SSL Manager - Certific...

PUQcloud Panel

Order Now | Download | FAQ

Overview

Certificate Authorities (CA) are provider profiles the panel uses to issue and renew SSL/TLS certificates via ACME. PUQcloud follows a simple rule: one module per CA.
Currently supported modules:

Let’s Encrypt (plus Let’s Encrypt Staging for safe testing)
ZeroSSL

Where to find it: Settings → SSL Manager → Certificate Authorities

What you can do here

Create and configure CA profiles (ACME account, technical DNS zone, timeouts).
Test connectivity to the CA (Save and Test) and see the CA directory endpoints.
Keep multiple profiles (e.g., Production vs Staging) and select them per-certificate.

Create a CA Profile (step-by-step)

Go to Settings → SSL Manager → Certificate Authorities and click + Create.
Enter Name and choose Module = PUQ ACME (active) → Save.
Click Edit on the new CA profile and fill in the fields (see the Field Reference below).
Click Save and Test. A modal should show API is available plus a dump of ACME directory endpoints.
Click Save.

Field Reference (when & why)

Field	What it is	When / Why
Name	Internal display name	Use meaningful names like `LE PROD`, `LE STAGING`, `ZeroSSL`.
Description	Short profile note	Note target usage: “production issuance”, “sandbox”, or project scope.
Certificate Authority	Selected CA directory	Use Let’s Encrypt Staging for tests, Let’s Encrypt or ZeroSSL for production.
Email address for the ACME account	Email used to register/manage the ACME account	Required. Prefer a shared ops mailbox (e.g., `[email protected]`) for continuity.
EAB Key ID / EAB HMAC Key	External Account Binding	Needed by some providers/plans (e.g., ZeroSSL). Leave empty if not required.
DNS Zone	Technical zone where TXT records are actually created	Example: `acme.puqcloud.com`. The target domain’s `_acme-challenge` will CNAME to this zone.
Allow wildcard certificates	Allows `*.domain`	Enable if you plan wildcard issuance (DNS-01 only).
DNS Record TTL (seconds)	TTL for created DNS records	30–60 speeds up DCV; raise slightly if your DNS is slow to propagate.
API Timeout (seconds)	Max wait for ACME API responses	Increase (e.g., 20–30) on flaky networks/CI bursts.
Save and Test (button)	Connectivity check	Opens a modal with API is available and the list of ACME endpoints. Investigate if it fails.

Provider specifics

Let’s Encrypt (incl. Staging)

Uses DNS-01 via a technical zone:
1. On the target domain you create a CNAME for _acme-challenge.domain pointing into your technical zone (e.g., _acme-challenge.domain CNAME <token>.acme.puqcloud.com).
2. Let’s Encrypt queries _acme-challenge on the target domain, follows the CNAME into the tech zone, and reads the TXT value there.
Let’s Encrypt Staging is ideal for testing without spending production rate limits.
Wildcards (*.domain) require DNS-01 and the Allow wildcard flag.

ZeroSSL

Supports account API keys so that issued certificates appear in your ZeroSSL account.
If you don’t provide keys, the system will create temporary keys per certificate automatically.
With a paid ZeroSSL plan (~$12/month), generate API keys and add them to PUQcloud so all certs are visible/manageable in your ZeroSSL panel.

Good practices

Start with Let’s Encrypt Staging to validate your flow, then enable Let’s Encrypt (production).
Keep DNS TTL low (30–60s) in the CA profile to speed up challenges.
For ZeroSSL at scale, use account keys for visibility and auditing.

Migration cheat-sheet (e.g., from Let’s Encrypt to ZeroSSL)

Create a new CA profile (add EAB/API keys if required by your ZeroSSL plan).
Save and Test to confirm directory endpoints.
Check/update your technical DNS zone if it differs from previous setup.
Issue a test cert on a non-critical domain to validate DCV.
For new certs, select the new CA in the creation form. For existing certs, you cannot “switch issuer”; issue a new certificate under the new CA and deploy it.
Verify Days Remaining / Auto Renew behavior on new certs (and, with ZeroSSL keys, that issues appear in the ZeroSSL account).

Troubleshooting

“Save and Test” doesn’t show “API is available”
- Check selected CA, network access, EAB keys (if required), and API Timeout.
LE DNS validation fails
- Confirm the CNAME is correct and already resolves to the tech zone; wait for TTL.
Wildcard fails
- Ensure Allow wildcard is enabled and you are using DNS-01.
ZeroSSL certificates don’t show in the ZeroSSL dashboard
- Add account API keys to the CA profile (temporary per-certificate keys don’t link certs to your account).

SSL Certificates — issuance workflow (Draft → CSR → Pending (CNAME) → Active), auto-renew, metadata.
DNS Manager — managing your technical zone and verifying _acme-challenge records.
Email & Notifications — reminders for expiry and operational alerts.

Login Page

Dashboard and Menu Overview

Clients: Manage Clients Overview

Clients: Manage Users Overview

Products: Manage Products Overview

Products: Product Groups Overview

Monitoring: Task Queue Overview

Monitoring: Admin Sessions Overview

Monitoring: Activity Log Overview

Monitoring: Module Log Overview

Monitoring: Notification History Overview

Staff: Admins Management Overview

Staff: Managing Administrator Groups Overview

Automation: Scheduler Overview

Automation: Horizon Overview

Email & Notifications: Notification Senders Overview

Email & Notifications: Notification Layouts Overview

Email & Notifications: Notification Templates

General: General Settings

General: Countries

General: Currencies

Manage Dashboard

Create and manage Clients

Create and manage users

Transactions Page

Create and manage a Home Company

Create and manage Tax Rules

Create and Manage a Product

Create and Manage Product Groups

Create and Manage an Attribute Group

Create and Manage Product Option Groups

Check and manage Task Queue

Check and manage Admin Sessions

Check and manage Client Sessions

Check and manage Activity Log

Check and manage Module Log

Check and manage Notification History

Create & Manage Administrators

Create & Manage Administrator Groups

Manage scheduler in the Admin Area

Manage Notification Senders in the Admin Area

Manage Notification Layouts in the Admin Area

Manage Notification Templates (Admin Area)

Manage General on Admin Area

Сheck Countries in the Admin Area

Create and manage Currencies in the Admin Area

SSL Manager - Certificate Authorities

SSL Manager - SSL Certificates

Manage the Client Area Dashboard

Manage Your Profile in the Client Area

Manage Invoices in the Client Area

Check Transactions in the Client Area

Account & Security: manage profile, password, verification, and 2FA