Dashboard reference
This page documents every screen in the dashboard and every setting on it. The left sidebar in the app groups screens into View, Build, Manage, Monitor, and Settings — this reference follows the same order. Availability of some settings depends on your plan; those are flagged inline.
View
The read-only overview of your fleet. View > Certificates lists every certificate sorted by expiry; clicking one opens a detail sheet. View > Agents lists connection health.
Certificate detail sheet
Opening a certificate shows its full record and per-certificate actions:
| Setting | Values | What it does |
|---|---|---|
| Status | Issued · Deployed · Renewing · Failed · Revoked | Where the certificate is in its lifecycle. A failed job surfaces its error inline, in plain language. |
| Common name & SANs | The identities the certificate covers. | |
| Authority / Target / Key type | Which CA issued it, which agent or group serves it, and the private-key algorithm. | |
| Serial · Fingerprint · Validity | The issued certificate's serial number, SHA-256 fingerprint, and not-before/not-after window — reported by the agent, never the key itself. | |
| Renew now | action | Queues an immediate renewal job for the certificate's current target. |
| Revoke | action | Queues a revoke job that calls the CA's real revoke operation (ACME or internal REST), not just a local status flip. |
| Edit | action | Opens the edit dialog; saving reissues with the new configuration (see Manage › Jobs). |
Build — the Certificate Job
Build > Certificate Job is the main form: it ties a common name, an authority, a deploy target, and a schedule together and queues the issue job. A visual equivalent lives at Build > Certificate Job (Flow), a node-based builder for the same underlying job.
Certificate section
| Setting | Values | What it does |
|---|---|---|
| Domain | optional | Pick a verified domain to enable DNS-01 and enter hostnames as just the subdomain label — the domain is appended automatically, so you can't produce a hostname DNS-01 can't cover. Leave empty for HTTP-01 or internal CAs. |
| Certificate authority | Which CA issues this certificate. On the Free plan only Let's Encrypt is selectable; internal domains require an Internal CA (REST). | |
| Certificate template | internal_rest only | Shown when the selected CA is a paired connector. Chooses the AD CS template; leave as “Connector default” to use the one it was installed with. Inline hints warn about client-auth or subject-from-AD templates. |
| Common name | The primary hostname. With a domain selected, enter only the label (e.g. app) and the domain is appended. | |
| Subject alternative names | 0..n | Additional hostnames on the same certificate. Add or remove rows freely. |
Target section
| Setting | Values | What it does |
|---|---|---|
| Target | Single agent · Agent group | Issue to one server, or fan out to every current member of a group. Agent groups require the Standard plan. |
| Agent / Agent group | Which agent (or group) receives the issue job. A group re-resolves to its current membership on every renewal. |
Renewal section
| Setting | Values | What it does |
|---|---|---|
| Auto-renew | toggledefault on | When on, the control plane queues a renewal job automatically before expiry. |
| Renew this many days before expiry | daysdefault 30 | How far ahead of not-after a renewal is triggered. |
| Private key type | EC-256 · EC-384 · RSA-2048 · RSA-4096default EC-256 | Algorithm generated for each issuance (under Advanced options). Free plan is limited to EC-256; some AD CS templates enforce a minimum RSA size. |
Build — Deploy target settings
The deploy target tells the agent what to do with the certificate once issued. Pick a Deploy target OS (Linux, Windows, Third-party) and then a preset. The fields below appear per preset. See Deploy targets for behavioural detail.
Linux — NGINX / Apache / Custom
All three write files and run a reload command; only the default reload command differs.
