KeyChest – FREE plan and track for 100% HTTPS uptime

print
We have been using Letsencrypt certificates for a year now. As it is free, we have been constantly increasing the number of services using it. I personally like the three months validity as it makes renewals a “business as usual” task, rather than incidents. But it doesn’t happen through magic.

DEF CON website down

While a start-up, we began experiencing downtimes. You can say that it’s all our fault and we should just start using a to-do/reminder system. I don’t agree. It happens to many and often. Only last week, the website of DEF CON – the mother of all hacking conferences, denouncing many for bugs, sloppiness, and vulnerabilities – was down and completely thanks to the HSTS flag. Anyone can get it wrong occasionally.

At Enigma Bridge, We tried several strategies and tools. We even started tracking renewals with our support system. However, we made mistakes in synchronizing tasks with the reality. Things got better, but we were nowhere near to be able to say, with certainty, that all our services were running.

We started thinking about a better management tool. We have been working with certificates for a while, so we knew of several online certificate checkers:

  • Facebook’s Certificate Transparency Monitoring – we found that of little value once you get over 20 or so certificates (past and present);
  • Globalsign’s Inventory Tool – free, but a web request raises a ticket, instead of opening an account;
  • Entrust’s SSL Certificate Discovery – allows you to get in touch with a specialist;
  • Digicert’s Discovery Tool – for internal use only;
  • Let’s monitor – it would take a long time to enter all our servers one-by-one, but it checks servers directly, so it solves the problem, as long as you don’t forget new servers; and the last but not the least
  • crt.sh – online checks against Certificate Transparency logs.

There are at least two problems with any of those tools:

  1. It is very inconvenient, and prone to errors, to add new servers and services to monitoring by hand;
  2. Unless you have a dedicated person, you don’t always have time to check certificates regularly to prevent downtimes; and
  3. (Personally, as I’m a security geek, I am always worried someone issues certificates on my behalf for re-direction or other attacks.)

KeyChest Arising

KeyChest is a FREE tool you need to stay on top of all your certificates and to keep your boss happy. Plan your renewals, get your weekly summary and present your certificate performance indicators (KPIs) to your boss.

We all like things that just work once they are set up. Keeping that in mind, we came up with an initial list of requirements:

  • Editable items – as few as possible, but not too few:
    1. list of domain names –  with YES/NO to include subdomains;
    2. date and time for email reports;
    3. entity name for the report title; and
    4. a list of certificates updated when domains change – ports, active/legacy.
  • Viewing/indicators – as simple as possible, but with all the info one needs:
    1. calendar with expiry dates/plan: next 7 days, 28 days, quarter, and year.
  • Weekly emails – a must:
    1. a nice HTML template, maybe attach a PDF version;
    2. data similar to what’s available online; and
    3. (maybe if anyone wants it) automatically updated calendar.
  • Colors:
    1. use colors to make pressing items and incidents easy to see.
  • Make it free for you:
    1. we want this service to be free to support the use of HTTPS/TLS as it makes the internet better.
KeyChest – landing page

These requirements evolved a bit and we added a simple form to check one server/domain, without the need to login or create an account.

This page is available now (although we are still improving the presentation), with an account dashboard coming out on 9th June.

Building It

Development of the back-end took more time than we thought it would. Having said that, we eventually opted for scalable and robust design with asynchronous workers and detailed parsing of certificates and data from servers. All that seems to be in a good shape now.

It really is coming soon. We have just published the first beta version of the landing page for quick server checks. The current version already checks:

  1. whether a certificate is trusted – a name in the certificate is the same as that of the server;
  2. the completeness of the certificate chain – the server should send all the certificates needed for verification; and
  3. the time left till the certificate expires.

And we will add a few more indicators like HSTS and pinning on the server with improvements of the presentation.

KeyChest – high-level results

 

 

 

 

If you register now, you will receive an email as soon as the dashboard comes live.  You can already send to us your suggestions for extensions, changes, and improvements. We will use this for subsequent versions.

If you like it, please spread the word! Register at https://keychest.net and follow this space for updates coming soon.

Published by

Dan Cvrcek

Founder and CEO of Enigma Bridge, engineer, entrepreneur, cryptography SME, security architect, and professor.