Minneapolis, MN, USA
2025
By Todd H. Gardner
I’m an old engineer at heart. Many of my ideals were formed by Joel’s Things You Should Never Do, Fred’s No Silver Bullet, and Brian’s Big Ball of Mud. One of my favorites was Greenspun’s Tenth Rule: The joke isn’t really about programming languages. It’s about a pattern: certain problems have a shape, and no matter how you approach them, you end up building the same solution, in the same order, until you arrive at the same messy place.
By Todd H. Gardner
A few practical improvements this week, mostly driven by what we’re learning as customers deploy CertKit into larger infrastructures.
By Todd H. Gardner
Two big things in this release: a remote-updating CertKit agent and Google Trust Store CA issuer support.
By Todd H. Gardner
In preparation for launching CertKit last week, I browsed the websites of a lot of related cybersecurity services. I don’t really understand what any of them do, but apparently, “trust” is a thing that can be sold now.
By Todd H. Gardner
CertKit is officially out of beta. We started building CertKit a year ago, and since then over 600 people signed up, issued certificates, and deployed to their infrastructure. Several are running it as their production certificate management platform right now. We built a lot during the beta. Some of it we planned: SSO, team management, alerting. Other things, users had to beat into us. The Keystore came from enterprise security requirements to keep private keys in house.
By Todd H. Gardner
We released some good stuff this week with the CertKit agent version 1.8 from our roadmap, along with some small usability fixes in the CertKit web application.
By Todd H. Gardner
On March 19th, Richard Hicks, one of our customers, emailed us about a certificate that had renewed after only a week. It was a 90-day certificate and he had not initiated the renewal. That’s the kind of thing that sends you straight to the logs. We found the answer right away. The certificate’s ARI renewal window had been shortened dramatically.
By Todd H. Gardner
When you use CertKit, your private keys live in CertKit’s database, encrypted at rest. We’ve written about why the actual risk is smaller than it sounds. But some organizations have policies that prohibit storing private keys with any third party, regardless of how they’re protected. That policy isn’t going away. The Local Keystore enables those organizations to use CertKit and still keep their keys local.
By Todd H. Gardner
Certbot is good software in the classic Linux tradition: it does one thing simply and expects you to chain it together with everything else. One server, one certificate, done. The trouble is that most environments are not simple. And the moment yours isn’t, you discover that renewing a certificate and getting it deployed are two different problems, and deployment is your problem.
By Todd H. Gardner
In July 2024, DigiCert discovered they’d been issuing certificates with improper domain validation for five years. They gave customers 24 hours to replace 83,000 certificates. CISA issued an emergency alert. Critical infrastructure operators couldn’t meet the deadline. Some customers sued. That’s what mass revocation looks like in practice. The CA finds a compliance problem, the clock starts, and everyone scrambles. ACME Renewal Information (ARI) is the fix.

Finally, a GUI for certificate management. No more checking if Certbot actually ran. CertKit gives you one dashboard to see every cert, every renewal, every domain—before they expire and ruin your weekend. Built after the third production outage from a failed ACME challenge that nobody noticed.

Just point a DNS CNAME at us, and we'll automatically handle discovery, provisioning, validation, renewal, and deployment of certificates, all through an actual UI that can be easily monitored. Supports wildcards, multi-domain, whatever complexity you've accumulated over the years. No DNS API keys to leak. No cron jobs to debug. No Kubernetes required.

Built by the TrackJS team, who are known for building simple and reliable tools that Just Work™️.