Settings
All settings are accessed via the gear icon in the top menu or Settings in the side menu.
General
| Setting | Description |
|---|---|
| Hostname | sslbrain server's FQDN. Used in agent registration and certificate links. |
| Timezone | Timezone for UI and log display. All internal timestamps are UTC regardless of this setting. |
Security
Users
Create, edit and delete local users. Each user is assigned a role: Admin, Operator or Viewer. See Security for role descriptions.
Password policy
Set minimum requirements for passwords: minimum length (default 12 characters) and requirements for uppercase/lowercase letters, numbers and special characters.
LDAP / Active Directory (Pro+)
Connect sslbrain to your Active Directory or LDAP server. Configure:
Server
LDAP server address (e.g. ldaps://dc01.example.com:636)
Base DN
Search base (e.g. DC=example,DC=com)
Bind user
A service user with read access to AD
Group filter
Map AD groups to sslbrain roles (e.g. SSLBrain-Admins → Admin)
Tip: Click Test connection to confirm the setup before saving.
Vault
| Setting | Description |
|---|---|
| Unseal mode | Switch between auto-unseal, manual password and HSM/YubiKey. See Security. |
| Change password | Changes the vault password. Requires the current password. |
| Export backup key | Downloads an encrypted backup key. Store it in a safe place outside sslbrain. Used for disaster recovery if you lose access to the vault. |
Note: Store the backup key in a safe place. Without it and your password, the vault cannot be recovered.
Notifications
sslbrain sends notifications on important events: certificate issued, renewal failed, server offline, vault sealed, etc.
Channels
| Channel | Setup |
|---|---|
| Default. Configure SMTP server, sender and recipients. | |
| Slack | Provide a Slack webhook URL. Messages are sent to the channel the webhook is configured for. |
| Webhook | Generic webhook. sslbrain sends a POST request with a JSON payload to your URL. |
| Telegram | Provide bot token and chat ID. |
Tip: Click Test next to each channel to send a test message and confirm the setup works. You can configure multiple channels simultaneously, e.g. email to the operations team and Slack to a monitoring channel.
ACME Accounts
Manage your ACME accounts with the various CAs:
Add account
Create a new ACME account with a CA (Let's Encrypt, Google Trust Services, etc.)
EAB credentials
Some CAs require External Account Binding. Enter Key ID and HMAC key here.
Remove account
Remove an ACME account from sslbrain. Certificates issued via the account are not affected.
sslbrain automatically creates a Let's Encrypt account on the first certificate issuance, if you don't already have one.
TLS certificate
sslbrain uses a self-signed certificate on first start. Replace it with your own:
Go to Settings > TLS certificate
Upload certificate and private key (PEM format)
sslbrain restarts automatically with the new certificate
Tip: Alternatively, you can let sslbrain issue a certificate for itself via Let's Encrypt. Click Issue via ACME and follow the guide. The certificate renews automatically.
License
Here you can see your license level and what it includes:
| Field | Description |
|---|---|
| Level | Community, Pro or Enterprise |
| Server limit | Maximum number of servers you can manage |
| Features | List of available features for your level |
| Expiry date | License expiry date (or "No expiry" for Community) |
Upgrade or renew the license directly from here. Changes take effect immediately.
Updates
| Setting | Description |
|---|---|
| Automatic updates | Enable or disable automatic updates. When enabled, sslbrain installs new versions automatically in a maintenance window (default: Sunday night). |
| Check now | Check if a new version is available and install it immediately. |
Tip: sslbrain automatically creates a backup before updating and rolls back if something fails. See Troubleshooting for details.
Network
| Setting | Description |
|---|---|
| Offline mode (Enterprise) | Disables all outbound connections to sslbrain Cloud. Useful in air-gapped environments. Requires manual license activation and local KEK management. |
| Proxy | Configure an HTTP proxy for outbound connections. |
| Outbound IP whitelist | Shows the IP addresses sslbrain connects to (Cloud servers and CAs). Use the list for firewall configuration. |