CertKit - Certificate Management
LightNews LightNews
banner
certkit.io
CertKit - Certificate Management
@certkit.io
9 followers 10 following 17 posts
CertKit SSL Certificate Management automates the discovery, lifecycle, distribution, and monitoring of PKI Certificates.

Learn more at https://www.certkit.io/
Posts Replies Media Videos
certkit.io
"Free certificates? For production?" Yes. Let's Encrypt uses the same encryption as that $500 EV cert. Chrome killed the green bar in 2018. Amazon, Netflix, and Walmart all use DV certs. Your objections are probably institutional habit, not evidence

www.certkit.io/blog/should-...

#PKI #WebSecurity
Should you still pay for SSL certificates?
IT teams keep buying certificates from DigiCert and Sectigo because free feels risky. But the assumptions behind that trust are a decade old. Let's Encrypt now secures 64% of the web, is funded by Goo...
www.certkit.io
January 12, 2026 at 10:11 PM
certkit.io
DNS-01 validation requires changing TXT records on every certificate renewal. With 47-day lifetimes coming, that's going to hurt. DNS-PERSIST-01 fixes it: validate once, get certs forever.

www.certkit.io/blog/dns-per...

#ACME #PKI
DNS-PERSIST-01 validates a domain once to get certificates forever
A new ACME validation standard coming in 2026 lets you authorize a CA once and never touch DNS again for renewals. The security model is defensible, but even its supporters admit the optics are questi...
www.certkit.io
January 5, 2026 at 4:23 PM
certkit.io
Do you still need wildcard certificates?

Wildcard vs SAN assumes certificates are painful to manage. But once you've automated for 47-day lifetimes, issuing 50 certs takes the same effort as one. The question shifts to security, not convenience.

www.certkit.io/blog/do-you-...

#PKI #WebSecurity
Do you still need wildcard certificates?
You've been using wildcard certificates for years because they were simpler. One cert, one renewal, copy it everywhere. But now you're automating anyway. If certificate management is no longer painful...
www.certkit.io
December 22, 2025 at 3:55 PM
certkit.io
CertKit now supports multi-domain certificates. Mix wildcards with specific hostnames on a single cert. Also shipped: actual ACME error messages instead of "something went wrong" and non-sequential IDs to stop enumeration attacks.

www.certkit.io/blog/certkit...

#SSL #PKI
Multi-domain (multi-san) certificates and better error messages
CertKit now supports multi-SAN certificates, letting you cover multiple domains with a single cert. We also improved the certificate creation flow and made error messages actually useful.
www.certkit.io
December 18, 2025 at 3:44 PM
certkit.io
In 2015, only 40% of websites used HTTPS. Today it's 95%. The ACME protocol made that happen by automating certificate issuance. But it didn't solve certificate operations. That's still your problem.

www.certkit.io/blog/how-acm...

#ACME #PKI
How the ACME protocol automates certificate issuance
HTTPS went from 40% to over 90% of web traffic in a decade and the ACME protocol made that possible. But ACME solved certificate issuance, not certificate operations. Getting a cert is easy now. Getti...
www.certkit.io
December 15, 2025 at 4:54 PM
certkit.io
Just got our last certificate renewal email ever. All our products are now fully automated with CertKit. No more $144/year wildcard certs. No more renewal reminders. No more "your site will be vulnerable" scare tactics.

Dogfooding feels so good.

#SSL #PKI
December 10, 2025 at 5:39 PM
certkit.io
The NSA recorded encrypted traffic for years, betting they'd eventually steal your private keys.

With RSA key exchange, that worked.

PFS broke their playbook. If you're still on TLS 1.2 without ECDHE, your traffic from 2019 might get decrypted tomorrow.

www.certkit.io/blog/perfect...

#TLS #PKI
Perfect Forward Secrecy Made Your Private Keys Boring
We used to treat private keys like plutonium because losing one meant every encrypted conversation ever was compromised. Perfect Forward Secrecy fixed that. Now each connection gets temporary keys tha...
www.certkit.io
December 8, 2025 at 3:38 PM
certkit.io
How do you store 3 billion SSL certificates on a 2.5TB drive and query them in under 100ms? Clickhouse. Final part of our CT search series covers the database tricks that make it work.

www.certkit.io/blog/searchi...

#Clickhouse #PKI
Searching Certificate Transparency Logs (Part 3)
In this post we'll build a Clickhouse database schema to store billions of Certificate Transparency Log entries.
www.certkit.io
December 2, 2025 at 8:54 PM
Reposted by CertKit - Certificate Management
trackjs.com
Most JavaScript errors in your monitoring dashboard are garbage. Browser extensions, ad blockers, crawlers. Here's how I set up TrackJS to ignore the noise and only alert on real bugs that matter.

www.youtube.com/watch?v=HBaZ...

