KeyChest of Enigma Bridge is the tool you need to stay on top of all your certificates and
your boss, if you have any.
You can use KeyChest to plan your renewals, get your weekly inventory summary and present
KPIs (key performance indicators) to your boss or your team.
We don’t mind if you use KeyChest for your web servers, email servers, web services, or to keep your infrastructure running.
We treat all certificates equal, whether you paid $500 for each, got them free from Let's
created them yourself.
When you create an account, you can quickly populate your dashboard
using domain names with wildcards to search for servers and print the first set of KPIs
expiration date / validity of a certificate on the server
certificate chain completeness
correct name in the certificate
SSL/TLS version - it should be TLS version 1.2
HTTP Strict Transport Security (HSTS) flag from web servers
time gaps in certificates over the last 2 years
certificate neighbors - other domain names in the server’s certificate
Dashboard (subject to change)
plan for next 28 days
monthly certificate renewal estimates for next 12 months
incidents - servers without a valid certificate
certificate inventory over the last 12 months
several certificate statistics (issuers, domains per certificate, legacy
weekly emails with important indicators and tasks for next 28 days
Road map milestones
Dashboard launched - 27 Jun 2017
Bulk import and auto discovery of sub-domains - 10 July 2017
Strategy for enterprise version published - 14 July 2017
RESTful API, integrations - ?? August 2017
Dashboard update according to feedback - ?? August 2017
Enterprise version - ?? September 2017
Letsencrypt users seem to like letsmonitor.org - here’s how we compare
The following table compares features of KeyChest with Letsmonitor.org.
Adding new items
one server at a time
domains (with wildcards)
CT logs (certificate transparency), and servers (optional)
weekly and on demand
certs - once before expiration
weekly - inventory and planner for all certs
centrally, 1+ instances, additional instances for availability
certs expiry on selected servers
deployed, CT logs, cross-checking
expiry of deployed certs
all issued certs
difference between issued and effective certs
Will we ever charge you for this service?
Our plan is to keep this service free, including evolutionary features. We have some
thoughts about subscriptions, but these will be only for substantial extensions of
KeyChest, and customization of this service for on-premise monitoring of your
Enterprise version will evolve around features, which make sense for large
on-premise instances, user/role management,
monitoring "sub-spaces", independent scanning agents, and security policies for
Spot check is a powerful tool for quick assessment of the SSL/TLS configuration of your servers.
It resolves the DNS name you provide and runs a series of tests against that IP address.
It does not follow redirects automatically, but it shows a redirect if one is detected, so you can
quickly run another check against the detected server.
The list of spot check tests:
certificate expiration - how many days till the certificate expires;
downtime - downtime during the last 2 years; CT logs data amended with server checks if this data is available;
trust chain - whether the server provides a complete chain of certificates needed
certificate issuer - it shows the name of the certificate issuer (if set);
list of neighbors - the list of all names in the certificate;
hostname match - whether the name(s) in the certificate contain the server's name;
SSL detection - if your server uses an insecure version (SSL2 or SSL3), it will be flagged; and
HSTS - whether HSTS (HTTP Strict Transport Security) is enabled.
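The sketch below is an added example, not KeyChest's own code. It shows how several of the listed tests (expiration, issuer, neighbors, hostname match, SSL detection, HSTS) can be evaluated once the certificate and response headers have been collected. The function names and the sample certificate, headers and date are constructed for illustration; the trust chain and downtime tests are left out because they need a live connection and CT log data.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict format returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "issuer": ((("organizationName", "Constructed Test CA"),),),
    "notAfter": "Sep 25 12:00:00 2017 GMT",
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
}
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
SAMPLE_NOW = datetime(2017, 8, 26, 12, 0, 0, tzinfo=timezone.utc)

def days_left(cert, now):
    # notAfter uses the OpenSSL text format; the ssl module converts it to epoch seconds.
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).days

def neighbors(cert):
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, host):
    # A wildcard stands for exactly one left-most label, never for several.
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and (p[0] == "*" or p[0] == h[0])

def hsts_max_age(headers):
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    for directive in (value or "").split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            return int(arg.strip('"'))
    return None

def spot_check(host, cert, headers, tls_version, now):
    # tls_version is the string reported by ssl.SSLSocket.version(), e.g. "TLSv1.2".
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    names = neighbors(cert)
    return {
        "days_left": days_left(cert, now),
        "issuer": issuer.get("organizationName"),
        "neighbors": names,
        "hostname_match": any(name_matches(n, host) for n in names),
        "legacy_ssl": tls_version in ("SSLv2", "SSLv3"),
        "hsts": (hsts_max_age(headers) or 0) > 0,
    }
```

An HSTS header with `max-age=0` is reported as not enabled, since that value tells browsers to drop the policy.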