Your own CA, automated the same way.
Not every certificate should come from a public authority. aethercert brings the same hands-off issuance and renewal to your private PKI — a self-hosted ACME server, a REST signing endpoint, or Active Directory Certificate Services through a lightweight connector — without your CA ever touching the public internet.
Your internal network
aethercert agent
web-01
CA connector
adcs-01
AD CS
your private CA
CSR signing is direct, agent → connector → CA. It never leaves your network.
aethercert control plane
schedules & tracks
Two ways to connect a private CA
Point aethercert at any ACME-speaking internal CA (step-ca, EJBCA, smallstep, your own Boulder) as an internal ACME authority, or at a plain HTTP sign/revoke endpoint as an internal REST authority. Either way, issuance and renewal are automated exactly like a public CA.
A connector purpose-built for AD CS
For Active Directory Certificate Services, install the CA connector on the CA host. It discovers your certificate templates, signs CSRs with certreq/certutil against the CA on that machine, and answers your fleet agents directly — no ACME shim, no re-platforming your PKI.
Template-aware issuance
Pick the AD CS template per certificate. The dashboard surfaces the templates the connector discovered, and warns inline when a template is for client authentication, builds its subject from Active Directory, or enforces a minimum key size.
Built so private stays private.
The signing path is entirely between your fleet agents and the connector, over whatever network you put them on. The control plane is never in that path — it never sees a CSR, a certificate, or a private key. Two separate secrets keep the boundaries clean:
- An agent-facing API key that fleet agents present to the connector's own sign/revoke endpoints — never seen by the control plane after pairing.
- A connector check-in secret the connector uses to report only its liveness and discovered template list back to aethercert — never certificate material.
Full setup: Certificate authorities, Installing the CA connector, Connect an internal/private CA.
Automate your PKI, keep your CA private.
Standard-plan and up. Pair a connector, point a certificate at it, and let renewals run themselves.