CertKit - Certificate Management

@certkit.io

CertKit SSL Certificate Management automates the discovery, renewal, distribution, and monitoring of server Certificates. Learn more at https://www.certkit.io/

14 Followers · 11 Following · 31 Posts · Joined 29.08.2025

Latest posts by CertKit - Certificate Management @certkit.io

User management, MFA, SSO, and weekly summaries are live
CertKit now supports team accounts with role-based access, multi-factor authentication, SAML single sign-on, and a weekly email digest. Here's what shipped and why it matters.

Certificate management has always been a one-person job. Until something breaks, everyone ignores it. Until that one person leaves.

CertKit now supports team access: roles, SAML SSO, MFA, and a weekly email digest.

www.certkit.io/blog/user-ma... #CertKit #PKI

04.03.2026 16:40 👍 1 🔁 0 💬 0 📌 1

How CertKit Works - Automated SSL Certificate Management
CertKit automates your entire certificate lifecycle. Issue certificates via ACME, deploy them with the CertKit Agent, and verify everything with real TLS checks. No open ports, no ACME on your servers...

How does CertKit work?

www.certkit.io/how-it-works

02.03.2026 15:38 👍 1 🔁 0 💬 0 📌 0

Last call on 398-day certificates
The bar closes March 15. After that, no CA can serve you a 398-day certificate. If you're still managing commercial SSL certs manually, you have two weeks to grab one last round of full-year runway be...

March 15 is the last day to issue a certificate with ~1 year of validity. After that, 200-day max. Then 100 in 2027. Then 47 in 2029.

Renew now and you set your own automation schedule. Wait, and the CA/B Forum sets it for you.

www.certkit.io/blog/last-ca... #PKI #CertificateManagement

02.03.2026 15:37 👍 1 🔁 0 💬 0 📌 1

CertKit Agent update: RRAS support, deploy windows, and agent locking
The CertKit Agent now supports Microsoft RRAS for VPN certificate management. We also added deploy windows so you can control when certificate updates happen, and agent locking to protect your infrast...

CertKit Agent 1.6 is out: Microsoft RRAS support, deploy windows, and agent locking.

Shorter cert lifetimes mean certificate automation has to act like real releases: issue, deploy, verify (and do it on your schedule). www.certkit.io/blog/agent-1.6

#CertificateAutomation #SysAdmin

25.02.2026 15:04 👍 1 🔁 0 💬 0 📌 1

How likely is a man-in-the-middle attack?
A stolen TLS private key sounds catastrophic. But thanks to forward secrecy, it can't decrypt recorded traffic. The only thing left is server impersonation, and that requires network position that ran...

Man-in-the-middle attacks are less than 4%
It's mostly phishing proxies, not TLS interception.

The attack every vendor warns about almost never happens. What actually compromises your connections?

www.certkit.io/blog/man-in-...

23.02.2026 16:05 👍 1 🔁 0 💬 0 📌 1

How CertKit Works - Automated SSL Certificate Management
CertKit automates your entire certificate lifecycle. Issue certificates via ACME, deploy them with the CertKit Agent, and verify everything with real TLS checks. No open ports, no ACME on your servers...

Curious how CertKit works? I made a page for that.

www.certkit.io/how-it-works

18.02.2026 16:17 👍 1 🔁 0 💬 0 📌 0

BygoneSSL happened to us
We wrote about BygoneSSL and the 1.5 million domains with certificates owned by someone else. Then we bought certkit.dev and found one on our own domain. A DigiCert certificate, still valid for 98 day...

We bought certkit<.>dev and found someone else had a valid certificate for it. Tried to get it revoked: 6 emails, 24 hours, a support agent who called me "Tobb."

72 hours later, the cert is STILL trusted by every browser.

www.certkit.io/blog/bygones...

#WebPKI #CertificateManagement

16.02.2026 16:06 👍 1 🔁 0 💬 0 📌 1

Introducing the CertKit Agent
CertKit can now deploy certificates directly to your servers. The CertKit Agent is a lightweight service for Linux, Windows, and Docker that detects your software, writes certificates where they need ...

Most “certificate automation” stops at issuance. That’s how you renew a cert but still serve the old one.

CertKit Agent closes the loop: issue, deploy, verify. Write files to the right paths, set perms/ownership, run the restart.

www.certkit.io/blog/certkit...

#PKI #DevOps

12.02.2026 21:41 👍 1 🔁 0 💬 0 📌 1

Issuance Automation vs Certificate Automation
Most teams “automate certificates” by installing an ACME client and calling it a day. Then they still ship an outage because the hard parts were never automated: knowing what exists, keeping validatio...

You “automated certificates” with Certbot… and still got paged at 2am for an expired cert.

Because you automated issuance, not certificate automation. The hard parts are deploy + verify.

www.certkit.io/blog/issuanc...

#ACME #CertificateManagement

09.02.2026 16:40 👍 1 🔁 0 💬 0 📌 1

Your servers shouldn't need to know ACME
Your nginx doesn't need to understand ACME. Your mail server doesn't need DNS credentials. Your VPN appliance can't even run CertBot. They just need a certificate file. CertKit handles validation cent...

