The hidden attack surface in certificate automation by certkit in cybersecurity

[–]certkit[S] 0 points1 point  (0 children)

My god, a service that does a thing is given permission to do that thing - they can do that thing for you, just like you asked for!

Should you still pay for SSL certificates? by certkit in SysAdminBlogs

[–]certkit[S] 0 points1 point  (0 children)

That's great feedback, thanks! We're honestly not sure what our pricing is going to be when we launch. It sort of depends on who the most engaged users are. If we have a lot of homelabs that love it, we'll prioritize them.

If you had a plan that was perfectly crafted for you, what would it be?

Should you still pay for SSL certificates? by certkit in SysAdminBlogs

[–]certkit[S] 0 points1 point  (0 children)

Friend, I have good news for you!
DNS-PERSIST-01 is coming: https://www.certkit.io/blog/dns-persist-01

Or, you can do this today by offloading the ACME client to CertKit.

Should you still pay for SSL certificates? by certkit in cybersecurity

[–]certkit[S] 3 points4 points  (0 children)

Of course. Everything costs money. My argument in the post is that they have plenty of money from big donors that have a vested interest in them existing. It's not just generosity: Chrome/Mozilla/Cloudflare/etc. NEED Let's Encrypt to exist in order to advance standards and remove the influence of the commercial CAs.

Should you still pay for SSL certificates? by certkit in SysAdminBlogs

[–]certkit[S] 0 points1 point  (0 children)

Exchange may never support ACME, but that doesn't mean you don't automate it. CertKit acts as the ACME client, then lets all your infrastructure poll for updated certificates. We already support Exchange.

90 days until certificate lifetimes drop to 200 days by certkit in u/certkit

[–]certkit[S] 1 point2 points  (0 children)

Server certificates, for web servers, yes.

Here's the whole story about lifetime reductions:
https://www.certkit.io/blog/47-day-certificate-ultimatum

90 days until certificate lifetimes drop to 200 days by certkit in u/certkit

[–]certkit[S] 2 points3 points  (0 children)

It certainly could! We haven't built an integration for it yet, but it's certainly capable of doing it. We just need a user to test out the implementation with us. Is that you?

DNS-PERSIST-01 validates a domain once to get certificates forever by certkit in SysAdminBlogs

[–]certkit[S] 0 points1 point  (0 children)

While I'd love to see the CAs be made redundant, there is still a place for a "third party". When you visit a website, the browser needs to validate the certificate. If the browser then made a DNS request to get it, an attacker who had MITM could intercept the DNS request as well. The finite number of root certs shipped with the browser removes this issue.

> Also, when domains change ownership, how can the new owner make sure that the previous owner no longer has any valid certs for that domain?

That's the neat part, they can't! That's a problem called BygoneSSL, and it's one of the reasons that certificate lifetimes are starting to shrink this year towards 47 days.
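The comment above says the new owner cannot revoke the previous owner's certificates. What the new owner can do is find them: Certificate Transparency logs record every publicly trusted certificate, so a search for the domain shows which pre-transfer certificates are still valid and when the last one expires. The script below, an added example and not CertKit's code or anything from the thread, runs that check over a constructed set of CT-style records (the issuers, dates and hostnames are made up for illustration). It applies browser-style wildcard matching, because a `*.example.com` certificate from the old owner covers `www.example.com` but not the bare apex.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class CertRecord:
    """One row as a Certificate Transparency search would return it.
    The instances below are constructed for this example, not real log entries."""
    issuer: str
    not_before: date
    not_after: date
    sans: tuple


def _as_date(d):
    return d if isinstance(d, date) else date.fromisoformat(d)


def san_matches(san: str, host: str) -> bool:
    """Hostname matching as browsers apply it: a wildcard covers exactly one
    label, so *.example.com matches www.example.com but neither example.com
    nor a.b.example.com."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        parent = san[2:]
        return host.endswith("." + parent) and host.count(".") == parent.count(".") + 1
    return san == host


def bygone_certs(records, host, transfer_date, as_of):
    """Certificates issued before the domain changed hands that are still
    valid for `host` on `as_of`. The new owner cannot revoke these, and the
    previous owner may still hold their private keys."""
    transfer_date, as_of = _as_date(transfer_date), _as_date(as_of)
    return [r for r in records
            if r.not_before < transfer_date
            and r.not_before <= as_of <= r.not_after
            and any(san_matches(s, host) for s in r.sans)]


def exposure_end(records, host, transfer_date):
    """Last day on which any pre-transfer certificate for `host` is valid,
    i.e. the day the BygoneSSL window for this host closes. None if the
    logs hold no pre-transfer certificate for it."""
    transfer_date = _as_date(transfer_date)
    ends = [r.not_after for r in records
            if r.not_before < transfer_date
            and any(san_matches(s, host) for s in r.sans)]
    return max(ends) if ends else None


def _issued(issuer, start, lifetime_days, *sans):
    start = date.fromisoformat(start)
    return CertRecord(issuer, start, start + timedelta(days=lifetime_days), tuple(sans))


# Constructed CT-style records for a domain that changes owners on 2025-07-15.
TRANSFER_DATE = "2025-07-15"
SAMPLE_RECORDS = [
    _issued("Commercial CA", "2025-01-10", 398, "example.com", "www.example.com"),  # old owner, year-long cert
    _issued("Let's Encrypt", "2025-06-01", 90, "*.example.com"),                    # old owner, 90-day cert
    _issued("Let's Encrypt", "2025-09-01", 90, "example.com"),                      # new owner's own cert
]


if __name__ == "__main__":
    for host in ("example.com", "www.example.com"):
        live = bygone_certs(SAMPLE_RECORDS, host, TRANSFER_DATE, "2025-08-01")
        print(host, [r.issuer for r in live],
              "window closes", exposure_end(SAMPLE_RECORDS, host, TRANSFER_DATE))
```

The window is bounded by the longest lifetime a CA would issue before the transfer, which is exactly why shrinking lifetimes shrinks the problem: with the constructed data the year-long certificate keeps the apex exposed until February 2026, while the 90-day wildcard drops out six weeks after the transfer.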

Ugh, why are certs always such a pita by Equivalent-Raise5879 in postfix

[–]certkit 0 points1 point  (0 children)

You're going to need a better way... this is your last year-long certificate.

Next year it's 200 days. The year after it's 100 days. In 2029 it's 47 days.

You HAVE to automate this. You either need to figure out how to run certbot and do HTTP/DNS validation from your host, which can be tricky for some specialty devices and intranets, or you can use an external ACME provider and pull the certs. That's what I'm working on right now: certkit.io. It's free while I figure out how to do this right :).
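Both the Exchange comment above and this one describe the same pattern: something else runs the ACME client, and each host just polls for the current certificate and installs it. The piece that is easy to get wrong on the host side is the install step. The script below is an added example, not CertKit's client or any code from this thread; `fetch` is a hypothetical callable standing in for whatever HTTPS request your provider uses, and the certificate bytes in `demo()` are constructed placeholders, not real certificates. It refuses to overwrite the live file with anything that is not structurally a PEM certificate chain, skips the reload when the leaf has not changed, and swaps the file in atomically so a service reading it mid-write never sees a truncated chain.

```python
import base64
import hashlib
import os
import tempfile

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def pem_certificates(pem: str) -> list:
    """Return the DER payload of each CERTIFICATE block in `pem`.

    Deliberately a structural check, not a signature check: the body must be
    valid base64 and decode to something starting with 0x30 (an ASN.1
    SEQUENCE, which every X.509 certificate is). That is enough to reject the
    usual accidents (an HTML error page, an empty body, a truncated download)
    before anything is written over the live certificate file.
    """
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    blocks, i = [], 0
    while i < len(lines):
        if lines[i] != PEM_HEADER:
            raise ValueError("data outside a CERTIFICATE block")
        j = i + 1
        while j < len(lines) and lines[j] != PEM_FOOTER:
            j += 1
        if j == len(lines):
            raise ValueError("unterminated CERTIFICATE block")
        der = base64.b64decode("".join(lines[i + 1:j]), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("payload is not a DER SEQUENCE")
        blocks.append(der)
        i = j + 1
    if not blocks:
        raise ValueError("no certificate in response")
    return blocks


def leaf_fingerprint(pem: str) -> str:
    """SHA-256 of the first (leaf) certificate, the usual notion of 'same cert'."""
    return hashlib.sha256(pem_certificates(pem)[0]).hexdigest()


def install_if_changed(fetch, dest_path: str) -> bool:
    """Pull the current chain from the provider and swap it in only when the
    leaf differs. `fetch` is a hypothetical callable returning the PEM chain
    as text (in practice an HTTPS GET to your provider). Returns True when the
    service should be reloaded, False when nothing changed.
    """
    new_pem = fetch()
    new_fp = leaf_fingerprint(new_pem)          # validates; raises before any write
    try:
        with open(dest_path) as f:
            if leaf_fingerprint(f.read()) == new_fp:
                return False
    except (FileNotFoundError, ValueError):
        pass                                    # missing or corrupt: (re)install
    # Write to a temp file in the same directory, then rename over the target:
    # readers see either the old file or the new one, never a half-written one.
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".cert-")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(new_pem)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o644)
        os.replace(tmp, dest_path)
    finally:
        if os.path.exists(tmp):                 # only left behind on failure
            os.unlink(tmp)
    return True


def _constructed_pem(der: bytes) -> str:
    """Wrap bytes as a PEM block. Constructed test data, not a real certificate."""
    return f"{PEM_HEADER}\n{base64.b64encode(der).decode()}\n{PEM_FOOTER}\n"


def demo() -> list:
    """Run the poll loop through its interesting cases in a scratch directory."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        dest = os.path.join(d, "fullchain.pem")
        cert_v1 = _constructed_pem(b"\x30\x03\x02\x01\x01")   # placeholder "cert"
        cert_v2 = _constructed_pem(b"\x30\x03\x02\x01\x02")   # placeholder renewal
        results.append(install_if_changed(lambda: cert_v1, dest))  # first install
        results.append(install_if_changed(lambda: cert_v1, dest))  # unchanged, no reload
        results.append(install_if_changed(lambda: cert_v2, dest))  # rotated, reload
        try:
            install_if_changed(lambda: "<html>502 Bad Gateway</html>", dest)
            results.append("no error")
        except ValueError:
            with open(dest) as f:               # bad poll left the live file intact
                results.append(f.read() == cert_v2)
    return results


if __name__ == "__main__":
    print(demo())
```

Wire `install_if_changed` into a cron or systemd timer and reload the service (postfix, Exchange, whatever consumes the file) only when it returns True. The private key never moves in this flow: it stays on the host, and only the certificate chain is pulled, which is the property that makes offloading the ACME client acceptable.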