Free tier quickstart
Your first cert in 60 seconds. Free. No credit card. 25 certs total, TTLs 1h / 1d / 7d / 14d / 30d.
Who this is for
Platform engineers, DevOps engineers, security tooling builders, homelab operators, and anyone who needs a real CA for CI/CD, integration tests, pen tests, staging environments, internal services, or conference demos. If you want a private CA that enforces expiry hygiene rather than relying on your team to remember to rotate, you’re in the right place.
Prerequisites
- openssl (any 1.1+ or 3.x)
- curl and jq
- A Google account on the pre-launch SSO allowlist (this is temporary; open signup ships at T0)
1. Sign up
Open https://mint.stackrunner.dev and click Sign up with Google.
Pick a handle (3–32 chars, [a-z0-9-], can’t start with a digit). The
dashboard shows your bearer token once — copy it now; we don’t
store the plaintext.
```bash
export STACKRUNNER_BEARER='<your-43-char-bearer-from-the-claim-modal>'
export STACKRUNNER_HANDLE=your-handle
```
2. Make a keypair + CSR
```bash
openssl ecparam -name prime256v1 -genkey -noout -out leaf.key
openssl req -new -key leaf.key -out leaf.csr \
  -subj "/CN=${STACKRUNNER_HANDLE}.leaf.example" \
  -addext "subjectAltName = DNS:${STACKRUNNER_HANDLE}.leaf.example, DNS:hello.lan"
```
We only accept P-256 (prime256v1). RSA and Ed25519 are intentionally
not supported at Free tier — covered at Dev.
3. Mint the cert
```bash
# Write the response to /tmp/response.json so the cert can be extracted from it afterwards.
curl -sS -X POST \
  -H "Authorization: Bearer ${STACKRUNNER_BEARER}" \
  -H "Content-Type: application/json" \
  -d @- \
  -o /tmp/response.json \
  https://mint.stackrunner.dev/v1/free/ <<EOF
{
  "version": "v1",
  "csr_pem": $(jq -Rs . < leaf.csr),
  "ttl": "7d"
}
EOF
```
Allowed TTLs: 1h, 1d, 7d, 14d, 30d (any mix; 25 certs total
across the lifetime of the pack — you can spend the full 25 on a
single TTL bucket if you want).
Response shape on success:
```json
{
  "version": "v1",
  "cert_pem": "-----BEGIN CERTIFICATE-----\n…",
  "serial": "ec1b7cc69f1911ceac4d69a013f2e7f99d4cfbf",
  "fingerprint": "b38f2fce3427bd4b…",
  "issued_at": "2026-05-19T00:02:03Z",
  "expires_at": "2026-05-26T00:03:03Z"
}
```
Save the cert:
```bash
jq -r .cert_pem > leaf.cert.pem < /tmp/response.json
```
4. Verify the chain
The shared trust artifacts are at pki.stackrunner.dev/ca/.
```bash
curl -sS https://pki.stackrunner.dev/ca/intermediate-free.pem > intermediate.pem
curl -sS https://pki.stackrunner.dev/ca/root.pem > root.pem
openssl verify -CAfile root.pem -untrusted intermediate.pem leaf.cert.pem
# expected: leaf.cert.pem: OK
```
That’s it — you have a real X.509 cert signed by a CA whose private keys live in Google Cloud KMS, with a defined expiry, ready to drop into your dev stack.
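Chain verification shows the cert was signed by the shared CA; it does not show that the cert binds your own key or carries the TTL you asked for. The script below is an added example, not Stackrunner's code: the function names are hypothetical, and a self-signed 7-day cert is constructed as a stand-in for the minted leaf so it runs offline.

```bash
#!/usr/bin/env bash
# Added example (not Stackrunner code); function names are hypothetical.

# 0 if the cert carries the public key that belongs to the private key.
cert_matches_key() {  # usage: cert_matches_key leaf.key leaf.cert.pem
  local key_pub cert_pub
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ "$key_pub" = "$cert_pub" ]
}

# 0 if the cert's key is on P-256 (prime256v1), the only curve accepted here.
cert_is_p256() {  # usage: cert_is_p256 leaf.cert.pem
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'ASN1 OID: prime256v1'
}

# 0 if the cert is valid now and expires no later than TTL seconds (+ slack).
# Slack defaults to 300 s; the sample response above runs 60 s past 7d.
cert_within_ttl() {  # usage: cert_within_ttl leaf.cert.pem 604800 [slack]
  local ttl=$2 slack=${3:-300}
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 1
  # -checkend exits 0 when the cert is still valid after the window: too long.
  ! openssl x509 -in "$1" -noout -checkend $((ttl + slack)) >/dev/null 2>&1
}

# Run all three checks and report the first failure.
verify_leaf() {  # usage: verify_leaf leaf.key leaf.cert.pem TTL_SECONDS
  cert_matches_key "$1" "$2" || { echo "FAIL: cert does not match key" >&2; return 1; }
  cert_is_p256 "$2"          || { echo "FAIL: key is not P-256" >&2; return 1; }
  cert_within_ttl "$2" "$3"  || { echo "FAIL: expired or outlives TTL" >&2; return 1; }
  echo "OK: $2"
}

# Constructed sample: self-signed 7-day cert standing in for the minted leaf.
make_sample() {  # usage: make_sample DIR
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/leaf.key" &&
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/other.key" &&
  openssl req -x509 -new -key "$1/leaf.key" -days 7 \
    -subj "/CN=demo.leaf.example" -out "$1/leaf.cert.pem" 2>/dev/null
}

# Demo on the constructed sample (7d = 604800 s).
tmp=$(mktemp -d) && make_sample "$tmp" &&
  verify_leaf "$tmp/leaf.key" "$tmp/leaf.cert.pem" 604800
rm -rf "$tmp"
```

Against the real artifacts from the steps above, the call is `verify_leaf leaf.key leaf.cert.pem 604800` for a 7d cert.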
Common errors
| HTTP | code | what it means |
|---|---|---|
| 401 | no_bearer | Authorization: Bearer … header missing |
| 401 | bad_token | bearer doesn’t match KV — typo or stale |
| 400 | bad_ttl | TTL must be one of 1h/1d/7d/14d/30d |
| 400 | missing_csr | empty csr_pem or unparseable |
| 402 | quota_exhausted | hit the 25-certs-total ceiling — buy a Mint Pack |
| 402 | ttl_quota_exhausted | hit the per-TTL 25-cert ceiling — same as the monthly cap, so in practice you’ll see quota_exhausted first |
| 429 | rate_limited | >5 certs/min on this handle |
| 503 | free_tier_disabled | Free-tier mint kill-switch is on (current state) |
What’s next
- Mint Pack — 25 more certs, any TTL 1h–90d. Same shared CA, same bearer flow. Buy from your dashboard.
- Dev tier — your own dedicated CA, 5,000 certs/mo, batch minting, mTLS-friendly birth cert. See Dev tier quickstart.
Help
- Email: [email protected]
- Status: https://status.stackrunner.dev