+        if ($path eq '/api/hosts/certificate') {

+            my $payload = request_payload(\%headers, $body);

+            return set_host_certificate($client, $payload);

+        }

+        if ($path eq '/api/hosts/issue-certificate') {

+            my $payload = request_payload(\%headers, $body);

+            return issue_host_certificate($client, $payload);

+        }

+    my %host_tls = host_tls_payloads($dbh);

+    my @hosts = map { host_payload($_, $host_tls{ canonical_host_fqdn($_) }) } @{ $registry->{hosts} };

+sub host_tls_payloads {

+    my ($dbh) = @_;

+    my %rows;

+    my $sth = $dbh->prepare(<<'SQL');

+SELECT

+    ht.host_fqdn,

+    ht.certificate_id,

+    c.common_name,

+    c.not_after,

+    c.fingerprint_sha256,

+    c.status AS certificate_status

+FROM host_tls ht

+LEFT JOIN certificates c ON c.certificate_id = ht.certificate_id

+ORDER BY ht.host_fqdn

+SQL

+    $sth->execute;

+    while (my $row = $sth->fetchrow_hashref) {

+        my $host_fqdn = clean_scalar($row->{host_fqdn} || '');

+        next unless length $host_fqdn;

+        my $cert_id = clean_scalar($row->{certificate_id} || '');

+        my %payload = (

+            certificate_id => $cert_id,

+        );

+        if (length $cert_id) {

+            $payload{certificate} = {

+                id => $cert_id,

+                name => $cert_id,

+                common_name => clean_scalar($row->{common_name} || ''),

+                status => clean_scalar($row->{certificate_status} || ''),

+                not_after => clean_scalar($row->{not_after} || ''),

+                fingerprint_sha256 => clean_scalar($row->{fingerprint_sha256} || ''),

+                has_private_key => json_bool(ca_private_key_exists($cert_id)),

+            };

+        }

+        $rows{$host_fqdn} = \%payload;

+    }

+    return %rows;

+}

+

+sub set_host_certificate {

+    my ($client, $payload) = @_;

+    my $host_fqdn = normalize_dns_name($payload->{host_fqdn} || $payload->{fqdn} || '');

+    my $raw_certificate_id = clean_scalar($payload->{certificate_id} || $payload->{cert_id} || '');

+    my $certificate_id = clean_certificate_id($raw_certificate_id);

+    return send_json($client, 400, { error => 'invalid_host' }) unless $host_fqdn;

+    return send_json($client, 400, { error => 'invalid_certificate' })

+        if length($raw_certificate_id) && !length($certificate_id);

+

+    my $dbh = dbh();

+    return send_json($client, 404, { error => 'host_not_found' })

+        unless db_scalar($dbh, "SELECT COUNT(*) FROM hosts WHERE fqdn = ? AND status = 'active'", $host_fqdn);

+    if (length $certificate_id) {

+        return send_json($client, 400, { error => 'invalid_certificate' })

+            unless db_scalar($dbh, "SELECT COUNT(*) FROM certificates WHERE certificate_id = ? AND status <> 'retired'", $certificate_id);

+    }

+

+    my $now = iso_now();

+    with_transaction($dbh, sub {

+        upsert_host_tls_row($dbh, $host_fqdn, $certificate_id, $now);

+        set_schema_meta($dbh, 'registry_updated_at', $now);

+    });

+    return send_json($client, 200, { ok => json_bool(1), host_fqdn => $host_fqdn, certificate_id => $certificate_id });

+}

+

+sub issue_host_certificate {

+    my ($client, $payload) = @_;

+    my $host_fqdn = normalize_dns_name($payload->{host_fqdn} || $payload->{fqdn} || '');

+    return send_json($client, 400, { error => 'invalid_host' }) unless $host_fqdn;

+

+    my $registry = load_registry();

+    my ($host) = grep { canonical_host_fqdn($_) eq $host_fqdn } @{ $registry->{hosts} || [] };

