Minneapolis, MN, USA
2025
  |  By Todd H. Gardner
The word “certificate” means too many different things. When someone says “the certificate for example.com,” they might mean the public key the CA signed. They might mean the key-pair sitting on the filesystem. They might mean the signature that expires in 47 days. Or they might mean all the things together, that you’ve been renewing for the last 10 years. That last one doesn’t have a name in any PKI standard. And it should.
  |  By Todd H. Gardner
Two things shipped this week. One is for the MSPs who manage certificates on behalf of other companies. The other lets you run the shorter 45-day renewal cycle today.
  |  By Todd H. Gardner
The pitch for private PKI gets more compelling every year. Public certificate lifetimes are down to 200 days, dropping to 47 by 2029. If you run your own private certificate authority, you make your own rules. Issue certificates for as long as you want, skip the renewal churn. Let’s Encrypt and DigiCert don’t get to tell you what to do. Apple does though.
  |  By Todd H. Gardner
Running your own certificate authority sounds like the responsible choice for internal infrastructure. Distribute your root cert to every machine and issue certs internally. In practice, you spend the next six months chasing down every device, contractor laptop, and vendor console that didn’t get root installed. The warnings come back. And when they do, people click through them, because they always have. There’s a simpler path, and most teams don’t know it exists.
  |  By Todd H. Gardner
Certificate automation does a lot of work on your behalf. Agents running on your servers, talking to certificate authorities, deploying certs to your infrastructure. At some point someone (your CISO, your auditor, or your own brain at 3am) is going to ask: what exactly happened, and when? Today we’re shipping audit logs. Every action taken in CertKit is now recorded: logins, invitations, certificates added, issued, renewed, revoked, and deployed. Agent registrations, approvals, and config changes.
  |  By Todd H. Gardner
Getting a certificate from a CA is a solved problem (ACME). Distributing it to the rest of your infrastructure is not. Your F5 has its own API. Your Palo Alto has a different one. Azure Key Vault is a third thing entirely, and the appliance in the back of the rack only has an SSH interface.
  |  By Todd H. Gardner
I’m an old engineer at heart. Many of my ideals were formed by Joel’s Things You Should Never Do, Fred’s No Silver Bullet, and Brian’s Big Ball of Mud. One of my favorites was Greenspun’s Tenth Rule: The joke isn’t really about programming languages. It’s about a pattern: certain problems have a shape, and no matter how you approach them, you end up building the same solution, in the same order, until you arrive at the same messy place.
  |  By Todd H. Gardner
A few practical improvements this week, mostly driven by what we’re learning as customers deploy CertKit into larger infrastructures.
  |  By Todd H. Gardner
Two big things in this release: a remote-updating CertKit agent and Google Trust Store CA issuer support.
  |  By Todd H. Gardner
In preparation for launching CertKit last week, I browsed the websites of a lot of related cybersecurity services. I don’t really understand what any of them do, but apparently, “trust” is a thing that can be sold now.

Finally, a GUI for certificate management. No more checking if CertBot actually ran. CertKit gives you one dashboard to see every cert, every renewal, every domain—before they expire and ruin your weekend. Built after the third production outage from a failed ACME challenge that nobody noticed.

Just point a DNS CNAME at us, and we'll automatically handle discovery, provisioning, validation, renewal, and deployment of certificates. Through an actual UI that can be easily monitored. Supports wildcards, multi-domain, whatever complexity you've accumulated over the years. No DNS API keys to leak. No cron jobs to debug. No Kubernetes required.

Built by the TrackJS team who are known for building simple and reliable tools that Just Work™️.