Ignisfox
Integration

CA providers

CA provider integrations pull already-issued certificates from paid certificate authorities (GoDaddy, Sectigo, DigiCert) into your Ignisfox vault. Saves you from manually downloading + uploading every time a cert reissues.

Requires Starter or higher. Free tier doesn't include CA providers.

Supported CAs

  • GoDaddy — API-based pull. Uses the Customers API v1 + v2 endpoints.
  • GoDaddy (bookmarklet path) — for certificates that only appear in the customer dashboard's internal BFF. Cookie-auth via your browser.
  • Sectigo, DigiCert — on the roadmap. Email support if you need them now; we can accelerate with a customer signal.

GoDaddy — API credentials

  1. Sign in to the GoDaddy Developer Portal at developer.godaddy.com. Generate an API key + secret with production-environment access.
  2. Find your customer ID from the account settings (format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).
  3. In Ignisfox, go to /dashboard/ca-providers Add provider → pick GoDaddy, paste the key + secret + customer ID. The credentials are sealed with your tenant DEK before hitting the database.
  4. Hit Sync all active or do targeted pulls via Pull by ID. Pulled certs land in the vault and (optionally) in a cert group you assign.

GoDaddy — bookmarklet path

The public v2 /certificates endpoint returns at most 100 rows oldest-first. If your account has many expired / revoked certs, your newer ISSUED certs won't appear. The internal dashboard BFF (bff.pcx.godaddy.com) has no such cap — but it's cookie-authenticated, meaning we can't call it server-side.

Workaround: a bookmarklet. Flow:

  1. Go to your CA provider row → Bookmarklet.
  2. Drag the orange button into your bookmarks bar.
  3. Visit the GoDaddy certificate dashboard (dcc.godaddy.com) signed in.
  4. Click the bookmarklet. It fetches your full cert list from the internal BFF using your browser's cookies and POSTs the cert IDs to our /api/ca-ingest/<token> endpoint.
  5. Ignisfox then pulls each cert via the public API and inserts them into your vault.

What happens on re-issue

When you pull a cert whose CN already exists in your vault under the same CA provider, we mark the new cert as inheriting the previous cert's group. That way any push targets bound to that group auto-deploy the renewed cert on their next tick (if scheduled push is enabled) without you touching anything.

Rate limits + caps

  • 40 certs per bulk sync — keeps the sync function under Vercel's 60s ceiling.
  • 2 CA providers on Starter, 10 on Team, unlimited on Enterprise.
  • GoDaddy's own API rate limits apply upstream. We don't proxy them — burst too hard and you'll get 429s back.