FAQ – Frequently Asked Questions

Is Certeasy a certificate authority (CA)?

No. Certeasy is not a CA and does not issue public certificates. It acts as an internal ACME server in front of your existing Microsoft ADCS CA. All issuance remains on-prem.

Do I need to expose Certeasy on the Internet?

Never. Certeasy is designed to run fully on-premise. Your ACME clients point to an internal URL such as:
https://acme.your-domain.local/directory.

How is Certeasy installed?

You install Certeasy on an internal server, connect it to your ADCS CA, and configure your servers to use the internal ACME URL.

Does Certeasy require Internet access?

Not for its PKI work, and it can run fully air-gapped. Certificates, private keys, CSRs, the domain names you issue for, ACME data, DNS configuration and the audit log never leave your network. No telemetry, no analytics.
By default (online mode), Certeasy makes a single outbound connection: HTTPS to certeasy.tech for the license lifecycle (registration, validation, automatic renewal, plan changes). The only thing it sends is the machine name you set at registration, nothing operational.
For air-gapped or strictly segmented networks, set offline mode (license: offline: true): zero outbound connections, and you update the license manually.
A self-update mechanism is on the roadmap. The EU Cyber Resilience Act (CRA, Annex I) requires automatic security updates to be enabled by default, with a clear and easy opt-out; Certeasy will follow that model in online mode (on by default, opt-out), while air-gapped or offline deployments never auto-update.

Is Certeasy production-ready?

Certeasy v0.9.3 is a stable release, already used for day-to-day issuance, renewal and revocation. Core ACME issuance, HTTP-01, DNS-01 and TLS-ALPN-01 validation, and revocation (CRL/OCSP propagation to ADCS) are all implemented and supported, with certbot, acme.sh and lego. We reserve the full production-ready label for the upcoming V1 milestone, which closes a couple of known, non-blocking limitations (see below). Upgrading to V1 will be recommended once available.
Plan limits (managed server quota, CA count) are enforced by the binary at startup and on every new order, including during the evaluation period.

Are there any known limitations?

Yes, and we list them openly. In v0.9.3:
Data retention: there is no automatic cleanup yet, so ACME records (orders, authorizations, challenges) accumulate over time. On long-lived deployments, plan periodic maintenance until automated retention ships.
Health / metrics endpoints: there are no built-in HTTP health or metrics endpoints yet, so supervision relies on logs and database introspection for now.
Neither blocks core certificate automation, and both are scheduled for the V1 release.

Can I use certbot with Certeasy?

Yes. Certeasy supports any standard ACME client including Certbot, acme.sh, lego, Caddy, Posh-ACME, and others.

Which ACME challenges are supported?

Certeasy supports HTTP-01, DNS-01 and TLS-ALPN-01 on all plans, today. Distributed validators for segmented networks are planned for V3.

If Certeasy goes down, are my certificates at risk?

No. Certificates already issued keep working regardless. ACME clients start renewal 30 days before expiry, giving ample time to restore the service before any certificate actually expires.

What's the difference between the Free, Starter, Pro and Enterprise plans?

Free: 1 production installation, ~25 managed servers, 1 ADCS production authority. Renewed annually at €0, price locked.
Starter: €299/year, 1 production installation, ~250 managed servers, 2 ADCS production authorities.
Pro: €499/year, 1 production installation (Active/Passive included), unlimited managed servers, 3 ADCS production authorities, PostgreSQL.
Enterprise: €999/year/CA, everything in Pro + up to 5 ADCS production authorities, split deployment, Active/Active HA (V2), distributed validators (V3).

What does "1 production installation" mean?

One license covers one production Certeasy deployment. Dev and staging instances may run under the same license at no additional cost. They do not count as production installations.

Can I run multiple Certeasy instances?

Yes. One license covers one production installation — dev and staging are included. For Active/Passive high availability, Pro includes a passive standby at no extra cost. Active/Active multi-node deployments require an Enterprise license (available in V2).

How does high availability work?

Active/Passive (Pro+): run two Certeasy instances against the same PostgreSQL database with a load balancer or keepalived in front. No additional feature required — this is a standard deployment pattern.
Active/Active (Enterprise, V2): multiple active nodes with distributed job coordination. Requires PostgreSQL.

Do plan limits apply right now?

Yes. The managed server quota (distinct ACME accounts with at least one active certificate) and CA count limits are enforced according to your plan, including during the evaluation period. You can switch to a different evaluation plan during the trial; the new plan's limits apply from that point.

What happens after the 6-month free trial?

Nothing automatic. 15 days before expiry, we'll ask whether you want to continue. If you subscribe, you pay for a year. A new license file is sent to your email. Replace the existing certeasy.lic on your server: no reinstallation, no configuration change. Your license is extended by one year from the trial expiry date, not from the payment date.
On connected installations, auto-renewal can be configured so the binary fetches and replaces the file itself. On air-gapped servers, the manual file replacement is the only step required.
If you stop, the license simply expires.

What does "price stability over time" mean?

Once you become a customer, your price stays the same. Any future pricing changes will apply only to new customers.

What database should I use?

SQLite (Free, Starter): zero setup, single file, sufficient for most deployments up to ~250 managed servers.
PostgreSQL (Pro+): recommended for larger infrastructures, Active/Passive HA, and teams that already operate a PostgreSQL stack.

Are the certificates secure?

Yes. Certeasy uses your existing ADCS templates and policies. Certificates are identical to those issued through Microsoft consoles, just automatically.

Can we audit the source code before buying?

Yes. Source code access is available under NDA for security evaluation purposes — whether you are a prospect or an existing customer. Contact us at [email protected] to request access.

What features are planned next?

V2: split deployment (ADCS connector on Tier 0), Active/Active high availability.
V3: distributed validation agents for segmented networks.
V4: admin dashboard, certificate expiry tracking, network discovery.

How does support work?

Free: email support (best-effort, for now).
Starter: email support.
Pro: priority email support.
Enterprise: priority email and Teams support.
There is no phone support.

Do you offer onboarding or professional services?

Yes. Paid onboarding and advanced-support engagements are available on request, on any plan. A one-year license is included in the engagement, so the license cost for that year is effectively covered by the service. Contact us at [email protected] for a quote.

Can I upgrade from Starter to Pro or Enterprise?

Yes, at any time. Upgrading requires no reinstallation.