CertKit Blog

CertKit blog covers SSL certificate automation, TLS management failures, and the politics behind 47-day certificates. For admins and engineers tired of renewal hell.

Perfect Forward Secrecy Made Your Private Keys Boring

December 2025 • Todd H. Gardner
We used to treat private keys like plutonium because losing one meant every encrypted conversation ever was compromised. Perfect Forward Secrecy fixed that. Now each connection gets temporary keys that vanish after use, so stolen certificates can’t decrypt old traffic. It makes private keys safe to touch.

Read more >>
Searching Certificate Transparency Logs (Part 3)

November 2025 • Jordan Griffin
In this post we’ll build a Clickhouse database schema to store billions of Certificate Transparency Log entries.

Read more >>
Searching Certificate Transparency Logs (Part 2)

November 2025 • Eric Brandes
In this post we’ll write Golang code to pull Certificate Transparency Log entries and process them at scale.

Read more >>
Searching Certificate Transparency Logs (Part 1)

November 2025 • Eric Brandes
Searching Certificate Transparency logs lets you uncover every SSL/TLS certificate ever issued for your domain. You can detect mis-issuance, unauthorized changes, or shadow infrastructure before it becomes a problem. It’s a good way to monitor your digital identity and maintain trust in your organization’s security posture.

Read more >>
Certificate revocation is broken but we pretend it works

November 2025 • Todd H. Gardner
SSL Certificate revocation is so broken that browser vendors gave up trying to fix it. Chrome manually curates 24,000 ‘important’ revocations out of 2 million. Firefox uses bloom filters that flag valid certs as revoked. Safari does something nobody can document. The industry’s solution? Pretend 47-day certificates solve the problem.

Read more >>
BygoneSSL and the certificate that wouldn't die

October 2025 • Todd H. Gardner
When domains change hands, old certificates don’t. Two researchers at DEFCON found 1.5 million domains with valid certs owned by someone else. This is the security research that killed long certificates. And why 47-day certificates aren’t just browser bureaucracy. They’re fixing a problem we ignored for 20 years.

Read more >>
The 47-Day Certificate Ultimatum: How Browsers Broke the CA Cartel

October 2025 • Todd H. Gardner
- Certificate Management
- WebPKI
For twenty years, Certificate Authorities ran the perfect protection racket. Then SHA-1 got shattered, Apple went rogue, and certificates went from lasting 3 years to 47 days. This is the story of how browsers broke the CA cartel, and why your manual certificate process is about to become your biggest problem.

Read more >>
You Built Your Own Certificate Management System - It's Already Broken

September 2025 • Todd H. Gardner
- Certificate Management
It started as 47 beautiful lines of bash. Now it’s a distributed certificate system built on thousands of command line incantations nobody understands, running on every server and some of the printers. If someone looks at it the wrong way, a certificate expires.

Read more >>
Why We Built CertKit

September 2025 • Todd H. Gardner
- Product
- Certificate Management
SSL certificates have always been a pain. Now Apple wants us to renew them every 47 days. We watched a DevOps team waste six hours debugging CertBot, tried every tool from Cert Manager to DigiCert, then said screw it. We built CertKit - certificate management for people with better things to do.

Read more >>