+    return send_json($client, 404, { error => 'host_not_found' }) unless $host;

+

+    my @dns_names = unique_preserve(grep { length $_ } (

+        $host_fqdn,

+        declared_alias_names($host),

+        derived_alias_names($host),

+    ));

+    my $certificate_id = clean_certificate_id($host_fqdn . '-' . strftime('%Y%m%d%H%M%S', localtime));

+    my $dbh = dbh();

+    my $issued = eval {

+        ca_manager_output('issue', $certificate_id, @dns_names);

+        ca_manager_json('list-json');

+        with_transaction($dbh, sub {

+            my $now = iso_now();

+            upsert_host_tls_row($dbh, $host_fqdn, $certificate_id, $now);

+            set_schema_meta($dbh, 'registry_updated_at', $now);

+        });

+        1;

+    };

+    if (!$issued) {

+        return send_json($client, 409, { error => 'certificate_issue_failed', detail => clean_scalar($@ || '') });

+    }

+

+    my ($cert) = grep { ($_->{id} || '') eq $certificate_id } certificate_payloads($dbh);

+    return send_json($client, 200, {

+        ok => json_bool(1),

+        host_fqdn => $host_fqdn,

+        certificate_id => $certificate_id,

+        certificate => $cert || { id => $certificate_id, name => $certificate_id, dns_names => \@dns_names },

+    });

+}

+

+    my ($host, $tls) = @_;

+    $copy{certificate_id} = clean_scalar($tls->{certificate_id} || '');

+    $copy{certificate} = $tls->{certificate} if $tls && ref($tls->{certificate}) eq 'HASH';

+SQL

+    $dbh->do(<<'SQL');

+CREATE TABLE IF NOT EXISTS host_tls (

+    host_fqdn TEXT PRIMARY KEY,

+    tls_mode TEXT NOT NULL DEFAULT 'local-ca',

+    certificate_id TEXT,

+    notes TEXT NOT NULL DEFAULT '',

+    created_at TEXT NOT NULL,

+    updated_at TEXT NOT NULL,

+    FOREIGN KEY (host_fqdn) REFERENCES hosts(fqdn) ON UPDATE CASCADE ON DELETE CASCADE,

+    FOREIGN KEY (certificate_id) REFERENCES certificates(certificate_id) ON UPDATE CASCADE ON DELETE SET NULL

+)

+SQL

+    $dbh->do(<<'SQL');

+CREATE INDEX IF NOT EXISTS idx_host_tls_certificate

+ON host_tls(certificate_id)

+sub upsert_host_tls_row {

+    my ($dbh, $host_fqdn, $certificate_id, $now) = @_;

+    $certificate_id = clean_certificate_id($certificate_id || '');

+    $dbh->do(

+        'INSERT INTO host_tls (host_fqdn, tls_mode, certificate_id, notes, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?) '

+        . 'ON CONFLICT(host_fqdn) DO UPDATE SET tls_mode = excluded.tls_mode, certificate_id = excluded.certificate_id, updated_at = excluded.updated_at',

+        undef,

+        $host_fqdn,

+        length($certificate_id) ? 'local-ca' : 'none',

+        length($certificate_id) ? $certificate_id : undef,

+        '',

+        $now,

+        $now,

+    );

+}

+

+    .host-alias-cell { display: grid; gap: 5px; min-width: 0; }

+    .host-alias-list { display: flex; flex-wrap: wrap; gap: 4px; align-items: flex-start; }

+    .host-alias-pill { display: inline-flex; align-items: center; gap: 4px; min-width: 0; margin: 0; }

+    .host-alias-label { min-width: 0; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }

+    .host-alias-remove, .host-alias-add { min-height: 28px; padding: 3px 7px; font-size: 12px; }

+    .host-alias-remove { min-height: 0; padding: 0; border: 0; background: transparent; color: var(--bad); }

