Outbound network access
The hosts and ports CertAutoPilot reaches from your network. Use this page to scope egress firewall rules. Only the services you actually configure need to be reachable — start with the always-on group, then open the rest as you turn features on.
Always — required for the product to run. On use — only required when you enable that feature or configure that provider. Customer-defined — host is whatever you point it at; listed here so the category isn't forgotten.
Always
| Service | Host | Port |
|---|---|---|
| License | license-api.cloudnativeworks.com | 443 / HTTPS |
Public certificate authorities
Open only the CAs you plan to issue from.
| Service | Host | Port |
|---|---|---|
| Let's Encrypt (production) | acme-v02.api.letsencrypt.org | 443 / HTTPS |
| Let's Encrypt (staging) | acme-staging-v02.api.letsencrypt.org | 443 / HTTPS |
| Google Trust Services (production) | dv.acme-v02.api.pki.goog | 443 / HTTPS |
| Google Trust Services (staging) | dv.acme-v02.test-api.pki.goog | 443 / HTTPS |
| Sectigo | acme.sectigo.com | 443 / HTTPS |
| GlobalSign Atlas | emea.acme.atlas.globalsign.com | 443 / HTTPS |
| DigiCert | one.digicert.com | 443 / HTTPS |
| SSL.com | acme.ssl.com | 443 / HTTPS |
| ZeroSSL | acme.zerossl.com | 443 / HTTPS |
| Actalis | acme-api.actalis.com | 443 / HTTPS |
| GoDaddy ACME | acme.godaddy.com | 443 / HTTPS |
Revocation checks
Hosts come from the OCSP / CRL extensions inside each CA's certificate chain. They are not fixed up front. The list below is what most public CAs use today; treat it as guidance, not as a closed set.
| Service | Host (typical) | Port |
|---|---|---|
| OCSP responders | ocsp.* hosts of the issuing CA | 80 / HTTP |
| CRL distribution points | crl.* hosts of the issuing CA | 80 / HTTP (sometimes 443) |
DNS providers
Open only the providers you store credentials for.
| Service | Host | Port |
|---|---|---|
| Cloudflare | api.cloudflare.com | 443 / HTTPS |
| AWS Route 53 | route53.amazonaws.com | 443 / HTTPS |
| AWS Lightsail | lightsail.*.amazonaws.com (regional) | 443 / HTTPS |
| Google Cloud DNS | dns.googleapis.com | 443 / HTTPS |
| Azure DNS | management.azure.com | 443 / HTTPS |
| DigitalOcean | api.digitalocean.com | 443 / HTTPS |
| GoDaddy | api.godaddy.com | 443 / HTTPS |
| UltraDNS | api.ultradns.com | 443 / HTTPS |
| Akamai Edge DNS | *.akamaiapis.net | 443 / HTTPS |
| Hetzner | dns.hetzner.com | 443 / HTTPS |
| OVH | *.api.ovh.com (regional) | 443 / HTTPS |
| Namecheap | api.namecheap.com, api.sandbox.namecheap.com | 443 / HTTPS |
Discovery and domain tracking
On use — these turn on with the matching feature.
| Service | Host | Port |
|---|---|---|
| Certificate Transparency search | crt.sh | 443 / HTTPS |
| WHOIS / domain expiration | Registry-specific (e.g. whois.verisign-grs.com) | 43 / TCP |
| TLS scanner | Customer-defined targets | 443 / TLS (or custom) |
Notifications
| Service | Host | Port |
|---|---|---|
| Slack incoming webhooks | hooks.slack.com | 443 / HTTPS |
| Microsoft Teams webhooks | *.webhook.office.com, outlook.office.com | 443 / HTTPS |
| SMTP relay (notification) | Customer-defined | 25 / 465 / 587 |
Distribution targets
Customer-defined hosts. Listed by module so the firewall request covers them.
| Module | Host | Port (default) |
|---|---|---|
| SSH | Customer-defined | 22 / SSH |
| WinRM (generic) | Customer-defined | 5985 / 5986 |
| Microsoft IIS | Customer-defined | 5985 / 5986 (WinRM) |
| Kubernetes API | Customer-defined | 443 / 6443 |
| F5 BIG-IP | Customer-defined | 443 / HTTPS |
| Citrix NetScaler | Customer-defined | 443 / HTTPS |
| HashiCorp Vault | Customer-defined | 8200 / HTTPS |
| Webhook | Customer-defined | 443 / HTTPS |
| SMTP delivery | Customer-defined | 25 / 465 / 587 |
| Huawei Cloud (ELB / CDN / WAF) | *.myhuaweicloud.com (regional) | 443 / HTTPS |
| Microsoft AD CS (CES / CEP) | Customer-defined | 443 / HTTPS |
Post-distribution validation
| Service | Host | Port |
|---|---|---|
| TLS fingerprint check | Customer-defined endpoints | 443 / TLS (or custom) |
Telemetry (optional)
Disabled by default. Only outbound when an OTLP endpoint is configured.
| Service | Host | Port |
|---|---|---|
| OpenTelemetry collector (gRPC) | Customer-defined | 4317 / gRPC |
| OpenTelemetry collector (HTTP) | Customer-defined | 4318 / HTTPS |
Air-gapped notes
- The license host is the only always-on egress. Talk to support for offline license activation.
- Public ACME CAs are not reachable in an isolated network — issue from Microsoft AD CS or another internal CA instead.
- OCSP / CRL fetches can be disabled in revocation settings, or routed through an HTTP proxy.
- WHOIS (port 43) is frequently blocked on enterprise networks; turn off domain expiration tracking if it is.