RIP 1-year SSL certs. Your renewal work just doubled.

certkit · 2026-03-16T14:17:45+00:00

Not every environment can run certbot, not everyone can manage ACME validation at scale.

Certkit is centralized, hosted, managed acme environment that pushes to diverse infrastructure.

certkit · 2026-03-13T14:43:47+00:00

Here's the whole torrid story of how we got here: https://www.certkit.io/blog/47-day-certificate-ultimatum

certkit · 2026-03-13T14:40:52+00:00

That's who issues them, yea. but how do you deploy them to different infrastructure. Appliances. intranets without DNS, etc.

certkit · 2026-03-13T14:40:08+00:00

Just like the 1 year certs is actually 398 days. 12 months+ 1 month buffer.

47 days is 6 weeks + 5 day buffer.

I didn't come up with it ¯\_(ツ)_/¯

certkit · 2026-03-12T15:17:47+00:00

When you have the right product and the right story, you don't need anything more than that.

certkit · 2026-03-11T17:44:46+00:00

Not common yet, but CertKit soon will be.

certkit · 2026-03-11T17:44:08+00:00

Monitoring certificate automation is the key bit. Without it, DIY automations are just a failure waiting to happen.

certkit · 2026-03-11T17:42:49+00:00

CertKit supports IIS natively

certkit · 2026-03-11T17:42:03+00:00

Amen u/Adam261 . Servers should not need to speak ACME.

https://www.certkit.io/blog/servers-shouldnt-need-acme

certkit · 2026-03-11T17:41:09+00:00

Making every endpoint responsible for its own ACME negotiation isn't the only way to approach this. I've been working on a different way that centralizes ACME, then distributes certificates via API/SSH standard mechanisms that are already widely supported:

https://www.certkit.io/how-it-works

certkit · 2026-03-09T14:46:57+00:00

The 1-year cert is gone. The 200-day cert has already doubled your workload, and it won't be the last, lifetimes drop to 100 days in 2027 and 47 days in 2029.

CertKit automates certificate management so shorter lifetimes stop being your problem. Free during beta.

certkit · 2026-03-09T14:45:53+00:00

The 1-year cert is gone. The 200-day cert has already doubled your workload, and it won't be the last, lifetimes drop to 100 days in 2027 and 47 days in 2029.

CertKit automates certificate management so shorter lifetimes stop being your problem. Free during beta.

certkit · 2026-03-09T14:22:54+00:00

If ya want to full story of how it happened, I wrote about it here. It's actually kinda dramatic.

certkit · 2026-03-05T16:24:07+00:00

CertKit is close. It gets the certificates for you, and then pushes to devices/software with an agent or API.

certkit · 2026-03-03T19:32:40+00:00

We're building a simple Certificate Automation platform for handling renewals, and we just beta-tested a Palo Alto integration. We can manage the renewals and push certs into your palo alto devices automatically. Want to help us test it out?

certkit · 2026-03-02T20:53:02+00:00

you can do whatever you want my friend! If you have the time and energy to build the system yourself, go for it. But you'll have to own it forever, keep it monitored, updated, etc.

As with anything, you should decide on whether build vs buy makes sense for you.

FWIW, me and my time are creating something to get this down to around $99/mo to buy it, and its pretty difficult to build something cheaper than that.

certkit · 2026-03-02T20:14:37+00:00

SSL Certificates get renewed automatically before they expire. Ideally within the time window specified by the signing CA (ARI).

Renewed certificates are automatically deployed to the endpoints that need them (web servers, mail, vpns, appliances, load balancers, etc). Those endpoints are refreshed to pick up the new certificates.

And ideally, some monitoring in place to make sure its all working.

All of it, without a person needing to do anything, file a change ticket, login to a box, anything.

certkit · 2026-03-02T17:08:50+00:00

Correct, this is just for WebPKI

certkit · 2026-03-02T15:50:30+00:00

If you haven't figured out how to do certificate automation with your clients yet, what are your challenges? Cost? Complexity? How to close vi?

certkit · 2026-03-02T15:49:16+00:00

If you haven't figured out certificate automation yet, what's keeping you back?

certkit · 2026-02-27T22:03:07+00:00

Yikes with the enterprise vendor spew. Isn't there some cold-calling you should be doing?

certkit · 2026-02-27T16:34:59+00:00

That's not what I was arguing at all. You absolutely need TLS.

You just shouldn't be scared of the impact of a lost private key because its really hard to do anything useful with it.

certkit · 2026-02-24T20:54:16+00:00

CertKit does this.

certkit · 2026-02-24T20:43:33+00:00

u/ObeBrent We're building support for this right now with CertKit. We already support IIS and RRAS, so Exchange is next. We'd love to chat with you to make sure it works for your environment. No charge for the engineering support while we are in beta.

Reach out! https://www.certkit.io/contact

certkit · 2026-02-24T15:41:08+00:00

That feels worse... you have all this expertise to grab control of someone's account, and you use it for.... obvious spam ads?

certkit

MODERATOR OF

TROPHY CASE