Connect an internal or private CA
Use this for certificates that only need to be trusted inside your own organization - internal services, admin panels, service-to-service traffic - where a publicly-trusted certificate would be overkill and a private CA avoids public rate limits and certificate transparency logs entirely. aethercert supports two shapes of internal CA: one that speaks ACME, and one that exposes a simple signing REST endpoint.
Option A: your CA speaks ACME
If you run step-ca, an internal PKI product, or anything else that implements the ACME protocol, this is the simpler path.
- Go to Manage > Certificate Authorities and click Add certificate authority.
- Set Type to ACME CA (public or internal).
- Set Provider to Custom / self-hosted ACME server.
- Enter your CA's ACME directory URL, e.g.
https://ca.internal.example/acme/directory. - Fill in EAB key ID / EAB HMAC key only if your internal CA requires External Account Binding - most private CAs don't.
- Name it and save.
Option B: your CA exposes a signing REST API
For a CA that doesn't speak ACME but has a simple HTTP endpoint that accepts a CSR and returns a signed certificate:
- Go to Manage > Certificate Authorities and click Add certificate authority.
- Set Type to Internal CA (REST).
- Enter the Base URL (e.g.
https://ca.internal.example) and the Signing path (defaults to/sign). - Enter an API key if your endpoint requires one.
- Check Allow self-signed TLS on this CA only if the endpoint itself is served with a certificate your browser wouldn't trust either - leave it unchecked otherwise.
- Name it and save.
Using it
Either way, the CA then appears in the Certificate authority dropdown under Build > Certificate Jobs. If you also select a domain there, note that domain selection has no effect for Internal CA (REST) entries - that CA type doesn't use ACME challenges at all, so DNS-01/ HTTP-01 don't apply.