Setup
The first time you open sslbrain, you are greeted by a setup wizard that guides you through four steps: admin account, license, security and notifications, and backup key.
Setup Wizard
The wizard runs automatically the first time you open sslbrain. All four steps are required to complete the setup.
Step 1: Admin account
Create your admin account. sslbrain automatically registers the same account on sslbrain Cloud via quickRegister — no separate pairing or registration is needed. You use the same credentials to log in to both your local sslbrain and sslbrain Cloud.
| Field | Description |
|---|---|
| Email | Your work email. Used to log in to both sslbrain and sslbrain Cloud. |
| Password | sslbrain checks the strength and rejects weak passwords. |
| Display name | Optional. Used in emails sent from sslbrain. |
Important: Store the password in a safe place. If you later connect Active Directory, this admin account remains as a fallback login. If you lose the password and don't have AD configured, a recovery procedure is required.
Step 2: License
Choose your license tier. You can change this at any time in the sslbrain Cloud portal.
Community (free)
For small environments with up to 5 endpoints.
- Let's Encrypt and Google Trust Services
- Auto-DNS for automatic validation
- 1 user login
- 1 custom agent
Paid tiers
For organisations that need more endpoints, users, or commercial CAs.
- Unlimited endpoints (varies by tier)
- Multiple users and agents
- Commercial CAs (DigiCert, Sectigo, GlobalSign)
- Priority support
Tip: Start with Community and upgrade later. The license can be changed at any time from the sslbrain Cloud portal without reinstalling.
Step 3: Security and notifications
Configure two important security settings. Both can be changed later under Settings.
| Setting | Description |
|---|---|
| IP whitelist | Restrict admin access to specific IP addresses. Only whitelisted IPs can reach the web interface. |
| Alert email | Receive notifications for certificate expiry, servers going offline, and renewal failures. |
Recommendation: At minimum, enter an email address. You want to know immediately if an automatic renewal fails or a server goes offline.
Step 4: Backup key
sslbrain generates a backup key and displays it on screen. This is the only time the key is shown.
Format
XXXX-XXXX-XXXX-XXXX
16 characters, human-readable. Avoids confusable characters like 0/O and 1/I.
Shown once
Copy it now. You can generate a new one later under Settings > Encryption, but the old key becomes invalid.
Disaster recovery
You need both the backup key and a file backup of /data to restore.
Important: Store the backup key safely: in a password manager (1Password, Bitwarden, KeePass) or printed and placed in a safe. Do NOT store it on the same server as sslbrain — you would lose both at the same time.
sslbrain Cloud
sslbrain Cloud is the central service that supports your local sslbrain installation. It is included in all licenses at no extra cost. The Cloud connection is established automatically during setup when sslbrain creates your account via quickRegister.
What Cloud handles
| Feature | Description |
|---|---|
| License validation | Provides your signed license including enabled features |
| Vault unlock (rotating) | Stores and rotates the encrypted Key Encryption Key for automatic unsealing |
| Auto-DNS | Creates DNS records for ACME DNS-01 validation, so neither sslbrain nor your server needs access to your DNS zone |
| ACME server | Built-in ACME server that issues certificates via backend CAs (Let's Encrypt, Google, etc.) |
| Agent updates | Distributes new agent versions to your Windows and Linux agents |
What Cloud does NOT have access to
Never leaves your server
- Private certificate keys
- Certificates (except those issued through its ACME server)
- Server credentials
- Vault contents
Cloud sees only metadata
- Used license features
- Certificate expiry dates
- License status
All cryptographic material remains on your local server. Cloud staff do not have access to your encryption keys.
Pairing
Pairing codes are used to reconnect an existing sslbrain installation to Cloud. They are not part of the initial setup — that connection is created automatically via quickRegister when you create your admin account.
When you need a pairing code
- After reinstalling sslbrain and restoring from backup
- If the Cloud connection is lost and cannot recover automatically
- When migrating sslbrain to a new server
How pairing works
| Detail | Value |
|---|---|
| Format | XXXX-XXXX |
| Length | 8 characters (4-4 format with dash) |
| Validity | 15 minutes |
| Generate new | Settings page, if the current code has expired |
To reconnect:
- Open sslbrain's Settings page and generate a pairing code
- Log in to sslbrain.com/cloud/ with your sslbrain account
- Click Pair instance and enter the code
- sslbrain confirms the connection within a few seconds
Requirement: sslbrain must have internet access to cloud.sslbrain.com (port 443) during pairing and for ongoing operation.
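To make the rules in the Backup Key step (16 characters, confusable characters avoided, shown once) and the pairing table above (8 characters, 15-minute validity) concrete, here is an added Python example of how such human-readable codes can be generated and checked. It is not sslbrain's code: the 32-symbol alphabet, the exact expiry handling and every function name below are assumptions made for this example.

```python
import math
import secrets
import time
from typing import Optional

# Assumed alphabet (the page only says 0/O and 1/I are avoided): uppercase
# letters without I and O, plus the digits 2-9. That is 32 symbols, so every
# character carries exactly 5 bits of entropy.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
GROUP_LEN = 4
PAIRING_CODE_TTL_SECONDS = 15 * 60   # validity stated on the page


def generate_code(groups: int) -> str:
    """Dash-separated code of `groups` groups of four symbols, drawn from the
    OS CSPRNG through the secrets module (never random.choice for secrets)."""
    return "-".join(
        "".join(secrets.choice(ALPHABET) for _ in range(GROUP_LEN))
        for _ in range(groups)
    )


def generate_backup_key() -> str:
    """XXXX-XXXX-XXXX-XXXX: 16 symbols, 80 bits of entropy."""
    return generate_code(4)


def generate_pairing_code() -> str:
    """XXXX-XXXX: 8 symbols, 40 bits. Acceptable only because it expires quickly."""
    return generate_code(2)


def normalize(code: str) -> str:
    """Accept what a human types: trim, upper-case, treat spaces as dashes."""
    parts = code.strip().upper().replace(" ", "-").split("-")
    return "-".join(p for p in parts if p)


def is_valid_code(code: str, groups: int) -> bool:
    """Structural check: right number of groups, right length, no confusables."""
    parts = normalize(code).split("-")
    return len(parts) == groups and all(
        len(p) == GROUP_LEN and all(c in ALPHABET for c in p) for p in parts
    )


def entropy_bits(groups: int) -> float:
    """Entropy of a code with the given number of 4-symbol groups."""
    return groups * GROUP_LEN * math.log2(len(ALPHABET))


class PairingCode:
    """A pairing code together with its issue time (assumed representation)."""

    def __init__(self, now: Optional[float] = None):
        self.code = generate_pairing_code()
        self.issued_at = time.time() if now is None else now

    def is_expired(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return now - self.issued_at > PAIRING_CODE_TTL_SECONDS


def verify_pairing(submitted: str, issued: PairingCode,
                   now: Optional[float] = None) -> bool:
    """Reject expired codes first, then compare in constant time so the check
    does not leak how many characters matched."""
    if issued.is_expired(now) or not is_valid_code(submitted, 2):
        return False
    return secrets.compare_digest(normalize(submitted), issued.code)


if __name__ == "__main__":
    print("backup key :", generate_backup_key(), f"({entropy_bits(4):.0f} bits)")
    pc = PairingCode()
    print("pairing    :", pc.code, f"({entropy_bits(2):.0f} bits, valid 15 min)")
    print("accepted   :", verify_pairing(pc.code.lower(), pc))
```

The arithmetic is the point: 80 bits is plenty for a key that only ever sits in a password manager, while 40 bits is only defensible for a code that dies after 15 minutes and whose acceptance endpoint limits the number of attempts, which is why the pairing flow ties the code to a short validity window.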
Backup Key
The backup key is created during step 4 of the setup wizard. It is your offline key for disaster recovery.
What the backup key does
The backup key unlocks the encrypted vault when restoring from a backup. To restore an sslbrain installation, you need both:
1. File backup of /data
Contains the database, vault files, agents, and configuration. Without it, there is nothing to restore.
2. Backup key
Unlocks the encrypted vault in the backup. Without it, private keys and credentials are inaccessible.
Tip: If you use automatic unsealing, sslbrain Cloud can also unseal the vault from a backup. The backup key is your offline fallback — it works regardless of Cloud connectivity.
How to store the backup key
| Method | Notes |
|---|---|
| Password manager | 1Password, Bitwarden, KeePass — the recommended option for most teams |
| Printed copy | Place in a safe or security box. Good as a secondary backup |
| NOT on the same server | If the server fails, you lose both the data and the key at the same time |
Note: The backup key is shown only once during setup. You can generate a new one under Settings > Encryption, but the old key becomes invalid immediately.
First Login
After completing the setup wizard, you log in with the admin account you created in step 1. You land on the dashboard.
Dashboard overview
The dashboard gives an overview of your entire certificate infrastructure:
| Section | Shows |
|---|---|
| Certificates | All active certificates with expiry dates. Colour codes: green (OK), yellow (expires within 30 days), red (expired) |
| Servers | Connected servers and their status (online/offline). Click to see certificates and configuration |
| Activity | Recent actions: issued certificates, renewals, errors. Useful for troubleshooting |
| Alerts | Certificates that need attention — renewal failed, server offline, approaching expiry |
Navigation
| Page | Purpose |
|---|---|
| Certificates | Create, renew, revoke and manage certificates |
| Servers | Add and configure servers (SSH, WinRM, Agent) |
| CA accounts | Configure Certificate Authorities (Let's Encrypt, DigiCert, Sectigo, etc.) |
| Downloads | Download Windows Agent, Linux Agent and CLI tools |
| Settings | Users, AD, encryption, Cloud, notifications, updates |
After Setup
Review and configure these settings before you start issuing certificates.
1. Active Directory / LDAP
Under Settings > Identity: connect sslbrain to your AD/LDAP server so users can log in with their domain credentials.
| Setting | Example |
|---|---|
| Server | ldaps://dc01.example.com:636 |
| Base DN | DC=example,DC=com |
| Bind user | A service account with read permissions |
| Group mapping | Choose which AD groups grant access to sslbrain |
Tip: The admin account created during setup remains as a fallback login, even when AD is connected.
2. Vault and encryption mode
Under Settings > Encryption: sslbrain encrypts all private keys and credentials in a vault. You can choose how the vault is unsealed on restart.
Automatic unsealing (recommended)
The vault opens automatically when sslbrain starts. The unseal key is stored encrypted in sslbrain Cloud and delivered only to your registered instance.
Choose this if:
- You want a fully automatic installation
- The server can restart without human intervention
- You trust sslbrain Cloud's infrastructure (the key is encrypted, sslbrain staff do not have access)
Manual unsealing
You receive an unseal key that you store yourself. After each restart, an administrator must enter the key before the vault opens and certificate operations resume.
Choose this if:
- Compliance requires that no third party has access to encryption keys
- You have a procedure to respond to restarts within a short time
- You operate in an air-gapped or high-security environment
3. Notifications
Under Settings > Notifications: configure email or webhook for alerts. sslbrain can notify you when:
- A certificate could not be renewed
- A server is offline
- A certificate expires within X days (configurable)
Recommendation: At minimum, set up an email address so you are notified if an automatic renewal fails.
4. CA accounts
Let's Encrypt and Google Trust Services are automatically connected and available for free. They can be disabled under CA accounts if you do not want to use them.
Commercial certificates (DigiCert, Sectigo, GlobalSign) require license units that can be purchased and added under CA accounts on paid licenses.
5. DNS validation
Recommendation: We strongly recommend Auto-DNS. It makes certificate issuance and renewal fully automatic, and does not require sslbrain or your servers to have access to your DNS zone.
Under Settings > DNS: choose your validation method.
| Method | How it works | Automatic renewal |
|---|---|---|
| sslbrain Auto-DNS | sslbrain Cloud handles DNS records via a CNAME setup. All licences. | Yes |
| HTTP-01 / DNS API / TLS-ALPN | Validate via HTTP file, your DNS provider's API or TLS-ALPN. Paid licences only. | Yes |
Auto-DNS only requires you to create one CNAME record per domain:
_acme-challenge.example.com CNAME example.com.acme.sslbrain.cloud.
sslbrain guides you through the setup for your specific DNS provider.
Community users: The Community licence can only use Auto-DNS via sslbrain Cloud. HTTP-01, DNS API and TLS-ALPN validation require a paid licence. Validation failures can rate-limit ACME accounts and affect other users. Community users can still connect directly to Let's Encrypt or other CAs outside sslbrain Cloud.
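As an added example (not part of sslbrain's documentation or code), the following Python preflight check builds the CNAME record Auto-DNS expects for a domain and compares it with what a resolver actually returns. It catches the mistakes that most often break DNS-01 delegation before they cost a rate-limited validation attempt: the record is missing or not yet propagated, the target lost its trailing dot so the DNS provider appended the zone name, or several CNAMEs sit at the same owner name. Assumptions: the target pattern <domain>.acme.sslbrain.cloud. shown for example.com generalises to other domains (including subdomains), and the answer text comes from `dig +short CNAME <name>`; the sample answers in the block are constructed.

```python
import subprocess
from typing import Dict, List, Tuple

AUTO_DNS_SUFFIX = "acme.sslbrain.cloud"   # taken from the page's example target


def fqdn(name: str) -> str:
    """Canonical form for comparisons: DNS names are case-insensitive, so
    lower-case, trim whitespace and keep exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def expected_cname(domain: str) -> Tuple[str, str]:
    """Owner name and target of the CNAME Auto-DNS needs for `domain`.
    Assumption: the page's pattern <domain>.acme.sslbrain.cloud. holds for
    every domain, subdomains included."""
    d = fqdn(domain).rstrip(".")
    return f"_acme-challenge.{d}.", f"{d}.{AUTO_DNS_SUFFIX}."


def parse_dig_short(output: str) -> List[str]:
    """`dig +short CNAME <name>` prints one target per line; ';' lines are comments."""
    return [fqdn(line) for line in output.splitlines()
            if line.strip() and not line.lstrip().startswith(";")]


def check_delegation(domain: str, dig_output: str) -> Dict[str, object]:
    """Compare the resolver's answer with the expected record and name the problem."""
    owner, target = expected_cname(domain)
    found = parse_dig_short(dig_output)
    if not found:
        problem = "no CNAME answer: record missing or not yet propagated"
    elif len(found) > 1:
        problem = "more than one CNAME at the owner name (invalid; remove the extras)"
    elif found[0] == target:
        problem = None
    elif found[0].startswith(target):
        # e.g. example.com.acme.sslbrain.cloud.example.com. : the provider
        # treated the target as relative and appended the zone
        problem = ("target has the zone appended: the trailing dot was probably "
                   "omitted when the record was entered")
    else:
        problem = "CNAME points to an unexpected target"
    return {"owner": owner, "expected": target, "found": found,
            "ok": problem is None, "problem": problem}


def query_cname(owner: str) -> str:
    """Live lookup; needs the `dig` binary and network access (not used in tests)."""
    return subprocess.run(["dig", "+short", "CNAME", owner],
                          capture_output=True, text=True, check=True).stdout


# Constructed resolver answers for the four situations handled above.
SAMPLE_ANSWERS = {
    "ok":      "example.com.acme.sslbrain.cloud.\n",
    "case":    "Example.COM.acme.SSLBRAIN.cloud.\n",
    "missing": "",
    "zone":    "example.com.acme.sslbrain.cloud.example.com.\n",
}

if __name__ == "__main__":
    for label, answer in SAMPLE_ANSWERS.items():
        result = check_delegation("example.com", answer)
        print(f"{label:8s} ok={result['ok']!s:5s} {result['problem'] or ''}")
    # For a real check replace the sample with: query_cname(expected_cname(domain)[0])
```

Run the check against a public resolver as well as your authoritative server: the authoritative answer tells you whether the record was entered correctly, the public one whether it has propagated, and a mismatch between the two is the usual reason a validation that "should work" still fails.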
6. Backup schedule
Under Settings > Backup: sslbrain automatically takes a daily backup of the database and vault.
| Setting | Default | Description |
|---|---|---|
| Time | 02:00 | When the daily backup runs |
| Retention | 7 days | How many backups to keep. Older backups are deleted automatically |
| External storage | Off | Copy backups to NAS, S3, or similar so you have them if the server fails |
7. TLS certificate for the web interface
sslbrain uses a self-signed certificate at installation. Under Settings > TLS you can issue a real certificate for sslbrain's own web interface — either from Let's Encrypt or an internal CA. This eliminates browser warnings.