Concepts
The handful of nouns CertAutoPilot operates on — organization, project, ACME account, zone, certificate, distribution target — and how they fit together.
01Organization
The top-level tenant. A CertAutoPilot deployment hosts exactly one organization. The first user to complete setup becomes the owner; ownership is transferable but cannot be deleted.
The organization owns billing-shaped concerns even on self-hosted: licence key, audit retention policy, KEK material, syslog forwarder, and the global RBAC role set.
02Project
An isolated namespace inside the organization. Almost every other object — ACME accounts, DNS credentials, certificates, distribution targets, jobs — belongs to exactly one project. Members are granted roles per project.
Use projects to isolate environments (production, staging) or business units (retail, internal-tools). Cross-project references are not allowed; if you need to reuse a credential, create one per project.
03Roles & RBAC
Four roles, hierarchical. A higher role inherits everything the lower can do.
| Role | Scope | Can do |
|---|---|---|
owner | org | Everything. Manage members, projects, KEK, licence. |
admin | project | Manage all project objects. Approve any request. |
operator | project | Issue, renew, distribute. Subject to approval policy. |
viewer | project | Read-only. |
04ACME accounts & CA providers
An ACME account is a registration with a public CA — Let's Encrypt, Google Trust Services, ZeroSSL, Sectigo, SSL.com, GoDaddy, Actalis, GlobalSign, DigiCert. The account holds the EAB binding (if required) and the account key.
For Microsoft AD CS, you instead create a CES/CEP profile or WSTEP profile. These are project-level too.
05DNS credentials & zones
A DNS credential is provider-specific authentication (API token, service account JSON, Cloudflare account-id+token, etc.). A zone binds a DNS apex (e.g. example.com) to a credential — that's how CertAutoPilot decides which token to use when publishing a DNS-01 challenge.
06Certificate
The first-class object. A certificate has a CN, optional SANs, key type, issuer (an ACME account or AD CS profile), policy, renewal window, and an optional list of distribution targets. It also has a timeline — the immutable, HMAC-chained event log of everything that has ever happened to it.
07Distribution target
A destination + credential pair: SSH host, K8s namespace, F5 partition, Vault PKI mount, Webhook URL, NetScaler appliance, IIS server, etc. Targets are reusable across many certificates.
08Job
Anything asynchronous — issue, renew, distribute, scan, validate — runs as a job on the worker. Jobs are queued in MongoDB, retried with exponential backoff, and exposed in the UI under Jobs with structured logs and timing data.