| Setting | Values | What it does |
|---|---|---|
| Certificate path | required | Where the leaf certificate (PEM) is written, e.g. /etc/ssl/certs/app.pem. |
| Key path | required | Where the private key (PEM) is written, e.g. /etc/ssl/private/app.key. |
| Chain path | optional | Where the issuer chain is written, if your server wants it separately. |
| Reload command | optional | Run after the files land. Pre-filled to systemctl reload nginx / apache2 for those presets; blank for Custom. |
| HTTP-01 webroot | optional | Set to serve HTTP-01 challenges from an existing web root (e.g. /var/www/html) instead of binding port 80. Skip when using DNS-01. |
Windows — Certificate store / IIS
| Setting | Values | What it does |
|---|---|---|
| Store location | default LocalMachine | Certificate store location (LocalMachine or CurrentUser). |
| Store name | default My | Certificate store name to import into. |
| IIS site name | IIS preset only | The IIS site whose HTTPS binding is created/updated (e.g. Default Web Site). |
| IIS binding host / port | optional | Host header and port for the binding (port defaults to 443). IIS binding requires the Standard plan. |
| Allow private key export | toggledefault off | Whether Import-PfxCertificate marks the key exportable. Requires the Standard plan. |
Windows — Exchange
| Setting | Values | What it does |
|---|---|---|
| Services to enable | IIS · SMTP · POP · IMAP | Which Exchange services the certificate is enabled for via Import-ExchangeCertificate. Assumes the agent runs on the Exchange server with the Management Shell present. |
| Allow private key export | toggledefault off | Marks the imported key exportable. Requires the Standard plan. |
Windows — ADFS
| Setting | Values | What it does |
|---|---|---|
| Certificate usage | Service communications · Token signing · Token decryptingdefault Service communications | How the certificate is assigned in ADFS. Assumes the agent runs on the ADFS server with the ADFS PowerShell module present. |
| Allow private key export | toggledefault off | Marks the imported key exportable. Requires the Standard plan. |
Third-party — Citrix NetScaler (Nitro API)
| Setting | Values | What it does |
|---|---|---|
| Management URL | required | The NetScaler/ADC management endpoint, e.g. https://ns.example.com. Works from an agent on either OS — it's a pure HTTPS call. |
| Username | required | Nitro API user. |
| Password | required | Stored encrypted in Supabase Vault, never returned to the browser. When editing, leave blank to keep the current one. |
| Cert key name | required | Name of the sslcertkey object created/updated on the appliance. |
| Allow self-signed TLS on the management API | toggledefault off | Skip TLS verification of the management endpoint. It uploads cert+key and creates/updates the sslcertkey but does not bind it to a vserver — do that in NetScaler. |
Manage
The Manage screens are where the things a certificate job needs get created and edited.
Manage > Agents
Create an enrollment token (see Installing the agent) and manage enrolled agents. Editing an agent exposes:
| Setting | Values | What it does |
|---|---|---|
| Name | Display name for the agent. | |
| Check-in interval | 10–3600 secondsdefault 300 | How often the agent checks in when idle. It still checks in sooner on its own whenever there's a queued job or an update. Leave empty for the default. |
| Group | none · a group | Assign the agent to an agent group (an agent belongs to at most one). |
| Revoke | action | Immediately stops the agent from authenticating. Irreversible from the agent's side — it must be re-enrolled. |
| Delete | action | Removes the agent record. Blocked if certificates still target it — reassign or delete those first. |
Manage > Agent Groups
Create and rename groups. A certificate targeting a group issues one job per current member. See Agent groups.
| Setting | Values | What it does |
|---|---|---|
| Name | Group name. Requires the Standard plan to create or target. | |
| Members | Managed from each agent's Group setting. Membership is re-evaluated on every renewal, so adding/removing an agent changes future rollouts automatically. |
Manage > Domains
Add domains, verify ownership, and connect a DNS provider for DNS-01. See Domains & DNS-01.
| Setting | Values | What it does |
|---|---|---|
| Domain name | The apex or delegated domain you'll issue for. | |
| Internal domain | toggledefault off | Marks a domain that isn't publicly resolvable. It skips DNS-TXT verification and requires an Internal CA (REST) — ACME challenges aren't available for internal-only names. |
| Ownership verification | TXT record | A one-time _aethercert-challenge TXT record proves control; verified with the Verify button. |
| DNS provider | Cloudflare · Route 53 · DigitalOcean · Hetzner | Connect provider credentials so DNS-01 challenges are solved automatically. Credentials are tested before saving and stored write-only in Supabase Vault. |
DNS provider credential fields
Manage > Certificate Authorities
Add the CAs certificates can be issued from. See Certificate authorities.
