Everything it takes to stop expiring certificates
aethercert covers the full certificate lifecycle: issuance, DNS validation, deployment to the systems that actually serve traffic, and the visibility to trust that it happened.
Automated issuance and renewal, on any authority.
aethercert speaks ACME, so it can issue and renew certificates from Let's Encrypt, Google Trust Services, ZeroSSL, SSL.com, Actalis, or any self-hosted internal CA — without anyone remembering to run a command before expiry.
- Renewal runs on a schedule you set (e.g. 30 days before expiry) — no manual trigger needed
- Supports EAB-based public CAs and blank-template internal ACME servers alike
- Every certificate's full history — serial number, fingerprint, validity window — is kept in one place
Real deploy targets, not just files.
A renewed certificate is only useful once it's actually installed. aethercert's agent deploys directly into the systems that serve traffic, on Windows, on Linux, and on the hardware load balancers in front of them.
- Windows: Certificate Store, IIS (with binding update), Exchange, and ADFS
- Linux: NGINX, Apache, or any custom file path with your own reload command
- Hardware load balancers / ADC appliances: uploads and updates the certificate via the vendor's management API
Agent groups for fleets.
Running the same certificate across a cluster of identical servers behind a load balancer shouldn't mean configuring it N times. Put agents in a group and target the group once.
- One certificate, one job definition, fanned out to every current group member
- Add or remove an agent from a group at any time — future renewals follow automatically
- Renew-now and scheduled renewals both respect current group membership
Domain verification and DNS-01 automation.
Wildcard certificates and firewalled internal hosts both need DNS-01 validation. aethercert verifies domain ownership once, then automates the DNS challenge for every certificate on that domain.
- Ownership verified via a one-time DNS TXT record
- DNS-01 automation for Cloudflare, AWS Route 53, DigitalOcean, and Hetzner DNS
- HTTP-01 validation available for domains that don't need a DNS integration
Key types and export control.
Not every deploy target wants the same key. Choose the algorithm per certificate, and decide whether Windows targets are allowed to re-export the private key later.
- EC-256 (default), EC-384, RSA-2048, or RSA-4096
- Optional exportable private key for Windows Certificate Store, Exchange, and ADFS targets
- Keys are generated fresh for every issuance — never reused across renewals
One dashboard for the whole fleet.
Every agent, domain, certificate authority, and certificate lives in a single dashboard — searchable, sortable by expiry, and filterable by agent.
- Certificate detail view: status, SANs, target, CA, key type, fingerprint, and full validity window
- Agents view shows connection health and which certificates each one serves
- Manage screens for domains, CAs, agents, and agent groups — all self-service
Owner and member roles, with invite-based access.
No shared logins, no passwords in a wiki. Every organization supports owner and member roles — invite a teammate by email and revoke access instantly the moment they leave, without rotating a shared secret.
- Owner and member roles per organization, managed from Settings
- Invite by email — each teammate gets their own login scoped to your organization
- MSP owners inherit access to every customer workspace they manage, under one login
A full audit trail, not a support ticket.
When a renewal fails or a deployment doesn't take effect, you need to know why — immediately, not after filing a ticket and waiting.
- Every issuance, renewal, and deployment attempt is logged with its outcome
- Failed jobs surface their error inline on the certificate, in plain language
- The event log is searchable, so incident review doesn't mean grepping server logs