wildcard certificates, or the certificate covers a hostname that isn't (yet) publicly reachable over HTTP - DNS-01 doesn't require that.

  • Cloudflare - A scoped API token (My Profile > API Tokens > Custom token) with Zone:DNS:Edit and Zone:Zone:Read on the target zone. Both are required - Zone:Read looks up the zone ID before DNS:Edit can create the TXT record.
  • AWS Route 53 - An IAM user or role scoped to route53:ChangeResourceRecordSets on the hosted zone.
  • DigitalOcean - A Personal Access Token with write scope (API > Tokens).
  • Hetzner DNS - An API token from the Hetzner DNS Console (API Tokens).

Full walkthroughs: Cloudflare, Route 53, DigitalOcean, Hetzner DNS.

Credential storage

DNS provider credentials are write-only from the dashboard's point of view: once saved, they're never echoed back to the browser again, only used server-side (and by the agent, over an authenticated connection) to create the TXT records ACME challenges require.