Certificate Management automates the discovery, lifecycle, distribution, and monitoring of SSL Certificates.
Website: https://www.certkit.io/

Some organizations have a hard requirement: private keys cannot leave the network perimeter. Third-party cert management has always meant violating that policy.

The CertKit Local Keystore is the fix. Keys stay on your infrastructure. Full automation still works.

www.certkit.io/blog/certkit-keystore

#PKI #CertificateManagement

A 2024 PKI survey found organizations averaged 3 certificate outages over 24 months. In almost every case, the certificate renewed fine.

Distribution is where it fell apart.

https://www.certkit.io/blog/certificate-distribution-is-the-last-mile #PKI #infosec

Certificate distribution is the last mile nobody solved

Certbot solved certificate issuance. It's great at that. The hard part is everything that happens after: getting the certificate file to every server that needs it, in the right format, with the right permissions, and confirming each one is actually serving it. Nobody handed you a solution for that.

CertKit SSL Certificate Management

Mass revocation gives you 24 hours and thousands of certs to replace. ARI (RFC 9773) automates it, but only if your ACME client is always running.

Certbot uses a cron job. acme.sh has no ARI support.

https://www.certkit.io/blog/ari-solves-mass-certificate-revocation

#PKI #TLS

ACME Renewal Information (ARI) solves mass certificate revocation

When a CA has to revoke hundreds of thousands of certificates on a short deadline, email notifications aren't enough. ARI is the protocol that lets the CA tell your client directly: renew now. Here's how it works, and why most ACME clients can't actually respond in time.

CertKit now supports ACME ARI and 6-day certificates.

ARI means the CA tells us when to renew. We check it multiple times a day. Your next mass revocation event? Just another boring Tuesday.

Nothing to configure.

https://www.certkit.io/blog/acme-ari-and-6-day-certificates #PKI #infosec

ACME ARI support and 6-day certificates

CertKit now polls Let's Encrypt multiple times a day to check when each certificate should renew. That means mass revocations happen automatically, without you doing anything. We also added support for 6-day certificates for environments where 90 days isn't short enough.

Your cert renewed. The old one is still serving.

LinkedIn renewed 10 days before expiry. It never deployed.

Most automation catches "forgot to renew." Nobody verifies the new cert is what the server is actually sending.

https://www.certkit.io/blog/how-to-verify-certificate-renewal #PKI #TLS

How to verify certificate renewal actually worked

Certbot ran. The logs show success. Exit code 0. LinkedIn found out the hard way that renewed and deployed are not the same thing. The verify step is the part of certificate automation nobody builds until after the outage.

Certificate management has always been a one-person job. CertKit now supports team access: role-based permissions, SAML SSO, MFA, and a weekly digest to keep the whole org in the loop.

https://www.certkit.io/blog/user-management #PKI #infosec

User management, MFA, SSO, and weekly summaries are live

CertKit now supports team accounts with role-based access, multi-factor authentication, SAML single sign-on, and a weekly email digest. Here's what shipped and why it matters.

March 15 is last call on 398-day certificates. After that, 200-day max, 100 in 2027, 47 in 2029.

Renew now and you buy yourself time to automate on your terms. Wait, and the CA/B Forum sets your schedule for you.

https://www.certkit.io/blog/last-call-on-398-day-certificates #PKI #WebPKI

Last call on 398-day certificates

The bar closes March 15. After that, no CA can serve you a 398-day certificate. If you're still managing commercial SSL certs manually, you have two weeks to grab one last round of full-year runway before the 200-day era begins.

CertKit Agent 1.6: RRAS support, deploy windows, and agent locking.

Shorter lifetimes mean certificate automation has to act like real deployments: issue, deploy, verify. Deploy windows keep disruptions inside maintenance windows, and agent locking freezes commands so UI changes can’t be weaponized.

https://www.certkit.io/blog/agent-1.6

#CertificateAutomation #WebPKI

CertKit Agent update: RRAS support, deploy windows, and agent locking

The CertKit Agent now supports Microsoft RRAS for VPN certificate management. We also added deploy windows so you can control when certificate updates happen, and agent locking to protect your infrastructure even if CertKit itself were ever compromised.

22,000+ incidents in the Verizon DBIR. Man-in-the-middle? Less than 4%, mostly phishing proxies. Not TLS interception.

Forward Secrecy killed "record now, decrypt later." So what actually compromises your connections?

https://www.certkit.io/blog/man-in-the-middle

#cybersecurity #TLS

How likely is a man-in-the-middle attack?

A stolen TLS private key sounds catastrophic. But thanks to forward secrecy, it can't decrypt recorded traffic. The only thing left is server impersonation, and that requires network position that ranges from "be in the same room" to "be a nation-state." We looked at the data on how often this actually happens.

Curious how CertKit works? I made a page for that.

https://www.certkit.io/how-it-works

How CertKit Works - Automated SSL Certificate Management

CertKit automates your entire certificate lifecycle. Issue certificates via ACME, deploy them with the CertKit Agent, and verify everything with real TLS checks. No open ports, no ACME on your servers, no DNS changes.
