Certificates

Certificate Wizard

Click New certificate to start the wizard. It guides you through five steps. Most certificates can be created by accepting the defaults and only specifying the domain name.

Step 1: Choose source (CA)

Choose which Certificate Authority (CA) should issue the certificate.

  • sslbrain ACME Cloud: Default. sslbrain Cloud acts as an ACME server and selects the best CA automatically. Supports DNS-01 validation without you having to configure a DNS API.
  • Let's Encrypt: Direct connection to Let's Encrypt. Free DV certificates with 90-day lifetime.
  • Google Trust Services: Google's free ACME CA. Alternative to Let's Encrypt with 90-day certificates.
  • Custom ACME: Specify any ACME server URL. Used for internal CAs (e.g. Smallstep, ADCS with ACME) or other public CAs.

Tip: For most users, sslbrain ACME Cloud is the right choice: it handles DNS validation automatically and works with all domains.

Step 2: Choose domain

Specify the domain name the certificate should cover.

  • Single domain: e.g. www.example.com. Covers exactly that one hostname.
  • Wildcard: e.g. *.example.com. Covers all subdomains one level down (e.g. www.example.com, mail.example.com, app.example.com, but not sub.sub.example.com and not example.com itself).
  • Multiple domains (SAN): add extra domains with the + Add domain button. All domains end up on the same certificate.

If the server has already been added and sslbrain has run a scan, the discovered domains are shown as suggestions. Click a suggestion to select it.

Step 3: Choose validation

The validation method determines how the CA confirms that you own the domain.

Auto-DNS (recommended)

sslbrain creates and removes DNS records automatically via sslbrain Cloud. You only need to set up a CNAME delegation once (see the Auto-DNS section below). Works with all domains and supports wildcard.

HTTP-01

sslbrain places a file on the web server that the CA retrieves via HTTP. Requires port 80 to be open and the web server to respond on the domain. Does not work with wildcard certificates.

DNS-01 (manual)

sslbrain shows the TXT record you need to create in your DNS. You create the record manually and click Confirm. Only used if Auto-DNS is not possible and HTTP-01 is not an option.

Tip: For most users, Auto-DNS is the right choice. It requires a one-time setup per domain, but after that everything is automatic, including renewals.

Community licence: Community users can only use Auto-DNS via sslbrain Cloud. HTTP-01, DNS API and TLS-ALPN require a paid licence. Validation failures can rate-limit ACME accounts and affect other users. Community users can still connect directly to Let's Encrypt or other CAs outside sslbrain Cloud.

Step 4: Installation

sslbrain fetches the certificate via its internal ACME client and installs it on the server over SSH, WinRM or API. Servers and appliances do not need to talk to a CA themselves.

Step 5: Choose endpoints

Select which services the certificate should be installed on. sslbrain shows the services that were found during scanning.

Example: you create a certificate for mail.example.com and see these services on your Exchange server:

  • Exchange OWA (port 443)
  • Exchange SMTP (port 25/587)
  • Exchange IMAP (port 993)
  • RDP (port 3389)

Select the services that should use the certificate. You can always add or remove endpoints later.

Click Issue to start the process. sslbrain validates the domain, fetches the certificate and installs it on the selected endpoints.


Auto-DNS

Auto-DNS is sslbrain's automatic DNS validation. You delegate DNS validation for your domain to sslbrain Cloud by creating a CNAME record. After that, sslbrain handles everything itself, at issuance and at every renewal.

Setup (once per domain)

  1. Go to Domains and click on your domain (or add it)
  2. sslbrain shows the CNAME record you need to create:
DNS
_acme-challenge.example.com  CNAME  example.com.acme.sslbrain.cloud.
  3. Create the CNAME record at your DNS provider
  4. Click Confirm delegation: sslbrain checks that the record is set up correctly

Once the delegation is in place, sslbrain can create and delete the TXT records that the CA requires during validation. You don't need to give sslbrain access to your DNS zone, only the one CNAME record.

Wildcard and SAN

Auto-DNS supports both wildcard and SAN certificates. Each domain on the certificate must have its own CNAME delegation. For a wildcard certificate for *.example.com, it is the same CNAME as for example.com:

DNS
_acme-challenge.example.com  CNAME  example.com.acme.sslbrain.cloud.

For a SAN certificate with www.example.com and api.example.com, both domains need a delegation:

DNS
_acme-challenge.www.example.com  CNAME  www.example.com.acme.sslbrain.cloud.
_acme-challenge.api.example.com  CNAME  api.example.com.acme.sslbrain.cloud.
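The delegation rules from the setup steps and the wildcard/SAN section above, as an added example that is not sslbrain's own code: it derives the CNAME record each certificate name needs (a wildcard and its apex share one delegation) and checks a zone for them before you click Confirm delegation. The target suffix acme.sslbrain.cloud. comes from the records shown above; the zone contents are constructed sample data.

```python
# Added example, not part of sslbrain. Derive the Auto-DNS CNAME delegations
# for a set of certificate names and compare them against a DNS zone snapshot.
DELEGATION_SUFFIX = "acme.sslbrain.cloud."   # target suffix shown in the docs


def delegation_name(domain: str) -> str:
    """Normalise a certificate name; '*.example.com' delegates like 'example.com'."""
    name = domain.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def expected_delegations(domains):
    """Map each certificate name to the CNAME owner -> target that Auto-DNS needs."""
    records = {}
    for d in domains:
        base = delegation_name(d)
        records[f"_acme-challenge.{base}."] = f"{base}.{DELEGATION_SUFFIX}"
    return records


def check_delegations(domains, zone):
    """Check a zone given as {owner: (rtype, target)} against the required CNAMEs.

    Returns (owner, status) pairs; status is 'ok', 'missing', 'wrong-type' or
    'wrong-target'. Anything but 'ok' means DNS-01 validation will fail later.
    """
    results = []
    for owner, target in expected_delegations(domains).items():
        rec = zone.get(owner)
        if rec is None:
            results.append((owner, "missing"))
        elif rec[0].upper() != "CNAME":
            results.append((owner, "wrong-type"))
        elif rec[1].lower().rstrip(".") != target.rstrip("."):
            results.append((owner, "wrong-target"))
        else:
            results.append((owner, "ok"))
    return results


# Constructed zone snapshot: apex delegation correct, www pointing at a stale
# validator, api not delegated at all.
SAMPLE_ZONE = {
    "_acme-challenge.example.com.": ("CNAME", "example.com.acme.sslbrain.cloud."),
    "_acme-challenge.www.example.com.": ("CNAME", "old-validator.example.net."),
}

if __name__ == "__main__":
    names = ["*.example.com", "example.com", "www.example.com", "api.example.com"]
    for owner, status in check_delegations(names, SAMPLE_ZONE):
        print(f"{owner:40} {status}")
```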

Wildcard Certificates

A wildcard certificate covers all subdomains one level below a domain. *.example.com covers www.example.com, mail.example.com, app.example.com and all other subdomains, but not example.com itself and not sub.sub.example.com.

If you also need to cover example.com itself (the apex domain), add it as an extra SAN name in step 2 of the wizard.

Important: Wildcard certificates require DNS-01 validation. HTTP-01 cannot be used for wildcards. With Auto-DNS, this is handled automatically.
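The coverage rule above, as an added example that is not sslbrain's code: a wildcard name stands for exactly one label, so *.example.com covers www.example.com but neither the apex nor sub.sub.example.com. The inventory of hostnames in the demo is constructed.

```python
# Added example, not part of sslbrain: wildcard coverage as described above.
def _norm(name: str) -> str:
    return name.strip().lower().rstrip(".")


def name_covers(cert_name: str, host: str) -> bool:
    """True if one certificate name (plain or wildcard) covers host."""
    cert_name, host = _norm(cert_name), _norm(host)
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]                 # ".example.com"
    if not host.endswith(suffix):
        return False                       # also rejects "notexample.com"
    left = host[: -len(suffix)]            # what the '*' would have to stand for
    # Exactly one non-empty label: "" (apex) and "a.b" (two levels) both fail.
    return left != "" and "." not in left


def certificate_covers(san_names, host: str) -> bool:
    """True if any SAN entry on the certificate covers host."""
    return any(name_covers(n, host) for n in san_names)


def uncovered_hosts(san_names, hosts):
    """Hostnames that would still need another SAN entry or certificate."""
    return [h for h in hosts if not certificate_covers(san_names, h)]


if __name__ == "__main__":
    # Constructed inventory: a wildcard cert with the apex added as an extra SAN.
    cert = ["*.example.com", "example.com"]
    wanted = ["www.example.com", "mail.example.com", "example.com",
              "sub.sub.example.com", "example.org"]
    print("Still uncovered:", uncovered_hosts(cert, wanted))
```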

When wildcard makes sense

  • You have many subdomains that change frequently
  • You want to avoid creating a new certificate for each subdomain
  • You have services that dynamically create subdomains (e.g. customer portals, staging environments)

When single-domain is better

  • You have few, fixed domains; one certificate per domain is simpler to manage
  • You want separate certificate management per service
  • Compliance requirements that demand isolated certificates

SAN Certificates

A SAN certificate (Subject Alternative Name) covers multiple specific domains on the same certificate. Typically used to group related domains:

  • example.com + www.example.com
  • mail.example.com + autodiscover.example.com
  • example.dk + example.se + example.no

Add extra domains in step 2 of the wizard with + Add domain. Each domain must be validated individually; with Auto-DNS this happens automatically.

Tip: Let's Encrypt and Google Trust Services allow up to 100 SAN names per certificate, which is no practical limit for most setups. Commercial CAs typically have a limit that depends on the product.


Automatic Renewal

sslbrain renews certificates automatically. Renewal timing is determined by the CA's recommendation (ARI) or when 75% of the certificate's lifetime has elapsed, with a hard floor of 7 days before expiry as a safety net. No configuration is needed.

The renewal process

  1. sslbrain checks daily whether a certificate is approaching expiry
  2. Renewal starts based on CA recommendation (ARI) or at 75% of lifetime
  3. The domain is validated again (with Auto-DNS this is automatic)
  4. The new certificate is fetched from the CA
  5. The certificate is installed on the same endpoints as the old one
  6. The old certificate is replaced
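The timing rule described above (ARI if the CA offers it, otherwise 75% of lifetime, never later than 7 days before expiry), as an added example that is not sslbrain's code. The certificate dates and ARI values in the demo are constructed; how a given CA exposes its ARI window is assumed to be resolved elsewhere.

```python
# Added example, not part of sslbrain: when a daily check should start renewal.
from datetime import datetime, timedelta, timezone

LIFETIME_FRACTION = 0.75          # renew once 75 % of the lifetime has elapsed
HARD_FLOOR = timedelta(days=7)    # never later than 7 days before expiry


def utc(year, month, day, hour=0):
    """Helper for timezone-aware timestamps (constructed sample dates)."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def renewal_due(not_before, not_after, ari_suggested=None):
    """Earliest point at which renewal should start.

    ari_suggested is the start of the CA's ARI window, or None when the CA
    provides no ARI; the 7-day floor caps whichever rule applies, so a CA that
    suggests a later window still cannot push renewal past the safety net.
    """
    if not_after <= not_before:
        raise ValueError("certificate validity window is empty")
    lifetime = not_after - not_before
    fraction_point = not_before + lifetime * LIFETIME_FRACTION
    candidate = ari_suggested if ari_suggested is not None else fraction_point
    return min(candidate, not_after - HARD_FLOOR)


def renewal_decision(not_before, not_after, now, ari_suggested=None):
    """What the daily check decides: ('renew' or 'wait', due time)."""
    due = renewal_due(not_before, not_after, ari_suggested)
    return ("renew" if now >= due else "wait", due)


if __name__ == "__main__":
    # Constructed 90-day certificate: 2025-01-01 to 2025-04-01.
    nb, na = utc(2025, 1, 1), utc(2025, 4, 1)
    print("no ARI:      ", renewal_due(nb, na))                       # 75 % point
    print("late ARI:    ", renewal_due(nb, na, utc(2025, 3, 28)))     # floor wins
    print("early ARI:   ", renewal_due(nb, na, utc(2025, 2, 15)))     # CA wants early
    print("today 03-10: ", renewal_decision(nb, na, utc(2025, 3, 10))[0])
```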

You can see the renewal history under the certificate's History tab.

If renewal fails

sslbrain retries daily. If renewal fails three times in a row, sslbrain sends a notification (email or webhook, depending on your configuration).

Typical failure causes:

  • DNS delegation has been removed or changed
  • The server is unreachable (network, credentials changed)
  • The CA has a temporary outage

The error and cause are shown in the certificate's log file.


Commercial Certificates

In addition to free ACME certificates, sslbrain can issue commercial certificates from well-known CAs such as DigiCert, Sectigo, GlobalSign and Certum.

Unit-based pricing

Commercial certificates are billed per unit (company, department or customer, depending on your agreement). The number of certificates per unit is unlimited. It is the unit, not the certificate, that has a price.

Automatic CA selection

When you create a commercial certificate, you can let sslbrain choose the cheapest CA that meets your requirements. Specify the certificate type (DV, OV or EV) and any preferences (e.g. wildcard, SAN count), and sslbrain finds the best offer.

You can also choose a specific CA if you have preferences or compliance requirements.

Validation types

  • DV (Domain Validation): requires domain ownership; issued in minutes
  • OV (Organization Validation): requires domain ownership + company details; 1-3 days
  • EV (Extended Validation): requires domain ownership + company + legal verification; 3-7 days

DV certificates are issued automatically. OV and EV require the CA to verify your organisation; sslbrain guides you through the necessary steps and tracks validation status.

Manual upload

For devices and services that do not support ACME, you can upload certificates manually to sslbrain. sslbrain tracks the expiry date and warns you before the certificate expires.

Supported formats

PEM

Base64-encoded, typically with .pem or .crt extension. The most common format on Linux.

DER

Binary format, typically with .der or .cer extension.

PFX / PKCS#12

Certificate and private key in a single file, typically with .pfx or .p12 extension. Standard on Windows.

Upload process

  1. Click Certificates > Upload
  2. Select the file (or drag it into the upload area)
  3. If it is a PFX file, enter the password
  4. sslbrain reads the file and shows the certificate details (domain, CA, expiry date, chain)
  5. Assign the certificate to a server and service (optional)
  6. Click Save

Note: Uploaded certificates are not renewed automatically. sslbrain sends a reminder before expiry so you can order and upload a new one.