Skip to main content

Concepts

The handful of nouns CertAutoPilot operates on — organization, project, ACME account, zone, certificate, distribution target — and how they fit together.

Organization

The top-level tenant. A CertAutoPilot deployment hosts exactly one organization. The first user to complete setup becomes the owner; ownership is transferable but cannot be deleted.

The organization owns billing-shaped concerns even on self-hosted: licence key, audit retention policy, KEK material, syslog forwarder, and the global RBAC role set.

Project

An isolated namespace inside the organization. Almost every other object — ACME accounts, DNS credentials, certificates, distribution targets, jobs — belongs to exactly one project. Members are granted roles per project.

Use projects to isolate environments (production, staging) or business units (retail, internal-tools). Cross-project references are not allowed; if you need to reuse a credential, create one per project.

Roles & RBAC

Four roles, hierarchical. A higher role inherits everything the lower can do.

RoleScopeCan do
ownerorgEverything. Manage members, projects, KEK, licence.
adminprojectManage all project objects. Approve any request.
operatorprojectIssue, renew, distribute. Subject to approval policy.
viewerprojectRead-only.

ACME accounts & CA providers

An ACME account is a registration with a public CA — Let's Encrypt, Google Trust Services, ZeroSSL, Sectigo, SSL.com, GoDaddy, Actalis, GlobalSign, DigiCert. The account holds the EAB binding (if required) and the account key.

For Microsoft AD CS, you instead create a CES/CEP profile or WSTEP profile. These are project-level too.

DNS credentials & zones

A DNS credential is provider-specific authentication (API token, service account JSON, Cloudflare account-id+token, etc.). A zone binds a DNS apex (e.g. example.com) to a credential — that's how CertAutoPilot decides which token to use when publishing a DNS-01 challenge.

Certificate

The first-class object. A certificate has a CN, optional SANs, key type, issuer (an ACME account or AD CS profile), policy, renewal window, and an optional list of distribution targets. It also has a timeline — the immutable, HMAC-chained event log of everything that has ever happened to it.

Distribution target

A destination + credential pair: SSH host, K8s namespace, F5 partition, Vault PKI mount, Webhook URL, NetScaler appliance, IIS server, etc. Targets are reusable across many certificates.

Job

Anything asynchronous — issue, renew, distribute, scan, validate — runs as a job on the worker. Jobs are queued in MongoDB, retried with exponential backoff, and exposed in the UI under Jobs with structured logs and timing data.

See also