Connect an internal or private CA

Use this for certificates that only need to be trusted inside your own organization - internal services, admin panels, service-to-service traffic - where a publicly-trusted certificate would be overkill and a private CA avoids public rate limits and certificate transparency logs entirely. aethercert supports two shapes of internal CA: one that speaks ACME, and one that exposes a simple signing REST endpoint.

Option A: your CA speaks ACME

If you run step-ca, an internal PKI product, or anything else that implements the ACME protocol, this is the simpler path.

  1. Go to Manage > Certificate Authorities and click Add certificate authority.
  2. Set Type to ACME CA (public or internal).
  3. Set Provider to Custom / self-hosted ACME server.
  4. Enter your CA's ACME directory URL, e.g. https://ca.internal.example/acme/directory.
  5. Fill in EAB key ID / EAB HMAC key only if your internal CA requires External Account Binding - most private CAs don't.
  6. Name it and save.

Option B: your CA exposes a signing REST API

For a CA that doesn't speak ACME but has a simple HTTP endpoint that accepts a CSR and returns a signed certificate:

  1. Go to Manage > Certificate Authorities and click Add certificate authority.
  2. Set Type to Internal CA (REST).
  3. Enter the Base URL (e.g. https://ca.internal.example) and the Signing path (defaults to /sign).
  4. Enter an API key if your endpoint requires one.
  5. Check Allow self-signed TLS on this CA only if the endpoint itself is served with a certificate your browser wouldn't trust either - leave it unchecked otherwise.
  6. Name it and save.

Using it

Either way, the CA then appears in the Certificate authority dropdown under Build > Certificate Jobs. If you also select a domain there, note that domain selection has no effect for Internal CA (REST) entries - that CA type doesn't use ACME challenges at all, so DNS-01/ HTTP-01 don't apply.