Issuance walkthrough
Every form field on the New Certificate page, what it does, and what happens after you click Submit. Includes key-type guidance, policy enforcement, manual DNS, and CSR upload.
Renewal & rotation
How CertAutoPilot decides when to renew, what it does on success, what it does on failure, and how the 47-day SC-081 readiness score is computed.
Reissue a certificate
Reissue generates a fresh private key and requests a new certificate from the same issuer with the same subject / SANs. It is the right choice when you suspect key compromise, when you want to change the key algorithm (e.g. RSA 2048 โ ECDSA P-256), or when policy mandates periodic key rotation independent of the expiry-driven renewal cadence.
Revoke a certificate
Revocation tells the Certificate Authority the cert is no longer trusted and should be published in CRL/OCSP as revoked. It is a one-way action โ you cannot un-revoke, you can only issue a fresh cert. CertAutoPilot calls the issuer (ACME or MSCA), records the reason, emits the audit + notification events, and marks the cert as revoked.
Download a certificate
For operators who need to export a cert manually โ emergency deployments, debugging, audit snapshots. Downloads go through single-use tokens with short expiry, so a copied URL can't be reused. Every download emits a cert.downloaded event with the actor and the selected format.
Manual DNS challenge
When CertAutoPilot cannot (or should not) automate your DNS provider โ unsupported registrar, isolated network, change- management policy โ use the manual DNS path. The backend computes the TXT record and shows it in the UI; you add it on your DNS side; you click Validate; the backend checks propagation and completes the ACME order.
Certificate timeline & events
Every certificate in CertAutoPilot carries a timeline of every lifecycle event โ request, approval, issuance, renewal, distribution, revocation, download. Events are event-sourced (not log-parsed) and stored in the cert_events collection with cursor-based pagination; the timeline surface in the UI is just a read over this collection.
Risk scoring
Every time you open a certificate's detail page, CertAutoPilot computes a risk score from its current state โ how close to expiry, renewal health, distribution coverage, issuer health, chain integrity. The score is computed on-read (no background job), aggregates weighted factors, and maps to one of four levels: critical, high, medium, low.
Dependency graph
Every certificate participates in a web of upstream and downstream relationships: ACME account โ cert, zone โ cert, cert โ distributions โ targets. The dependency graph visualizes that web and โ more practically โ powers the safety checks that refuse destructive operations when something downstream still relies on the target.
Bulk renew
Select many certificates at once and submit a single action. The backend fans out individual renewal jobs, tracks per-cert progress, and aggregates the outcome. Idempotency keys prevent double-submission of the same batch; partial failures surface as partial_failure with the failed certs callable out for human attention.
Certificate policy engine
Project-scoped guardrails for certificate issuance and renewal: allowed key types, issuers, SAN glob rules, naming regex, and required auto-renew โ enforced synchronously with structured 422 violations.