+    .host-alias-remove:hover { background: transparent; }

+    .host-cert-cell { min-width: 0; }

+                  <th>Aliases</th>

+                  <th style="width: 260px">Certificate</th>

+        <label>Legacy ID<input name="id" required></label>

+        .sort((a, b) => String(a.fqdn || a.id || '').localeCompare(String(b.fqdn || b.id || '')))

+          return `<tr data-id="${escapeHtml(h.id)}" data-host-fqdn="${escapeHtml(h.fqdn || '')}">

+            <td>${renderHostAliasCell(h)}</td>

+            <td class="host-cert-cell">${renderHostCertificateCell(h)}</td>

+      document.querySelectorAll('[data-host-alias-add]').forEach(button => button.addEventListener('click', () => {

+        addHostAlias(button.dataset.hostAliasAdd || '').catch(e => {

+          if (!isAuthLost(e)) msg(e.message);

+        });

+      }));

+      document.querySelectorAll('[data-host-alias-remove]').forEach(button => button.addEventListener('click', () => {

+        removeHostAlias(button.dataset.hostAliasRemove || '', button.dataset.hostAliasName || '').catch(e => {

+          if (!isAuthLost(e)) msg(e.message);

+        });

+      }));

+      document.querySelectorAll('[data-host-cert-select]').forEach(select => {

+        select.addEventListener('change', () => {

+          setHostCertificateFromSelect(select).catch(e => {

+            if (!isAuthLost(e)) msg(e.message);

+            select.value = select.dataset.currentCertificate || '';

+          });

+        });

+      });

+      document.querySelectorAll('[data-host-cert-issue]').forEach(button => {

+        button.addEventListener('click', () => {

+          issueHostCertificate(button.dataset.hostCertIssue || '', button.dataset.currentCertificate || '', button).catch(e => {

+            if (!isAuthLost(e)) msg(e.message);

+          });

+        });

+      });

+    function renderHostAliasCell(host) {

+      const canonical = host.fqdn ? `<span class="pill canonical host-alias-pill"><span class="host-alias-label">${escapeHtml(host.fqdn)}</span></span>` : '';

+      const aliases = (host.aliases || []).map(name => `<span class="pill host-alias-pill">

+        <span class="host-alias-label">${escapeHtml(name)}</span>

+        <button type="button" class="host-alias-remove" data-host-alias-remove="${escapeHtml(host.fqdn || '')}" data-host-alias-name="${escapeHtml(name)}" title="Delete ${escapeHtml(name)}">x</button>

+      </span>`).join('');

+      const derivedAliases = (host.derived_aliases || []).map(name => `<span class="pill derived host-alias-pill" title="derived alias">

+        <span class="host-alias-label">${escapeHtml(name)}</span>

+      </span>`).join('');

+      return `<div class="host-alias-cell">

+        <div class="host-alias-list">${canonical}${aliases}${derivedAliases}<button type="button" class="host-alias-add" data-host-alias-add="${escapeHtml(host.fqdn || '')}" title="Add alias">+</button></div>

+      </div>`;

+    }

+

+    function renderHostCertificateCell(host) {

+      const cert = host.certificate || {};

+      const certId = host.certificate_id || certId(cert) || '';

+      const row = hostCertificateRow(host);

+      const links = certId ? `<div class="vhost-cert-links">

+        <a class="linkbtn" href="/download/ca/cert/${encodeURIComponent(certId)}.crt">crt</a>

+        ${cert.has_private_key ? `<a class="linkbtn" href="/download/ca/key/${encodeURIComponent(certId)}.key">key</a>` : ''}

+      </div>` : '';

+      const validity = cert.not_after ? `<span class="muted vhost-cert-validity">${escapeHtml(certStatusLabel(daysUntil(cert.not_after)))}</span>` : '';