| Setting | Values | What it does |
|---|---|---|
| Name | Display name for the CA. | |
| Type | ACME CA (public or internal) · Internal CA (REST) | ACME covers Let's Encrypt, other public CAs, and self-hosted ACME servers; Internal REST is for a generic signing endpoint or an AD CS connector. |
| Provider (ACME) | preset list | Pre-fills the directory URL and whether EAB is required for Google Trust Services, ZeroSSL, SSL.com, Actalis, Let's Encrypt staging, or a custom server. |
| ACME directory URL | The CA's ACME directory endpoint. | |
| EAB key ID / HMAC key | required for most public CAs | External Account Binding credentials generated in the CA's own dashboard; needed before registration is accepted. |
| Internal REST: Base URL / Signing path / API key | Where CSRs are POSTed (default path /sign) and the bearer key to authenticate. Or tick “provision via a CA connector” to have these filled in on pairing. | |
| Allow self-signed TLS | toggledefault off | Skip TLS verification when calling an internal REST CA over a self-signed endpoint. |
Manage > CA Connectors
For an Internal CA (REST), the Connector panel mints a one-time pairing token for the Windows CA connector and shows its liveness and discovered templates once paired. The connector install is covered in Installing the agent.
Manage > Jobs
The full job history, with per-job and per-certificate actions:
| Setting | Values | What it does |
|---|---|---|
| Edit certificate | action | Opens the full edit dialog (all fields above). Saving reissues the certificate with the new configuration. |
| Cancel | queued jobs | Cancels a job that hasn't started yet. |
| Retry | failed jobs | Requeues a failed job (attempts reset). Jobs auto-retry up to 3 times before being marked failed. |
| Delete | action | Removes a job from the history. |
Monitor — Event Log
Monitor > Event Log records every issuance, renewal, deploy, and administrative action with its outcome, searchable for incident review. Retention is 7 days on Free and 1 year on paid plans.
certificate.issuedapp.example.com issued (EC-256, 90 days)2m agojob.succeededdeploy job succeeded on web-012m agocertificate.renewed*.internal.corp renewed via Corp Issuing CA1h agojob.retry_scheduledvpn.example.com deploy failed, retrying (2/3)3h agoSettings
Settings > Account
| Setting | Values | What it does |
|---|---|---|
| Display name | Your name as shown in the app. | |
| Marketing consent | toggle | Opt in/out of product emails; the timestamp of your choice is recorded. |
| Export my data | action | Downloads your personal profile and organization memberships as JSON (GDPR Art. 20). Rate-limited to once per hour. |
| Delete account | action | Erases your account and any organization you solely own (GDPR Art. 17). Requires a completed second factor (MFA), and is blocked if it would strand other members or MSP customer workspaces — promote another owner first. |
MFA is mandatory
Settings > Organization
| Setting | Values | What it does |
|---|---|---|
| Organization profile | owner only | Name, contact name, address, email, and phone. The plan is not editable here — it changes only through billing. |
| Active organization switcher | MSP owners switch between their own workspace and each customer workspace from the sidebar; the choice is remembered per session. |
Settings > Organization > Billing
| Setting | Values | What it does |
|---|---|---|
| Plan | Free · Standard · MSP | Free (1 cert, 1 agent, Let's Encrypt only), Standard (unlimited, all CAs/targets/keys, agent groups), MSP (Standard for you plus customer workspaces). Owner only. |
| Customer slots | MSP only | Number of customer workspaces beyond the included 5, billed as an add-on per extra customer. Managed via Stripe checkout / billing portal. |
| Billing portal | action | Opens Stripe's customer portal to manage payment method, invoices, and cancellation. |
Settings > Organization > Members
| Setting | Values | What it does |
|---|---|---|
| Invite by email | owner only | Sends a single-use invite link (also shown in-app as a fallback). Role is chosen at invite time. |
| Role | Owner · Member | Owners manage billing, members, customer orgs, and profile; members operate certificates and agents. The last owner can't be demoted or removed. |
| Remove member / revoke invite | action | Instantly removes access — no shared secret to rotate. |
Plans gate settings, not screens