Certificates
Portal's own TLS certificate, external watchlist, and CSR generation.
Three sections on this page
- Portal cert — the cert Nginx presents. Shows issuer, SANs, expiry, renewal method (Let's Encrypt / Cloudflare Origin / self-signed).
- Watchlist — external certs you want monitored. Each entry is polled on the schedule in Admin → Updates; alerts fire at 30/14/7 days remaining.
- CSR generator — produces a private key + certificate signing request you can hand to a CA. Supported key types: ecdsa_p256, ecdsa_p384, rsa2048, rsa3072, rsa4096, ed25519.
Watchlist entries
Add a host and port, and optionally a friendly label. Meridian opens a TLS connection, pulls the leaf cert, and stores its fingerprint, issuer, and expiry. On refresh it re-pulls the cert and flags a "fingerprint changed" banner when the cert has rotated (useful for detecting unannounced deploys).
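The refresh check described above can be sketched as follows. This is an added example, not Meridian's own code: the names `pull_leaf`, `refresh` and `crossed_threshold` are hypothetical, the fingerprint is assumed to be SHA-256 over the DER-encoded leaf, and the alert is assumed to report the tightest of the 30/14/7-day thresholds already crossed.

```python
import hashlib
import socket
import ssl
from datetime import datetime, timedelta, timezone

THRESHOLDS = (30, 14, 7)  # alert points in days remaining, as stated on this page


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded leaf certificate, hex encoded (assumed scheme)."""
    return hashlib.sha256(der).hexdigest()


def pull_leaf(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect and return the fields a watchlist entry stores.
    Assumption: default trust store; a cert that fails validation raises instead."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()
    expiry = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(info["notAfter"]), tz=timezone.utc)
    issuer = ", ".join(f"{k}={v}" for rdn in info["issuer"] for k, v in rdn)
    return {"fingerprint": fingerprint(der), "issuer": issuer, "not_after": expiry}


def crossed_threshold(days_left: int):
    """Tightest alert threshold already crossed, or None when above all of them."""
    hit = [t for t in THRESHOLDS if days_left <= t]
    return min(hit) if hit else None


def refresh(stored: dict, fresh: dict, now: datetime) -> dict:
    """Compare the stored entry with a fresh pull: rotation flag plus expiry state."""
    days_left = (fresh["not_after"] - now).days
    return {
        "fingerprint_changed": stored["fingerprint"] != fresh["fingerprint"],
        "days_left": days_left,
        "alert_threshold": crossed_threshold(days_left),
    }


if __name__ == "__main__":
    # Constructed sample: byte strings stand in for DER so the demo runs offline.
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    old = {"fingerprint": fingerprint(b"constructed-leaf-v1"), "not_after": now + timedelta(days=40)}
    new = {"fingerprint": fingerprint(b"constructed-leaf-v2"), "not_after": now + timedelta(days=10)}
    print(refresh(old, new, now))
```

Because `pull_leaf` validates the chain, it cannot read self-signed or already-expired certs; monitoring those needs an unverified connection and a DER parser outside the standard library.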
Gotchas
- Self-signed portals show "no letsencrypt cert (self-signed portal?)" in System Health — that's an informational warn, not a failure.
- CSR generation is local-only; the private key is stored in the vault (AES-256-GCM). Download the PEM once — you can't re-export it later.