+      return `<div class="vhost-cert">

+        <div class="vhost-cert-main">

+          <select class="vhost-cert-select" data-host-cert-select="${escapeHtml(host.fqdn || '')}" data-current-certificate="${escapeHtml(certId)}">

+            ${renderCertificateOptions(certId, row)}

+          </select>

+          <button type="button" data-host-cert-issue="${escapeHtml(host.fqdn || '')}" data-current-certificate="${escapeHtml(certId)}">Issue</button>

+        </div>

+        <div class="vhost-cert-meta">${links}${validity}</div>

+      </div>`;

+    }

+

+    function hostCertificateRow(host) {

+      return {

+        host_fqdn: host.fqdn || '',

+        aliases: Array.isArray(host.aliases) ? host.aliases : [],

+        derived_aliases: Array.isArray(host.derived_aliases) ? host.derived_aliases : [],

+        certificate_id: host.certificate_id || '',

+        certificate: host.certificate || null,

+      };

+      const host = String(row.host_fqdn || row.fqdn || '').toLowerCase();

+      const aliasNames = []

+        .concat(Array.isArray(row.aliases) ? row.aliases : [])

+        .concat(Array.isArray(row.derived_aliases) ? row.derived_aliases : [])

+        .map(name => String(name || '').toLowerCase())

+        .filter(Boolean);

+      if (vhost) {

+        if (names.has(vhost) || commonName === vhost || id.startsWith(vhost + '-')) return 0;

+        if (host && (names.has(host) || commonName === host || String(cert.host_fqdn || '').toLowerCase() === host || id.startsWith(host + '-'))) return 1;

+        if ((vhostShort && names.has(vhostShort)) || aliasNames.some(name => names.has(name) || commonName === name || id.startsWith(name + '-'))) return 2;

+        return 9;

+      }

+      if (host && (names.has(host) || commonName === host || String(cert.host_fqdn || '').toLowerCase() === host || id.startsWith(host + '-'))) return 0;

+      if (aliasNames.some(name => names.has(name) || commonName === name || id.startsWith(name + '-'))) return 1;

+      if (row && row.vhost) {

+        if (relevance === 0) return `vhost${timestamp ? ' ' + timestamp[1] : ''}${suffix}`;

+        if (relevance === 1) return `host${timestamp ? ' ' + timestamp[1] : ''}${suffix}`;

+        if (relevance === 2) return `alias${timestamp ? ' ' + timestamp[1] : ''}${suffix}`;

+      } else {

+        if (relevance === 0) return `host${timestamp ? ' ' + timestamp[1] : ''}${suffix}`;

+        if (relevance === 1) return `alias${timestamp ? ' ' + timestamp[1] : ''}${suffix}`;

+      }

+    function hostByFqdn(fqdn) {

+      fqdn = String(fqdn || '').toLowerCase();

+      return state.hosts.find(host => String(host.fqdn || '').toLowerCase() === fqdn) || null;

+    }

+

+    function hostUpsertPayload(host, overrides = {}) {

+      const aliases = overrides.aliases !== undefined ? overrides.aliases : (host.aliases || []);

+      const payload = {

+        id: host.id || '',

+        fqdn: host.fqdn || '',

+        status: overrides.status !== undefined ? overrides.status : (host.status || 'active'),

+        ip: overrides.ip !== undefined ? overrides.ip : (host.ip || ''),

+        aliases,

+        roles: Array.isArray(overrides.roles) ? overrides.roles : (host.roles || []),

+        sources: Array.isArray(overrides.sources) ? overrides.sources : (host.sources || []),

+        monitoring: overrides.monitoring !== undefined ? overrides.monitoring : (host.monitoring || 'pending'),

+        notes: overrides.notes !== undefined ? overrides.notes : (host.notes || ''),

+      };

+      if (overrides.vhosts !== undefined) payload.vhosts = overrides.vhosts;

+      return payload;

+    }

+

+    async function addHostAlias(hostFqdn) {

+      if (!await ensureAuthenticated('Autentifica-te inainte de salvare.')) return;

