Automate certificate monitoring with free API – KeyChest

Our certificate monitoring KeyChest has an initial RESTful API for remote enrolment of new certificates and for checking certificate expiry. Its design supports automation without any initial security/authorization setup.

Continue reading Automate certificate monitoring with free API – KeyChest

How secure is CloudFlare “flexible SSL” option

One would expect that when you decide to secure your web-server traffic with HTTPS, you do it for the security. Some, however, do it mostly to improve their SEO. CloudFlare flexible SSL is exactly for this.

Continue reading How secure is CloudFlare “flexible SSL” option

Planning TLS certificate renewals – define a process

This text is about creating a process around planning certificate renewals. As part of our KeyChest re-design, we created a sequence of meaningful checks for TLS certificates to get them always renewed before your web services go down.

Continue reading Planning TLS certificate renewals – define a process

KeyChest now runs over 500,000 TLS checks every day

We checked recent statistics of the KeyChest service. While the overall load is gradually increasing, we also increase the number of checks we perform. It’s now over 500,000 a day since March 26. But we should be fine till a major system upgrade coming soon.

Continue reading KeyChest now runs over 500,000 TLS checks every day

Let’s Encrypt uptime is 99.9% — or 98.8% without defects in 2017

As I was collecting reliability data for several PKI systems, I included Let’s Encrypt as it’s by far the biggest PKI system I was aware of. It provides its status data and its history at https://letsencrypt.status.io and here’s my informal analysis of its production systems.

Continue reading Let’s Encrypt uptime is 99.9% — or 98.8% without defects in 2017

Let’s Encrypt certificates with one name on different servers

This is an interesting one. The first impulse is to simply answer NO, you can’t do it, that’s the point of HTTPS. But it’s all about networking and one can do quite some magic with proxies, forwarding, and the SNI extension in TLS protocols.

Continue reading Let’s Encrypt certificates with one name on different servers

Let’s Encrypt in the spotlight

We have compiled all practical information we could find and written it up at Numbers you need to know. It’s a long list of restrictions, rate limits, and other useful information to keep in mind.  Here’s a few selected points that we found interesting. Big thanks to schoen from Certbot/EFF for pointing out numerous inaccuracies.

Continue reading Let’s Encrypt in the spotlight

Guardian, FT, etc. share their internet encryption keys with many

We have all heard about hackers stealing huge user databases with passwords as they are tempting bounties. FT, Guardian and many others create a new kind of reward – their internet encryption keys via CDNs – services speeding up web traffic.

Continue reading Guardian, FT, etc. share their internet encryption keys with many

SSL testing – servers or domains?

We have started testing our SSL certificate spot checks – KeyChest – and realized that we were conceptually different from SSL Labs. We focus on the server rather than the domain name and it makes a difference.

Continue reading SSL testing – servers or domains?

SSL certificates – 7 Free Spot Checks in one go – KeyChest

While implementing features of the certificate planner, we have added a few handy features to the KeyChest spot checker as well. It is now much more than just a tool to check when a website certificate expires.

Continue reading SSL certificates – 7 Free Spot Checks in one go – KeyChest