Solutions · Public CAs & ACME

Every public certificate, issued and renewed for you.

aethercert speaks ACME natively, so any publicly-trusted authority with an ACME endpoint just works — Let's Encrypt with zero configuration, and Google Trust Services, ZeroSSL, SSL.com or Actalis a minute away. It issues, validates, deploys, and renews without anyone touching a command line.

01Zero config

Let's Encrypt, out of the box.

A Let's Encrypt authority is seeded on every account and pinned to the production directory — nothing to paste, nothing to register. Free, publicly-trusted, 90-day certificates whose short lifetime is exactly what automatic renewal is for.

  • No directory URL or account key to manage
  • Publicly trusted by every mainstream browser and OS
  • Staging directory available for dry runs with no rate limits
02Any ACME CA

Bring your preferred public CA.

Need a specific issuer for compliance, warranty, or organization validation? aethercert connects to any ACME-compatible CA. Public CAs that require an External Account Binding are supported with a key-ID + HMAC pair you generate in that CA's own console, and common providers ship as presets with their directory URL pre-filled.

  • EAB (External Account Binding) for Google Trust Services, ZeroSSL, SSL.com, Actalis
  • Directory-URL presets, or a custom URL for anything else
  • Production and staging endpoints per provider
03Validation

Domain validation, solved for you.

The agent proves control automatically — no challenge files copied by hand. DNS-01 works with the major DNS providers and is the path for wildcards and hosts that aren't reachable over HTTP; HTTP-01 covers the rest.

  • DNS-01 via Cloudflare, AWS Route 53, DigitalOcean, and Hetzner
  • Wildcard (*.example.com) certificates via DNS-01
  • HTTP-01 in webroot or standalone mode where DNS isn't wired up
04Renewal

Renewals that never lapse.

aethercert tracks every certificate's expiry and issues a renewal on the schedule you set — by default 30 days out. A fresh private key is generated for each issuance, and the full record (serial, fingerprint, validity window) is kept for you.

  • Configurable renew-before window, per certificate
  • A new key on every issuance — never reused, never uploaded
  • Every attempt logged to a searchable event log

Supported public authorities

Anything that speaks ACME works. These ship as presets — the rest just needs a directory URL.

Let's Encrypt

Seeded by default · no EAB

Let's Encrypt (staging)

Untrusted test certs · no EAB

Google Trust Services

EAB from Google Cloud Console

ZeroSSL

EAB from the ZeroSSL dashboard

SSL.com (RSA & ECC)

EAB from the SSL.com account

Actalis

EAB issued by Actalis

Any self-hosted ACME server

Custom directory URL · EAB optional

Step-by-step guides: Google Trust Services, ZeroSSL, SSL.com, Actalis.

Then deployed

A public certificate that lands where it's served.

Obtaining the certificate is only half the job. The same agent installs it into the system that serves traffic — NGINX or Apache with a reload, the Windows Certificate Store and IIS, Exchange, ADFS, or a Citrix NetScaler load balancer via its API — so a renewal actually takes effect without a person in the loop. See deploy targets.

Start with one certificate, free.

No credit card. Issue a Let's Encrypt certificate today; add another CA when you need it.