#javascript #errormonitoring
Installing TrackJS on CertKit
YouTube video by TrackJS
www.youtube.com
November 24, 2025 at 4:29 PM
certkit.io
Eric Brandes just dropped Part 2 of our CT logs deep dive. Tiled logs process 100M+ records/day vs RFC 6962's measly millions. Google throttles you to death, Cloudflare's better, Let's Encrypt's tiled logs are best.

www.certkit.io/blog/searchi...

#PKI #CertificateTransparency
Searching Certificate Transparency Logs (Part 2)
In this post we'll write Golang code to pull Certificate Transparency Log entries and process them at scale.
www.certkit.io
November 19, 2025 at 5:05 PM
certkit.io
Certificate Transparency logs contain billions of certificates but searching them is painful. crt.sh is slow and often down. So we built our own free CT search tool that actually works.

Part 1 of our series: www.certkit.io/blog/searchi...

#CertificateTransparency #PKI
crt.sh | Certificate Search
Free CT Log Certificate Search Tool from Sectigo (formerly Comodo CA)
crt.sh
November 17, 2025 at 8:43 PM
certkit.io
"Revoke Certificate" - It's theater.

Most revoked certs keep working. Chrome, Firefox, Safari each block different revoked certs. The industry knows it's broken, so they're forcing 47-day expiration instead.

www.certkit.io/blog/certifi...

#PKI #CertificateManagement
Certificate revocation is broken but we pretend it works
SSL Certificate revocation is so broken that browser vendors gave up trying to fix it. Chrome manually curates 24,000 'important' revocations out of 2 million. Firefox uses bloom filters that flag val...
www.certkit.io
November 11, 2025 at 7:49 PM
certkit.io
You know about Certificate Transparency logs, right?

Right?!

community.ops.io/certkit/how-...
How to Audit Your Domain's Certificate History (And Why You Should Be Terrified)
You probably have no idea how many SSL certificates exist for your domains. Or who has them.
community.ops.io
October 28, 2025 at 7:08 PM
certkit.io
Stripe bought their domain in 2010. The previous owner's SSL certificate was valid until 2011.

For an entire year, someone else had a perfectly legitimate certificate for their payment processing.

This is why we're getting 47-day certificates.

www.certkit.io/blog/bygones...
BygoneSSL and the certificate that wouldn't die
When domains change hands, old certificates don't. Two researchers at DEFCON found 1.5 million domains with valid certs owned by someone else. This is the security research that killed long certificat...
www.certkit.io
October 27, 2025 at 4:39 PM
Reposted by CertKit - Certificate Management
hackernoon.com
Netflix doesn't join standards bodies. They build streaming protocols, not bureaucracy. #ssl
Why Netflix Joined the Certificate Wars (And Why It Matters)
hackernoon.com
October 8, 2025 at 4:08 AM
Reposted by CertKit - Certificate Management
opsmatters.com
Welcome to #CertKit on #OpsMatters! CertKit gives you one dashboard to see every cert, every renewal, every domain—before they expire and ruin your weekend.

#cybersecurity #certificatemanagement #devops https://opsmtrs.com/46V2Oar
CertKit
CertKit gives you one dashboard to see every cert, every renewal, every domain—before they expire and ruin your weekend.
opsmtrs.com
October 19, 2025 at 7:29 PM
certkit.io
"Nice website you got there. Shame if it was “Not Secure.” That’ll be $300 a year."

www.certkit.io/blog/47-day-...
The 47-Day Certificate Ultimatum: How Browsers Broke the CA Cartel
For twenty years, Certificate Authorities ran the perfect protection racket. Then SHA-1 got shattered, Apple went rogue, and certificates went from lasting 3 years to 47 days. This is the story of how...
www.certkit.io
October 6, 2025 at 3:33 PM
certkit.io
It started as 47 beautiful lines of bash. Now it's a distributed certificate system built on thousands of command line incantations nobody understands, running on every server, and some of the printers.

www.certkit.io/blog/why-you...

#devsecops #ssl #certificates
You Built Your Own Certificate Management System - It's Already Broken
It started as 47 beautiful lines of bash. Now it's a distributed certificate system built on thousands of command line incantations nobody understands, running on every server and some of the printers...
www.certkit.io
September 19, 2025 at 9:34 PM
Reposted by CertKit - Certificate Management
toddhgardner.com
I had a fantastic time chatting with @richcampbell.bsky.social about Certificate management (specifically how much it sucks) and how we're trying to make it better at @certkit.io.

Do you have strong feels about certificates? I'd love to chat with you about it.
September 17, 2025 at 7:05 PM
certkit.io
Apple wants #SSL certificates to last only 47 days.

Remember when they lasted 3 years? Then 2? Then 1? Now we're speed-running toward daily renewals.

Your bash script from 2019 isn't ready for this

certkit.io/blog/why-we-built-certkit
CertKit SSL Certificate Management
CertKit SSL Certificate Management automates the discovery, lifecycle, distribution, and monitoring of PKI Certificates.
certkit.io
September 3, 2025 at 8:07 PM
certkit.io
Hello World!
September 3, 2025 at 7:53 PM