CertBot assumes every server should manage its own certificates. That worked when you had three servers.

But with web farms sharing wildcards, load balancers, mail servers, and VPN appliances, the distributed model collapses.

www.certkit.io/blog/servers...

#ACME #PKI

02.02.2026 18:47 👍 2 🔁 0 💬 0 📌 1

Let's Encrypt is moving to 45-day certificates before everyone else
The CA/Browser Forum set 47-day certificates as the target for 2029. Let's Encrypt decided to implement it a year earlier. Here's their roadmap and what it means for your automation.

Let's Encrypt is moving to 45-day certificates by February 2028, a full year before the industry mandate. Authorization reuse drops to 7 hours. If your renewals aren't truly automated, you'll find out the hard way.

www.certkit.io/blog/45-day-...

#PKI #CertificateManagement

27.01.2026 13:24 👍 1 🔁 0 💬 0 📌 1

Certificate permissions with CertKit Applications
As your certificate count grows, so does the chaos. Applications let you organize certificates into logical groups with their own API keys and access controls. No more sharing credentials across your ...

One API key with access to everything is fine until a contractor leaves or a key leaks. CertKit now supports multiple applications with scoped API keys. Your marketing site automation never sees production infrastructure.

www.certkit.io/blog/applica...

#PKI #CertificateManagement

21.01.2026 14:47 👍 1 🔁 0 💬 0 📌 1

Delegated DNS validation: proving domain ownership without exposing credentials
Every service you onboard wants proof you control your domain. Most want your DNS credentials to automate that proof. There's a better approach: CNAME delegation lets you authorize a service once with...

Every service wants DNS validation for certificates. With 47-day lifetimes coming, that means dozens of systems holding credentials that can modify your entire zone. CNAME delegation is the fix: one record, no credentials exposed.

www.certkit.io/blog/delegat...

#PKI #ACME

20.01.2026 17:48 👍 1 🔁 0 💬 0 📌 1

What should we build next?
We just published our product roadmap. It's interactive. Vote on what matters to you, or tell us what we're missing entirely.

We published the CertKit roadmap. Unlike most company roadmaps, it's not vague promises about AI-powered synergies. It's a list of features with vote buttons. Tell us what you actually need.

www.certkit.io/blog/what-sh...

#CertificateManagement #PKI

14.01.2026 15:15 👍 1 🔁 1 💬 0 📌 0

Should you still pay for SSL certificates?
IT teams keep buying certificates from DigiCert and Sectigo because free feels risky. But the assumptions behind that trust are a decade old. Let's Encrypt now secures 64% of the web, is funded by Goo...

"Free certificates? For production?" Yes. Let's Encrypt uses the same encryption as that $500 EV cert. Chrome killed the green bar in 2018. Amazon, Netflix, and Walmart all use DV certs. Your objections are probably institutional habit, not evidence

www.certkit.io/blog/should-...

#PKI #WebSecurity

12.01.2026 22:11 👍 2 🔁 2 💬 0 📌 0

DNS-PERSIST-01 validates a domain once to get certificates forever
A new ACME validation standard coming in 2026 lets you authorize a CA once and never touch DNS again for renewals. The security model is defensible, but even its supporters admit the optics are questi...

DNS-01 validation requires changing TXT records on every certificate renewal. With 47-day lifetimes coming, that's going to hurt. DNS-PERSIST-01 fixes it: validate once, get certs forever.

www.certkit.io/blog/dns-per...

#ACME #PKI

05.01.2026 16:23 👍 3 🔁 1 💬 0 📌 0

Do you still need wildcard certificates?
You've been using wildcard certificates for years because they were simpler. One cert, one renewal, copy it everywhere. But now you're automating anyway. If certificate management is no longer painful...

Do you still need wildcard certificates?

Wildcard vs SAN assumes certificates are painful to manage. But once you've automated for 47-day lifetimes, issuing 50 certs takes the same effort as one. The question shifts to security, not convenience.

www.certkit.io/blog/do-you-...

#PKI #WebSecurity

22.12.2025 15:55 👍 2 🔁 1 💬 0 📌 0

Multi-domain (multi-san) certificates and better error messages
CertKit now supports multi-SAN certificates, letting you cover multiple domains with a single cert. We also improved the certificate creation flow and made error messages actually useful.

CertKit now supports multi-domain certificates. Mix wildcards with specific hostnames on a single cert. Also shipped: actual ACME error messages instead of "something went wrong" and non-sequential IDs to stop enumeration attacks.

www.certkit.io/blog/certkit...

#SSL #PKI

18.12.2025 15:44 👍 1 🔁 1 💬 0 📌 0

How the ACME protocol automates certificate issuance
HTTPS went from 40% to over 90% of web traffic in a decade and the ACME protocol made that possible. But ACME solved certificate issuance, not certificate operations. Getting a cert is easy now. Getti...

In 2015, only 40% of websites used HTTPS. Today it's 95%. The ACME protocol made that happen by automating certificate issuance. But it didn't solve certificate operations. That's still your problem.

www.certkit.io/blog/how-acm...

