Solutions · Internal & private CA

Your own CA, automated the same way.

Not every certificate should come from a public authority. aethercert brings the same hands-off issuance and renewal to your private PKI — a self-hosted ACME server, a REST signing endpoint, or Active Directory Certificate Services through a lightweight connector — without your CA ever touching the public internet.

Your internal network

aethercert agent

web-01

CA connector

adcs-01

AD CS

your private CA

CSR signing is direct, agent → connector → CA. It never leaves your network.

liveness & discovered templates only — never CSRs or keys

aethercert control plane

schedules & tracks

Two ways to connect a private CA

Point aethercert at any ACME-speaking internal CA (step-ca, EJBCA, smallstep, your own Boulder) as an internal ACME authority, or at a plain HTTP sign/revoke endpoint as an internal REST authority. Either way, issuance and renewal are automated exactly like a public CA.

A connector purpose-built for AD CS

For Active Directory Certificate Services, install the CA connector on the CA host. It discovers your certificate templates, signs CSRs with certreq/certutil against the CA on that machine, and answers your fleet agents directly — no ACME shim, no re-platforming your PKI.

Template-aware issuance

Pick the AD CS template per certificate. The dashboard surfaces the templates the connector discovered, and warns inline when a template is for client authentication, builds its subject from Active Directory, or enforces a minimum key size.

Trust model

Built so private stays private.

The signing path is entirely between your fleet agents and the connector, over whatever network you put them on. The control plane is never in that path — it never sees a CSR, a certificate, or a private key. Two separate secrets keep the boundaries clean:

  • An agent-facing API key that fleet agents present to the connector's own sign/revoke endpoints — never seen by the control plane after pairing.
  • A connector check-in secret the connector uses to report only its liveness and discovered template list back to aethercert — never certificate material.
Internal domains skip public DNS-TXT validation entirely — issue for names that never resolve on the public internet
The CA connector opens its own firewall rule and runs under a service account with Enroll + Issue-and-Manage rights
Bring your own TLS for the connector's listener from your internal PKI, or let it self-sign — agents authenticate every request regardless
Private and public certificates share one dashboard, one renewal schedule, and one searchable event log

Full setup: Certificate authorities, Installing the CA connector, Connect an internal/private CA.

Automate your PKI, keep your CA private.

Standard-plan and up. Pair a connector, point a certificate at it, and let renewals run themselves.