Wildcards that
renew themselves.
ACME automation, dual-CA failback, mTLS client certs, and CT log watching -- all from a single API surface.
Seven steps.
Zero clicks.
Request a certificate via API. Relays handles ACME negotiation, DNS-01 challenge creation, validation polling, and renewal scheduling -- all atomically.
Challenge created.
Challenge cleaned.
Because Relays owns your DNS, the DNS-01 challenge record is created, propagated, validated, and removed -- without leaving stale TXT records behind.
One CA down?
Next CA up.
If Let's Encrypt rate-limits or suffers an outage, Relays automatically falls back to ZeroSSL within the same ACME pipeline. No config change. No alert fatigue.
| CA | Role | Status | Avg Issuance | Uptime |
|---|---|---|---|---|
| Let's Encrypt | primary | healthy | 3.2s | 99.8% |
| ZeroSSL | failback | healthy | 4.1s | 99.6% |
| Buypass Go | tertiary | standby | 5.8s | 98.2% |
Client certificates.
For machines.
Issue short-lived mTLS client certs for service-to-service auth. OCSP stapling, CRL distribution, and one-click revocation included.
Every issuance.
Watched.
Relays monitors Certificate Transparency logs for every domain you manage. If an unexpected CA issues a cert for your domain, you get alerted within minutes.
| Timestamp | Issuer | Subject | Verdict |
|---|---|---|---|
| 2026-04-11 07:12:03 | Let's Encrypt | *.example.com | expected |
| 2026-04-11 07:12:04 | Let's Encrypt | example.com | expected |
| 2026-04-11 09:44:18 | Unknown CA | admin.example.com | ALERT |
| 2026-04-11 11:30:00 | ZeroSSL | staging.example.com | expected |