#ACME #PKI

15.12.2025 16:54 👍 3 🔁 2 💬 0 📌 0

Just got our last certificate renewal email ever. All our products are now fully automated with CertKit. No more $144/year wildcard certs. No more renewal reminders. No more "your site will be vulnerable" scare tactics.

Dogfooding feels so good.

#SSL #PKI

10.12.2025 17:39 👍 3 🔁 2 💬 0 📌 0

Perfect Forward Secrecy Made Your Private Keys Boring
We used to treat private keys like plutonium because losing one meant every encrypted conversation ever was compromised. Perfect Forward Secrecy fixed that. Now each connection gets temporary keys tha...

The NSA recorded encrypted traffic for years, betting they'd eventually steal your private keys.

With RSA key exchange, that worked.

PFS broke their playbook. If you're still on TLS 1.2 without ECDHE, your traffic from 2019 might get decrypted tomorrow.

www.certkit.io/blog/perfect...

#TLS #PKI

08.12.2025 15:38 👍 2 🔁 1 💬 0 📌 0

Searching Certificate Transparency Logs (Part 3)
In this post we'll build a Clickhouse database schema to store billions of Certificate Transparency Log entries.

How do you store 3 billion SSL certificates on a 2.5TB drive and query them in under 100ms? Clickhouse. Final part of our CT search series covers the database tricks that make it work.

www.certkit.io/blog/searchi...

#Clickhouse #PKI

02.12.2025 20:54 👍 0 🔁 0 💬 0 📌 0

Installing TrackJS on CertKit
YouTube video by TrackJS

Most JavaScript errors in your monitoring dashboard are garbage. Browser extensions, ad blockers, crawlers. Here's how I set up TrackJS to ignore the noise and only alert on real bugs that matter.

www.youtube.com/watch?v=HBaZ...

#javascript #errormonitoring

24.11.2025 16:28 👍 3 🔁 1 💬 0 📌 0

Searching Certificate Transparency Logs (Part 2)
In this post we'll write Golang code to pull Certificate Transparency Log entries and process them at scale.

Eric Brandes just dropped Part 2 of our CT logs deep dive. Tiled logs process 100M+ records/day vs RFC 6962's measly millions. Google throttles you to death, Cloudflare's better, Let's Encrypt's tiled logs are best.

www.certkit.io/blog/searchi...

#PKI #CertificateTransparency

19.11.2025 17:05 👍 0 🔁 0 💬 0 📌 0

crt.sh | Certificate Search
Free CT Log Certificate Search Tool from Sectigo (formerly Comodo CA)

Certificate Transparency logs contain billions of certificates but searching them is painful. crt.sh is slow and often down. So we built our own free CT search tool that actually works.

Part 1 of our series: www.certkit.io/blog/searchi...

#CertificateTransparency #PKI

17.11.2025 20:43 👍 2 🔁 1 💬 0 📌 0

Certificate revocation is broken but we pretend it works
SSL Certificate revocation is so broken that browser vendors gave up trying to fix it. Chrome manually curates 24,000 'important' revocations out of 2 million. Firefox uses bloom filters that flag val...

"Revoke Certificate" - It's theater.

Most revoked certs keep working. Chrome, Firefox, Safari each block different revoked certs. The industry knows it's broken, so they're forcing 47-day expiration instead.

www.certkit.io/blog/certifi...

#PKI #CertificateManagement

11.11.2025 19:49 👍 3 🔁 1 💬 0 📌 0

How to Audit Your Domain's Certificate History (And Why You Should Be Terrified)
You probably have no idea how many SSL certificates exist for your domains. Or who has them.

You know about Certificate Transparency logs, right?

Right?!

community.ops.io/certkit/how-...

28.10.2025 19:08 👍 0 🔁 0 💬 0 📌 0

BygoneSSL and the certificate that wouldn't die
When domains change hands, old certificates don't. Two researchers at DEFCON found 1.5 million domains with valid certs owned by someone else. This is the security research that killed long certificat...

Stripe bought their domain in 2010. The previous owner's SSL certificate was valid until 2011.

For an entire year, someone else had a perfectly legitimate certificate for their payment processing.

This is why we're getting 47-day certificates.

www.certkit.io/blog/bygones...

27.10.2025 16:39 👍 3 🔁 1 💬 0 📌 0

Why Netflix Joined the Certificate Wars (And Why It Matters)

Netflix doesn't join standards bodies. They build streaming protocols, not bureaucracy. #ssl

08.10.2025 04:08 👍 3 🔁 2 💬 0 📌 0

CertKit
CertKit gives you one dashboard to see every cert, every renewal, every domain—before they expire and ruin your weekend.

Welcome to #CertKit on #OpsMatters! CertKit gives you one dashboard to see every cert, every renewal, every domain—before they expire and ruin your weekend.

#cybersecurity #certificatemanagement #devops https://opsmtrs.com/46V2Oar

19.10.2025 19:29 👍 2 🔁 1 💬 1 📌 0