+      const host = hostByFqdn(hostFqdn);

+      if (!host) return;

+      const alias = String(prompt(`Alias nou pentru ${host.fqdn}`, '') || '').trim().toLowerCase();

+      if (!alias) return;

+      if (alias === String(host.fqdn || '').toLowerCase()) {

+        msg('fqdn-ul hostului este deja prezent');

+        return;

+      }

+      const aliases = Array.from(new Set([...(host.aliases || []), alias]));

+      await api('/api/hosts/upsert', {

+        method: 'POST',

+        headers: { 'Content-Type': 'application/json' },

+        body: JSON.stringify(hostUpsertPayload(host, { aliases })),

+      });

+      msg(`alias ${alias} adaugat pe ${host.fqdn}`);

+      await refresh();

+    }

+

+    async function removeHostAlias(hostFqdn, alias) {

+      if (!await ensureAuthenticated('Autentifica-te inainte de stergere.')) return;

+      const host = hostByFqdn(hostFqdn);

+      alias = String(alias || '').trim().toLowerCase();

+      if (!host || !alias) return;

+      if (!confirm(`Sterg aliasul ${alias} de pe ${host.fqdn}?`)) return;

+      const aliases = (host.aliases || []).filter(name => String(name || '').toLowerCase() !== alias);

+      await api('/api/hosts/upsert', {

+        method: 'POST',

+        headers: { 'Content-Type': 'application/json' },

+        body: JSON.stringify(hostUpsertPayload(host, { aliases })),

+      });

+      msg(`alias ${alias} sters de pe ${host.fqdn}`);

+      await refresh();

+    }

+

+    async function setHostCertificateFromSelect(select) {

+      if (!await ensureAuthenticated('Autentifica-te inainte de salvare.')) {

+        select.value = select.dataset.currentCertificate || '';

+        return;

+      }

+      const hostFqdn = select.dataset.hostCertSelect || '';

+      const certificateId = select.value || '';

+      const current = select.dataset.currentCertificate || '';

+      if (!hostFqdn || certificateId === current) return;

+      if (!certificateId && current && !confirm(`Sterg asocierea certificatului de pe ${hostFqdn}?`)) {

+        select.value = current;

+        return;

+      }

+      select.disabled = true;

+      try {

+        await api('/api/hosts/certificate', {

+          method: 'POST',

+          headers: { 'Content-Type': 'application/json' },

+          body: JSON.stringify({ host_fqdn: hostFqdn, certificate_id: certificateId }),

+        });

+        msg(certificateId ? `certificatul ${certificateId} asociat cu ${hostFqdn}` : `certificatul scos de pe ${hostFqdn}`);

+        await refresh();

+      } finally {

+        select.disabled = false;

+      }

+    }

+

+    async function issueHostCertificate(hostFqdn, currentCertificateId, button) {

+      if (!await ensureAuthenticated('Autentifica-te inainte de emitere.')) return;

+      if (!hostFqdn) return;

+      if (currentCertificateId && !confirm(`Emitem un certificat nou pentru ${hostFqdn} si inlocuim asocierea curenta?`)) return;

+      if (button) button.disabled = true;

+      try {

+        const result = await api('/api/hosts/issue-certificate', {

+          method: 'POST',

+          headers: { 'Content-Type': 'application/json' },

+          body: JSON.stringify({ host_fqdn: hostFqdn }),

+        });

+        msg(`certificatul ${result.certificate_id || ''} emis pentru ${hostFqdn}`);

+        await refresh();

+      } finally {

+        if (button) button.disabled = false;

+      }

+    }

+

+      activateHostForm(`Edit host ${host.fqdn || host.id || ''}`.trim(), 'edit', id, 'fqdn');

+          activateHostForm(`Edit host ${host.fqdn || host.id || ''}`.trim(), 'edit', host.id || '', 'fqdn', false);