Todd Gardner is the CEO of CertKit, where he channels certificate-induced trauma into building tools that actually work. After watching too many teams waste entire days debugging CertBot failures and witnessing the certificate management “solutions” that cost more than the problems they solve, he decided enough was enough.
Todd writes about the realities of certificate management, the industry politics behind shortened certificate lifespans, and why your homegrown certificate solution is definitely going to break at 3 AM on a holiday weekend. He believes in technical honesty over marketing fluff and thinks the best documentation includes actual error messages you’ll encounter.
When he’s not complaining about 47-day certificates or fixing whatever Let’s Encrypt changed this week, Todd is building CertKit into the certificate management platform he wishes existed ten years ago.
SSL Certificate revocation is so broken that browser vendors gave up trying to fix it. Chrome manually curates 24,000 ‘important’ revocations out of 2 million. Firefox uses bloom filters that flag valid certs as revoked. Safari does something nobody can document. The industry’s solution? Pretend 47-day certificates solve the problem.
When domains change hands, old certificates don’t. Two researchers at DEFCON found 1.5 million domains with valid certs owned by someone else. This is the security research that killed long certificates. And why 47-day certificates aren’t just browser bureaucracy. They’re fixing a problem we ignored for 20 years.
For twenty years, Certificate Authorities ran the perfect protection racket. Then SHA-1 got shattered, Apple went rogue, and certificates went from lasting 3 years to 47 days. This is the story of how browsers broke the CA cartel, and why your manual certificate process is about to become your biggest problem.
It started as 47 beautiful lines of bash. Now it’s a distributed certificate system built on thousands of command line incantations nobody understands, running on every server and some of the printers. If someone looks at it the wrong way, a certificate expires.
SSL certificates have always been a pain. Now Apple wants us to renew them every 47 days. We watched a DevOps team waste six hours debugging CertBot, tried every tool from Cert Manager to DigiCert, then said screw it. We built CertKit - certificate management for people with better things to do.
CertKit