KeyChest lost some user data - please read a post-mortem and more here.
Certificate monitoring KeyChest logo

Expiry monitoring which discovers your HTTPS certificates

Loading...

Welcome to KeyChest certificate monitoring

KeyChest of Enigma Bridge is a certificate expiry monitoring service. It uses internet databases and checks configuration of your servers. KeyChest dashboard gives you all the information you need for operational teams, as well as performance charts (KPIs).

KeyChest can enroll all your servers and domain names within minutes. It will also continuously discover new certificates within domain names you set as "Active Domain". It is how we believe monitoring should work - automatically.

Note: This free service running KeyChest Professional only imposes "fair-use" limits so you can use it to monitor even thousands of your certificates. It will check status HTTPS servers, but also web applications using the TLS protocol.

Spot check

just paste your domain, no registration

  • expiration date/validity of a certificate on the server
  • HTTPS/TLS downtime in the last 2 years
  • certificate chain completeness
  • certificate issuer
  • correct name in the certificate
  • SSL/TLS version - it should be TLS version 1.2
  • HTTP Strict Transport Security (HSTS) flag from web servers
  • time gaps in certificates over the last 2 years
  • certificate neighbors - other domain names in the server’s certificate

Dashboard

register with email or social account

  • massive options for enrolment - single servers, bulk enrolment, fully automated enrolment of subdomain servers
  • plan for next 28 days
  • monthly certificate renewal estimates for next 12 months
  • incidents - DNS errors, servers without a valid certificate, incomplete trust chain, TLS availability, incorrect certificate name
  • certificate inventory over the last 12 months
  • several certificate statistics (issuers, domains per certificate, types of certificates)
  • weekly emails with important indicators and tasks for next 28 days

Our vision

Our main goal with KeyChest is to encourage the use of HTTPS by improving the management experience. The single most important downside of using certificates and HTTPS is that websites and web services become unavailable once their certificates expire. The growing number of people using Let's Encrypt certificates with just 3 months' validity makes the problem ever more visible.

There is no point in discussing the security if your online business or service is not running.

While KeyChest doesn't solve (yet) the problem of certificate renewal, it helps its users to plan related operational tasks (certificate renewal, deployment, or application restarts). It also gives you piece of mind that you didn't forget any of your services by providing a dashboard with all the information in one place.

We are now also working on the KeyChest Enterprise for use within large organizations, or where there is a team managing certificates. This version is going to be available as managed service instances hosted either in a public cloud, or within clients' networks. A natural progression is to start actively managing certificates from dedicated instances. We have already built our cloud encryption service with secure hardware to manage keys and our current task is to extend the capabilities to support different types of clients and environments.

Private instances and enterprise option

We want to help the community to use HTTPS so that the enhanced security also improves the quality of your business and our internet experience. Our free service at KeyChest.net uses KeyChest Professional and our aim is to keep it free.

Our business model is built around KeyChest Enterprise and dedicated instances of KeyChest Professional. They can be hosted in Amazon cloud, on your internal server(s), or elsewhere (needs prior agreement).

KeyChest Enterprise adds features useful for teams, and large companies:

  • API - essential API will be available in Professional version - see the roadmap.

  • Integration.

  • User/role management.

  • Enterprise networks scanning.

  • Governance.

We have a simple pricing structure based on the number of users and independent scanners only.

  • KeyChest Professional - $1,000/year or $100/month

  • KeyChest Enterprise (with 2 users) - $2,000/year or $200/month, with each additional scanner at $100/month and user at $40/month

If you have a question, please get in touch with our support.

Here’s how we compare

The following table compares features of KeyChest Professional with Letsmonitor.org and certificatemonitor.org.

Feature

letsmonitor.org

certificatemonitor.org

keychest.net

Primary focus

networking
certificate expiry
HTTPS/TLS uptime and security

Enrolment

one server at a time
up to 20 at a time
bulk servers, whole domains (Active Domains)

Views

rule-per-server views
none, only emails
all-in-one view

API

planned
none
yes

Ports

443 or user-defined
443
443 or user-defined

Tests

servers
servers
CT logs (certificate transparency), and servers

Frequency

hourly
every other day
4-12 hours (varies per test type)

Emails

once before expiration
up to 9 reminders
weekly - inventory and planner for all certs

Monitoring

150+ stations
centrally, 1 instance
centrally, 1 instance

Security tests

simple
  • certs expiry on selected servers
certificate expiry only
deployed, CT logs, cross-checking
  • expiry of deployed certs
  • all issued certs
  • difference between issued and effective certs

Road map

  • Dashboard launched - 27 Jun 2017
  • Bulk import and auto discovery of sub-domains - 10 July 2017
  • Strategy for enterprise version published - 14 July 2017
  • Independent scanners (KeyChest Enterprise) - 7 August 2017
  • Dashboard update according to feedback - 10 August 2017
  • IP address-based scanning (KeyChest Enterprise) - mid-October 2017
  • Detailed scanning results for each IP address - early-October 2017
  • ROCA vulnerability testing - 16 October 2017
  • Essential RESTful API - 30 October 2017
  • Integration with Slack - ?? November 2017
  • Ansible integration for certificate renewal - ?? November 2017
  • User/roles (KeyChest Enterprise) - ?? November 2017
You can now support this free service so we can scale it up and further relax fair-use restrictions. Donate

Feel free to email us at keychest@enigmabridge.com, if you have in mind particular details or a feature you’d like to see.

We are Enigma Bridge Ltd, 20 Bridge St, Cambridge, CB2 1UF, United Kingdom and we read keychest@enigmabridge.com
Terms of Service | Privacy Policy

Certificate monitoring KeyChest logo

Spot check is a powerful tool for a quick assessment of the SSL/TLS configuration of your servers.

It resolves the name of a server you provide and runs a series of tests against one of the IP addresses. It does not follow HTTP redirects, but it shows if one is in place so you can follow the link manually. If there are more IP addresses you can see the list and use it to check a particular IP address, if appropriate.

The list of spot check tests:

Possible errors returned by the TLS/HTTPS scanner are:

If you are not sure the results you can see are correct, or have any other question, please let us know at support @ enigmabridge.com or use a support form to get in touch.