SSL Manager - SSL Certificates

PUQcloud Panel

Overview

The SSL Certificates section is your single place to issue, renew, import, and store SSL/TLS certificates.

Each certificate page is split into two columns:

- Left column — generated by the panel and identical for all certificates (fields, statuses, PEM blocks, metadata).
- Right column — module-specific, driven by the selected CA module (PUQ ACME). It may show provider-specific hints or controls.

Where to find it: Settings → SSL Manager → SSL Certificates

What you can do

- Create a certificate (set the domain, choose a CA profile, add SANs/aliases).
- Generate a CSR and a private key.
- Complete domain control validation (DNS-01 via CNAME → tech zone).
- Enable Auto-renewal and track Days Remaining.
- View/copy Certificate / Private Key / CSR (PEM).
- Change status (Draft → Active via standard actions).
- Delete certificates.
- (Optionally) Import existing certificates.

The private key is encrypted in the database and visible only on the certificate’s page.

Certificates list

The list shows:

- Domain, Certificate Authority (PUQ ACME)
- Status (e.g., ACTIVE, “X DAYS”, “AUTO RENEW: 7”)
- Actions: Edit / Delete
- + Create to add a new certificate

Create a certificate (step-by-step)

1. Click + Create in SSL Certificates.
2. Fill in:
   - Domain — primary domain (CN).
   - Certificate Authority — select a CA profile (e.g., Let’s Encrypt / ZeroSSL).
   - Aliases — SAN domains, one per line (optional).
3. Click Save — this only saves form data (no keys or certificate yet).
4. Click Generate CSR:
   - The system creates the CSR and Private Key (they do not exist before this step).
   - The private key is encrypted in DB; it is only visible on this page.
   - Status switches to Pending.
5. The panel shows instructions to create a CNAME for _acme-challenge. pointing into your tech zone (e.g., acme.puqcloud.com).
6. Once the CNAME resolves, issuance starts automatically. When finished, the card turns Active and shows all metadata/PEMs.

Certificate page — left column fields

Top block (editable in Draft)

- Certificate Status (Draft toggle) — draft state.
- Auto Renew Days — how many days before expiry to auto-renew (typically 7).
- Days Remaining — remaining days until expiry (LE defaults are ~90 days from issue).
- Email (ACME account email) and Agree to Terms of Service — required by the CA policy.

Domain & Organization

- Domain — CN.
- Aliases (SANs) — additional domains/subdomains, one per line.
- Wildcard — *.domain (works with DNS-01 and “Allow wildcard” enabled in the CA profile).
- Email (contact) — certificate contact (may differ from ACME account email, if present).
- Organization / Organizational Unit / Country / State / Locality — subject fields (as required by policy).

CA / Crypto / Metadata

- Certificate Authority — selected profile (read-only once active).
- Module = PUQ ACME — issuance module.
- Key Size, Signature Algorithm — set/visible after CSR/issuance.
- Issued At / Expires At / CSR Valid From / Renewed At — lifecycle timestamps.
- Issuer — e.g., Let’s Encrypt / Let’s Encrypt Staging.
- Serial Number (DEC/HEX), Fingerprints (MD5/SHA1/SHA256) — identifiers.
- Certificate PEM / Private Key PEM / CSR PEM — PEM blocks.

Actions

- Generate CSR — create CSR + private key (mandatory before issuance).
- Change Status — service actions.
- Save — persist form changes (no CA interaction).

In Draft, the upper part of the left column is editable; after issuance, many fields become read-only.

Workflow: statuses & transitions

Draft

- Edit primary fields (domain, SANs, email, ToS, auto-renew threshold).
- Save only stores data; no key/CSR is created.

Generate CSR

- Creates CSR and Private Key (encrypted; visible only on this page).
- Crypto fields/PEM blocks appear.

Pending (CNAME → tech zone)

- The panel displays the exact CNAME instruction for _acme-challenge. → into your tech zone.
- As soon as the CNAME resolves, the panel continues issuance (DNS-01).

Active

- Certificate is issued; Certificate PEM is available; a success panel shows “Certificate is active!”.
- Days Remaining and Auto Renew operate; crypto/metadata are filled.

Expired / Error / Revoked

- Expired — reissue/renew required.
- Error — check logs/CA setup/DNS path.
- Revoked — revoked per CA policy.

Auto-renewal

- Controlled by Auto Renew Days (e.g., 7).
- The panel tracks Days Remaining and triggers renewal ahead of expiry.
- For LE/ZeroSSL via DNS-01, ensure your CNAME and tech zone remain intact.

Importing an existing certificate (if used)

1. Open SSL Certificates → + Import (or equivalent).
2. Paste CRT / Private Key / CA Bundle in PEM.
3. Save and verify validity/expiry.
4. Configure Auto Renew manually if needed (imports are usually not tied to ACME).

Key security

- The private key is created at Generate CSR, encrypted in the database, and never shown outside this certificate page.
- Visibility follows your role-based access.
- Export a secure copy and store it in your organization’s secret vault.

Troubleshooting

| Symptom | Likely cause | Fix |
|---|---|---|
| Stuck in Pending | CNAME not resolving / wrong target | Verify _acme-challenge. name and target in tech zone; wait for TTL. |
| Issuance doesn’t start | CSR not generated | Click Generate CSR, then follow CNAME steps. |
| No “Certificate is active!” after CNAME | DCV incomplete / CA error | Check logs; ensure the tech zone is publicly resolvable. |
| Auto-renew doesn’t trigger | Bad Auto Renew Days or broken CNAME | Use a sensible threshold (e.g., 7) and verify CNAME/tech zone. |
| PEM mismatch on import | Key/cert pair doesn’t match | Import the correct pair or reissue. |

Related

- Certificate Authorities — profiles, tech zone, TTL, EAB.
- DNS Manager — manage your tech zone and verify _acme-challenge resolution.
- Notifications — expiry and operational alerts.
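
The following is an added example, not part of the PUQcloud documentation or panel code. It checks a certificate/key pair before the import steps above and covers the "PEM mismatch on import" row: it compares the public key in the certificate with the one derived from the private key, then tests expiry against an Auto Renew Days threshold. It assumes the openssl CLI is installed; the function names, file names and self-signed sample certificates are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-import checks for a certificate / private-key pair.
# Assumes the openssl CLI; function and file names are illustrative.

# Succeeds only when the certificate and the private key share a public key.
# Compares public keys only, so no private key material is printed.
pair_matches() {  # pair_matches <cert.pem> <key.pem>
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate expires within <days> days or has expired.
in_renew_window() {  # in_renew_window <cert.pem> <days>
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Prints MISMATCH, MATCH_RENEW_DUE or MATCH_OK for a pair about to be imported.
preimport_check() {  # preimport_check <cert.pem> <key.pem> <auto-renew-days>
  pair_matches "$1" "$2" || { echo "MISMATCH"; return 1; }
  if in_renew_window "$1" "$3"; then echo "MATCH_RENEW_DUE"; else echo "MATCH_OK"; fi
}

# Constructed sample: self-signed certificate + key valid for <days> days.
make_sample() {  # make_sample <dir> <name> <days>
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
    -out "$1/$2.crt" -days "$3" -subj "/CN=$2.example.test" 2>/dev/null
}

demo() {
  local d
  d=$(mktemp -d)
  make_sample "$d" a 90 && make_sample "$d" b 5
  preimport_check "$d/a.crt" "$d/a.key" 7   # MATCH_OK
  preimport_check "$d/b.crt" "$d/b.key" 7   # MATCH_RENEW_DUE
  preimport_check "$d/a.crt" "$d/b.key" 7   # MISMATCH
  rm -rf "$d"
}
demo
```

The sample keys are unencrypted; for a passphrase-protected key, openssl prompts for the passphrase when reading it.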