Certificate distribution has always been the messy part. Custom scripts, shared drives, passwords in plaintext somewhere.

We shipped deployment scripting with a template library for F5, Palo Alto, Azure, Exchange, and more. Variables encrypted, never on disk.

https://www.certkit.io/blog/deployment-scripting

#CertificateManagement #PKI

Remote deployment scripting

CertKit now ships centrally managed deployment scripts that push certificates directly to appliances, cloud platforms, and custom infrastructure, with a template library and encrypted variable storage.

CertKit SSL Certificate Management

Todd's Tenth Rule: any sufficiently complicated SSL certificate script contains a bad implementation of half a certificate lifecycle manager.

Named the pattern. Here's how it happens.

https://www.certkit.io/blog/todds-tenth-rule-certificate-automation

#CertificateManagement #PKI

Todd's Tenth Rule of certificate automation

Any sufficiently complicated SSL certificate renewal system contains an ad hoc, informally-specified, bug-ridden, slow implementation of half a certificate lifecycle manager. I'm taking credit for this one.

New in CertKit: copy and link agent configs across your fleet instead of configuring each server individually. Also added search and grouping for monitored domains, plus our first GDPR Data Processing Agreement.

https://www.certkit.io/blog/shared-configs-and-monitor-search

#CertificateManagement #SSL

Shared agent configs, monitor search, and a GDPR policy

Copy and share agent configurations across your fleet, search and sort your monitored domains, and our first official Data Processing Agreement for GDPR compliance.

CertKit 1.9: push agent updates from the dashboard, no more logging into every server. Plus Google Trust Store as a second ACME issuer alongside Let's Encrypt.

https://www.certkit.io/blog/agent-1.9

#CertificateManagement #SSL

Remote Agent Updates and Google Trust Store

Agent 1.9 adds remote push updates so you can upgrade your entire fleet from the dashboard, plus first-class support for Google Trust Store as an ACME certificate issuer alongside Let's Encrypt.

CertKit is out of beta.

600 signups. Real production deployments. A Keystore for keeping private keys on-prem. RDP and RRAS support for Windows shops.

Now there's real pricing — and 40% off forever if you get in before May 31st.

https://www.certkit.io/blog/out-of-beta

#PKI #CertificateManagement

CertKit is out of beta

We launched the beta in July 2025. Over 600 users later, the beta is over. Here's what we built, what we learned, and a thank you to the early adopters who helped make it real.

CertKit Agent 1.8: Windows Certificate Store, Java Keystore, and RDP auto-detection.

We also shipped a retro MS-DOS confirmation dialog on April Fools' Day. It is fully keyboard-compatible.

https://www.certkit.io/blog/agent-1.8 #CertificateManagement #PKI

Some organizations have a hard requirement: private keys cannot leave the network perimeter. Third-party cert management has always meant violating that policy.

The CertKit Local Keystore is the fix. Keys stay on your infrastructure. Full automation still works.

www.certkit.io/blog/certkit-keystore

#PKI #CertificateManagement

We found a valid DigiCert certificate on a domain we just purchased, issued to someone we've never met. Getting it revoked took 6 emails. 72 hours after confirmed revocation, every browser still trusts it.

https://www.certkit.io/blog/bygonessl-happened-to-us

#InfoSec #CertificateManagement

BygoneSSL happened to us

We wrote about BygoneSSL and the 1.5 million domains with certificates owned by someone else. Then we bought certkit.dev and found one on our own domain. A DigiCert certificate, still valid for 98 days, issued to whoever owned this domain before us. Here's what we found, what we tried to do about it, and what happened when we tried to revoke it.

You can automate issuance and still ship outages.

Certificate lifecycle is a loop:

issue → deploy → verify.

Most teams stop at “renewal succeeded” and skip the only part users care about: what the endpoint is actually serving.

https://www.certkit.io/blog/issuance-automation-vs-certificate-automation
#ACME #CertificateManagement

Issuance Automation vs Certificate Automation

Most teams “automate certificates” by installing an ACME client and calling it a day. Then they still ship an outage because the hard parts were never automated: knowing what exists, keeping validation safe, and verifying what’s actually being served.

Let's Encrypt is moving to 45-day certificates by February 2028, a year before the industry mandate. Everyone focuses on the certificate lifetime, but the real disruption is authorization reuse dropping from 30 days to 7 hours.

That means nearly every cert request requires fresh validation. Batch operations across a day? Broken. Hardcoded 60-day renewal intervals? Expired certificates.

https://www.certkit.io/blog/45-day-certificates

#PKI #CertificateManagement

Let's Encrypt is moving to 45-day certificates before everyone else

The CA/Browser Forum set 47-day certificates as the target for 2029. Let's Encrypt decided to implement it a year earlier. Here's their roadmap and what it means for your automation.
