Every public certificate, issued and renewed for you.
aethercert speaks ACME natively, so any publicly-trusted authority with an ACME endpoint just works — Let's Encrypt with zero configuration, and Google Trust Services, ZeroSSL, SSL.com or Actalis a minute away. It issues, validates, deploys, and renews without anyone touching a command line.
aethercert
control plane
Let's Encrypt
ACME authority
web-01
aethercert agent
app.example.com
nginx :443
Job dispatched to the agent
issue app.example.comLet's Encrypt, out of the box.
A Let's Encrypt authority is seeded on every account and pinned to the production directory — nothing to paste, nothing to register. Free, publicly-trusted, 90-day certificates whose short lifetime is exactly what automatic renewal is for.
- No directory URL or account key to manage
- Publicly trusted by every mainstream browser and OS
- Staging directory available for dry runs with no rate limits
Bring your preferred public CA.
Need a specific issuer for compliance, warranty, or organization validation? aethercert connects to any ACME-compatible CA. Public CAs that require an External Account Binding are supported with a key-ID + HMAC pair you generate in that CA's own console, and common providers ship as presets with their directory URL pre-filled.
- EAB (External Account Binding) for Google Trust Services, ZeroSSL, SSL.com, Actalis
- Directory-URL presets, or a custom URL for anything else
- Production and staging endpoints per provider
Domain validation, solved for you.
The agent proves control automatically — no challenge files copied by hand. DNS-01 works with the major DNS providers and is the path for wildcards and hosts that aren't reachable over HTTP; HTTP-01 covers the rest.
- DNS-01 via Cloudflare, AWS Route 53, DigitalOcean, and Hetzner
- Wildcard (*.example.com) certificates via DNS-01
- HTTP-01 in webroot or standalone mode where DNS isn't wired up
Renewals that never lapse.
aethercert tracks every certificate's expiry and issues a renewal on the schedule you set — by default 30 days out. A fresh private key is generated for each issuance, and the full record (serial, fingerprint, validity window) is kept for you.
- Configurable renew-before window, per certificate
- A new key on every issuance — never reused, never uploaded
- Every attempt logged to a searchable event log
Supported public authorities
Anything that speaks ACME works. These ship as presets — the rest just needs a directory URL.
Let's Encrypt
Seeded by default · no EAB
Let's Encrypt (staging)
Untrusted test certs · no EAB
Google Trust Services
EAB from Google Cloud Console
ZeroSSL
EAB from the ZeroSSL dashboard
SSL.com (RSA & ECC)
EAB from the SSL.com account
Actalis
EAB issued by Actalis
Any self-hosted ACME server
Custom directory URL · EAB optional
Step-by-step guides: Google Trust Services, ZeroSSL, SSL.com, Actalis.
A public certificate that lands where it's served.
Obtaining the certificate is only half the job. The same agent installs it into the system that serves traffic — NGINX or Apache with a reload, the Windows Certificate Store and IIS, Exchange, ADFS, or a Citrix NetScaler load balancer via its API — so a renewal actually takes effect without a person in the loop. See deploy targets.
Start with one certificate, free.
No credit card. Issue a Let's Encrypt certificate today; add another CA when you need it.