CertKit is an invaluable tool for administrators managing public TLS certificates in Microsoft environments like Always On VPN (SSTP) and DirectAccess (IP-HTTPS), as it simplifies and fully automates Let's Encrypt certificate issuance and renewal. CertKit eliminates the security risks and complexities of manual DNS challenges or API key exposure.
Richard Hicks
Consultant and Microsoft MVP
Automation help available
Have you been running a manual yearly task to update your certificates?
Feeling lost with automating it ahead of the 47 day certificate mandate?
We can help.
Certificate audits
We'll scan your domains and find all the certificates you need to automate. You'll know everything that
needs to be done ahead of your next renewal.
Implementation
Full white-glove service. We'll set up your CertKit account, import your existing certificates, configure deployment to your systems, and monitor everything.
Book a meeting
CertKit makes what many companies struggle with much easier to manage while at the same time providing great value compared to the traditional vendors in the space.
Ben Story
Managed Services Director, RedEye Network Solutions
Frequently asked questions
How do you get certificates for my domains?
When you start an account with CertKit, you create a DNS CNAME record for _acme-challenge that points to us.
That gives us the ability to validate certificates for your domain from certificate authorities, without giving us complete access to your DNS.
This is called Delegated DNS Validation.
See how the full system works.
Do I need a DNS API?
No! We think giving systems DNS access is dangerous. One compromised credential and an attacker controls your entire domain.
Instead, you manually point a CNAME record at us for _acme-challenge and we handle the validation responses.
It's a one-time setup, your DNS credentials stay with you, and the worst we could ever do is mess up your certificate challenges.
That's a much smaller blast radius.
Do you support internal/private CAs?
Yes. Bring your own CA, we'll manage the lifecycle.
Import existing certificates, set renewal schedules, deploy everywhere.
Works with any CA that supports ACME.
But with our easy certificate management, you probably don't need to pay for certificates anymore.
You can get free, short-lived certificates from Let's Encrypt. Yes, even in your intranet.
How do I deploy certificates to my infrastructure?
You use the CertKit agent, which can be installed on Windows, Linux, and Docker servers. The agent links a certificate
in CertKit to software running on your infrastructure. You just specify the format and location you want certificates stored,
and the command to refresh the software.
Got vendor appliances? The CertKit agent can push certificates into common platforms like F5, Palo Alto, Citrix, and Cisco.
The agent source is available and extensible for more platforms and software types.
See how issuing, deploying, and verifying all fit together.
What about SOC2 compliance?
We're working on SOC2 compliance. We'll also have a way for you to deploy CertKit into
your own infrastructure.
While CertKit does store your private keys, that's really not so scary anymore. With Perfect Forward Secrecy certificates,
your private keys can't do anything unless we can intercept your traffic. We're not a government, so that's pretty unlikely.
How is this different than certbot?
Certbot is a fantastic Linux tool. And just like most Linux tools, you have to chain it together yourself with custom scripting to make it useful.
You have to manage your scripts, your jobs, and ensure the services restart.
Certbot runs on each server independently. When one fails, you might not know until customers complain.
Got 50 servers? That's 50 different renewal jobs to babysit. 50 different logs to check. 50 different ways for things to break.
CertKit is centralized management with distributed deployment. One place to see all your certificates.
One dashboard showing what's working and what's not. Actual monitoring that tells you about problems before they happen,
not after your site goes down. See the architecture.
How is this different than the management tool from my CA?
Your "premium" Certificate Authority spent the last 20 years fighting against certificate automation in order to
justify selling you expensive certs. Now, they're trying to sell you certificate management tools to keep you locked in.
The secret they don't want you to know is that Let's Encrypt won. More than 60% of certificates are from Let's Encrypt now,
and they are no less secure than anything else. Certificates are free now.
CertKit is straightforward, vendor agnostic, and a lot easier to work with than your old CA.
Can I white-label this to my clients?
Yes, absolutely! We'd love to work with you to customize the UI for you. Get in touch with us.
Who are you? Why are you making this?
That's two questions.
We're the small engineering team behind TrackJS and Request Metrics.
CertKit started as an internal tool for ourselves. Orchestrating SSL certificates has always been a pain point.
Our infrastructure is complicated enough we can't "just use Certbot." We wanted something centralized, monitored, and easy.
Read the full story about why we built CertKit on our blog.
Is this just AI slop?
No. This isn't an AI tool or AI-powered. It's just straightforward SSL certificate management that helps automate
the tedious, manual tasks of renewing certificates.
It's built by real engineers who knew about the problem, talked with customers, and iterated on the right way to solve it.