Abstract
In preparation for launching CertKit last week, I browsed the websites of a lot of related cybersecurity services. I don’t really understand what any of them do, but apparently, “trust” is a thing that can be sold now.
“Enabling trust.” “Building trust at scale.” “Trusted by enterprises worldwide.” “A foundation of trust for your cryptographic infrastructure.” One certificate management vendor’s homepage used some form of “trust” seventeen times.
This is performative trust maximalism: using “trust” so frequently, and so abstractly, that it loses all meaning and instead acts like a magical incantation. If we use trust enough times, the visitor will trust that we can make users trust that the trusted systems are trustworthy of their trust.
Trust.
The aesthetic
It’s not just the words, it’s the visuals. Every vendor has settled on the same stock photography: a padlock, glowing blue, suspended in front of an imaginary data center in Hackers. Or maybe the lock floats over a map of the world, with glowing connection lines suggesting that this lock is… secure? Global? Trusted?
I guess the images mean security and enterprise and global scale without making any claims that could be verified or refuted. A padlock means security. Blue means technology. A data center means serious infrastructure. Put them together and you have a vibe.
Trust, visualized.
The trouble is that every vendor uses the same images, because every vendor prompted the same AI with the same brief. The images are interchangeable. Pull the logo off one and drop it onto another and nothing changes.
I literally prompted “enterprise security stock photo. square 1:1” for the images in this post.
What would you say you do here?
What do any of these products actually do? Is it a cloud service or do I deploy it? Does it create the certificates, or just sign them? Or store them maybe? Or install them? All I know is that I can trust it.
They use words that feel important like “enterprise PKI orchestration” and “cryptographic trust infrastructure”, but have no substance. They describe a category, not a product. What does it install? Is there an agent? How does it handle a Windows server? What does “deploy” mean, specifically, in your environment?
To learn anything, you have to fill out a form. Name, title, company, company size, annual security budget. Someone will call you (gasp). Two weeks and three discovery calls later, you might get a market-ecture PDF and a quote.
Trust.
They are all doing it, so it must be deliberate. Pricing opacity is not an oversight. As soon as they name a price, they have to justify it, and justification requires specifics. Staying vague in the sales process means every prospect hears a pitch tailored to whatever they said they needed. The obscurity is the product.
The irony is that these are security vendors. The entire premise of what they’re selling is that you should trust them with your infrastructure: your private keys, certificates, TLS endpoints that you depend on. But they won’t tell you what it does or what it costs without a sales rep in the room.
What to do instead
I’m not going to pretend CertKit is immune to this stuff. It’s easy to reach for category language. It sounds authoritative. I want you to trust us. But we’ve tried to be open about why.
Our pricing is on the website. The agent and keystore source code are available to read before you install anything on your infrastructure. Dozens of blog posts here act as a running record of what we’re thinking, building, and working on next. If you want to understand what CertKit actually does, you can read about it at length, in public, before signing up for anything.
If you want to talk to someone, I’d love to hear about your setup. Book a time with me. But if you’d rather just sign up and kick the tires on your own terms, that works too. I won’t call you, I get pre-phonecall anxiety.
Trust, as it turns out, is not something you can package up and sell. It’s what’s left when you’ve been honest about what you do, for long enough that it’s not surprising anymore.
CertKit is certificate lifecycle management for teams who want to know what they’re running.