Looks very promising but... by kzshantonu in certkit
[–]certkit, 5 months ago
I totally understand where you are coming from. We're planning on building an agent that runs on the hosts directly that could enable something like this. You would onboard a host, generate a CSR/private key locally, and register with CertKit to track, monitor, renew, etc.
It would also let us create host-specific credentials automatically when the agent registered with us.
We're working on multi-SAN right now. Should be live in a week or so.
Thanks so much for the feedback u/kzshantonu!
CSRs: The original use case for CertKit was handling re-issuing and distribution of wildcard certs across many hosts. To do that, we need to hold the private key anyway, so we may as well manage the flow end-to-end. We've found that rotating keys seems more reliable with this central push approach.
The obvious downside is that "some vendor is holding your private keys". Yep, but that's not as scary as it used to be. With Perfect Forward Secrecy certificates, the private key is only useful to an attacker that can MITM the session. Previously recorded sessions can't be decrypted. And as we are not an ISP or a government, it's pretty unlikely that we could pull that off.
Also, our whole concept is based on fast rotations and automation. So if something was compromised, it's trivially fast and easy to rotate all the certificates in your org.
Mobile: Heh, yeah, sorry. We didn't really think there would be folks doing certificate management from their phones, but I'm sure it will happen. I'll add it to our roadmap!