Certificate authorities

A certificate authority (CA) entry tells aethercert where to request certificates from. Add one under Manage > Certificate Authorities, then pick it when creating a certificate.

Public ACME CAs

  • Let's Encrypt - Seeded on every account automatically - no directory URL or EAB key needed. Use its staging directory while testing to avoid production rate limits.
  • Google Trust Services - Requires an External Account Binding (EAB) key pair from Google Cloud Console > Certificate Manager > Public CA. Supports wildcards and up to 100 SANs per certificate.
  • ZeroSSL - Requires an EAB key pair from the ZeroSSL dashboard (Developer > ACME). Free tier caps at 100 certificates per account.
  • SSL.com - Requires an EAB key pair from the SSL.com account dashboard. RSA and ECC endpoints are separate CAs.
  • Actalis - Requires an EAB key pair issued by Actalis. Free certificates are limited to a single domain plus its www variant.

"Requires EAB" means the CA won't let an account register without an External Account Binding key ID and HMAC key, generated from that CA's own dashboard - aethercert can't generate these for you, since they're proof that you control an account there. Step-by-step walkthroughs: Google Trust Services, ZeroSSL, SSL.com, Actalis.

Internal / self-hosted ACME

Choose the Custom preset and point it at your own ACME-speaking CA's directory URL - step-ca, an internal PKI product, or anything else that implements the ACME protocol. Add an EAB key pair only if your internal CA requires one; most private CAs don't. See Connect an internal or private CA for the full walkthrough, including the REST-based option.

Choosing a CA per certificate

Public, publicly-trusted certificates (anything a browser or external client needs to trust) should use Let's Encrypt or another public CA. Certificates for internal-only services - where every client already trusts your private root - are a better fit for an internal CA, since they avoid public CA rate limits and CT-log exposure entirely.