Manage wizard

Adopt a discovered certificate into full CertAutoPilot management. The wizard walks through issuer binding, renewal config, and (optionally) a distribution attachment — after which the previously-shadow cert becomes a managed record with all the lifecycle machinery behind it.

01 What managed vs shadow means

  • Shadow (before): The cert exists in discovered_certificates. CertAutoPilot knows about it but doesn't renew, revoke, or distribute it.
  • Managed (after): A record is created in certificates with the chosen issuer. On its next scheduled renewal window, the scheduler takes over; revocation and distribution become first-class operations.

02 Prerequisites

  • Operator role on the project.
  • An ACME account or MSCA connection that can issue replacement certs for the same identifiers.
  • Every identifier on the cert is covered by a registered zone.

03 Run the wizard

  1. Discovery → Inventory → click the cert → Manage.
  2. Step 1 — Verify subject. The wizard shows the subject + SANs detected from the scan. Confirm — if you can't reissue with exactly these identifiers (e.g. an IP SAN your CA doesn't allow), abort and fix the source of truth first.
  3. Step 2 — Pick an issuer. Select an ACME account or MSCA connection + template. The form warns if the chosen issuer can't handle one of the identifiers (e.g. Let's Encrypt and internal-only names).
  4. Step 3 — Renewal policy. Enable auto-renew, choose a key type (defaults to matching what we observed — ECDSA if the discovered cert is ECDSA), set any name / description.
  5. Step 4 — Distributions (optional). Attach one or more distributions at creation time. Skippable; you can attach later.
  6. Step 5 — Review & confirm. The wizard previews the action list:
    • New managed cert record created.
    • Link maintained to the discovered record — drift detection stays active.
    • (Optional) immediate renewal to replace the observed cert with a CertAutoPilot-issued cert. Default: wait for the normal renewal window.
  7. Submit. The managed cert appears under Certificates.
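The identifier checks behind Step 1 and Step 2 (zone coverage, issuer capability, IP SANs), and the two error messages listed later under Troubleshooting, modelled as an added Python example. This is illustrative code, not CertAutoPilot's own; the `Issuer` fields, the internal-only suffix list and the exact error strings are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed: suffixes treated here as "internal-only" names a public CA will not issue for.
INTERNAL_SUFFIXES = (".internal", ".local", ".corp", ".lan")

@dataclass(frozen=True)
class Issuer:
    """Hypothetical issuer capabilities (assumption, not CertAutoPilot's real model)."""
    name: str
    public_ca: bool       # public CA such as an ACME / Let's Encrypt account
    allows_ip_sans: bool  # whether the issuer accepts IP-address SANs

def is_ip(identifier: str) -> bool:
    try:
        ip_address(identifier)
        return True
    except ValueError:
        return False

def is_internal_only(name: str) -> bool:
    # Single-label hostnames and reserved suffixes are not publicly resolvable.
    return "." not in name or name.lower().endswith(INTERNAL_SUFFIXES)

def zone_for(name: str, zones: set[str]) -> str | None:
    """Longest registered zone that is the name itself or one of its parents."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def preflight(identifiers: list[str], zones: set[str], issuer: Issuer) -> list[str]:
    """Return wizard-style error strings for identifiers that block adoption ([] = OK)."""
    errors = []
    for ident in identifiers:
        if is_ip(ident):
            if not issuer.allows_ip_sans:
                errors.append(f"issuer cannot handle identifier {ident}")
        elif zone_for(ident, zones) is None:
            errors.append(f"no matching zone: {ident}")
        elif issuer.public_ca and is_internal_only(ident):
            errors.append(f"issuer cannot handle identifier {ident}")
    return errors

if __name__ == "__main__":
    acme = Issuer("lets-encrypt", public_ca=True, allows_ip_sans=False)
    print(preflight(["www.example.com", "10.0.0.5", "db.corp.internal"],
                    {"example.com", "corp.internal"}, acme))
```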

04 Immediate replacement vs lazy

  • Lazy (default): the discovered cert keeps serving until its next renewal window; CertAutoPilot then issues the replacement through the configured issuer. Minimises churn.
  • Immediate: reissue right now — skip the renewal window. Use when the observed cert is near expiry or when compliance demands you rotate onto the sanctioned issuer without delay.

05 What happens after adoption

  • The managed flag flips on the discovered record — it stops showing up in the "shadow" filter.
  • Drift detection stays active: if someone swaps the cert out-of-band, the next scan flags it and opens a finding.
  • The renewal scheduler includes the cert in its regular sweep.
  • Distributions (if attached) execute on the next renewal.

06 Removing management

There is no "un-manage" button. If you added a cert by mistake, delete the managed record (Certificates → … → Delete). The discovered record remains and reverts to shadow.

07 Bulk import

Multi-select in the inventory → Manage selected. The wizard batches Steps 2–4 across many certs as long as they can share the same issuer / renewal settings. The shape is intentionally restrictive so the batch doesn't silently diverge — to import with different issuers per cert, run the wizard individually.

08 Troubleshooting

"no matching zone" in Step 2

One of the identifiers is not under any registered zone. Register the apex first or remove the identifier from the cert you're adopting (which requires a reissue with narrower SANs, separate from this wizard).

"issuer cannot handle identifier X"

Public CA + internal-only name, or a policy-restricted issuer. Pick a different issuer or reissue the cert elsewhere.

Immediate replacement failed with rate-limit

Hitting the CA's weekly quota. Use the Lazy path instead — the renewal window spreads the issuance over time.