100% HTTPS uptime with KeyChest

One place for your TLS/HTTPS certificates

We have created a few stories with information about using, managing, and auditing your certificates. 

Certificate monitoring KeyChest - world at hand

KeyChest spot check

Learn more about what our spot check is for and how to use it.

Certificate monitoring KeyChest - secure gateway

Let’s Encrypt in numbers

We have compiled all the information we could find so you can decide if Let’s Encrypt certificates are for you.

Certificate monitoring KeyChest lock

Understand spot check results

A detailed explanation of the results of our KeyChest spot checks.

                    monitoring KeyChest - Letsencrypt uptime

Let's Encrypt Uptime Analysis

We have analyzed status logs of Let's Encrypt production systems from January 2016 till September 2017 to understand the reliability of Let's Encrypt issuance and validation services.

Certificate monitoring KeyChest - flawed key generation in Infineon security chips

ROCA bug - quantum effects

Masaryk University has discovered a serious fault in RSA key generation inside Infineon security chips, which are used by tens of millions of devices and thousands of companies.

Welcome to KeyChest certificate monitoring

KeyChest of Enigma Bridge is a certificate expiry monitoring service. It uses internet databases and checks configuration of your servers. KeyChest dashboard gives you all the information you need for operational teams, as well as performance charts (KPIs).

KeyChest can enroll all your servers and domain names within minutes. It will also continuously discover new certificates within domain names you set as "Active Domain". It is how we believe monitoring should work - automatically.

Note: This free service running KeyChest Professional only imposes "fair-use" limits so you can use it to monitor even thousands of your certificates. It will check status HTTPS servers, but also web applications using the TLS protocol.

Spot check

just paste your domain, no registration

  • expiration date/validity of a certificate on the server
  • HTTPS/TLS downtime in the last 2 years
  • certificate chain completeness
  • certificate issuer
  • correct name in the certificate
  • SSL/TLS version - it should be TLS version 1.2
  • HTTP Strict Transport Security (HSTS) flag from web servers
  • time gaps in certificates over the last 2 years
  • certificate neighbors - other domain names in the server’s certificate


register with email or social account

  • massive options for enrolment - single servers, bulk enrolment, fully automated enrolment of subdomain servers
  • plan for next 28 days
  • monthly certificate renewal estimates for next 12 months
  • incidents - DNS errors, servers without a valid certificate, incomplete trust chain, TLS availability, incorrect certificate name
  • certificate inventory over the last 12 months
  • several certificate statistics (issuers, domains per certificate, types of certificates)
  • weekly emails with important indicators and tasks for next 28 days

Our vision

Our main goal with KeyChest is to encourage the use of HTTPS by improving the management experience. The single most important downside of using certificates and HTTPS is that websites and web services become unavailable once their certificates expire. The growing number of people using Let's Encrypt certificates with just 3 months' validity makes the problem ever more visible.

There is no point in discussing the security if your online business or service is not running.

While KeyChest doesn't solve (yet) the problem of certificate renewal, it helps its users to plan related operational tasks (certificate renewal, deployment, or application restarts). It also gives you piece of mind that you didn't forget any of your services by providing a dashboard with all the information in one place.

We are now also working on the KeyChest Enterprise for use within large organizations, or where there is a team managing certificates. This version is going to be available as managed service instances hosted either in a public cloud, or within clients' networks. A natural progression is to start actively managing certificates from dedicated instances. We have already built our cloud encryption service with secure hardware to manage keys and our current task is to extend the capabilities to support different types of clients and environments.

Private instances and enterprise option

We want to help the community to use HTTPS so that the enhanced security also improves the quality of your business and our internet experience. Our free service at KeyChest.net uses KeyChest Professional and our aim is to keep it free.

Our business model is built around KeyChest Enterprise and dedicated instances of KeyChest Professional. They can be hosted in Amazon cloud, on your internal server(s), or elsewhere (needs prior agreement).

KeyChest Enterprise adds features useful for teams, and large companies:

  • API - essential API will be available in Professional version - see the roadmap.

  • Integration.

  • User/role management.

  • Enterprise networks scanning.

  • Governance.

We have a simple pricing structure based on the number of users and independent scanners only.

  • KeyChest Professional - $1,000/year or $100/month

  • KeyChest Enterprise (with 2 users) - $2,000/year or $200/month, with each additional scanner at $100/month and user at $40/month

If you have a question, please get in touch with our support.

Here’s how we compare

The following table compares features of KeyChest Professional with Letsmonitor.org and certificatemonitor.org.





Primary focus

certificate expiry
HTTPS/TLS uptime and security


one server at a time
up to 20 at a time
bulk servers, whole domains (Active Domains)


rule-per-server views
none, only emails
all-in-one view




443 or user-defined
443 or user-defined


CT logs (certificate transparency), and servers


every other day
4-12 hours (varies per test type)


once before expiration
up to 9 reminders
weekly - inventory and planner for all certs


150+ stations
centrally, 1 instance
centrally, 1 instance

Security tests

  • certs expiry on selected servers
certificate expiry only
deployed, CT logs, cross-checking
  • expiry of deployed certs
  • all issued certs
  • difference between issued and effective certs

Road map

  • Dashboard launched - 27 Jun 2017
  • Bulk import and auto discovery of sub-domains - 10 July 2017
  • Strategy for enterprise version published - 14 July 2017
  • Independent scanners (KeyChest Enterprise) - 7 August 2017
  • Dashboard update according to feedback - 10 August 2017
  • IP address-based scanning (KeyChest Enterprise) - mid-October 2017
  • Detailed scanning results for each IP address - early-October 2017
  • ROCA vulnerability testing - 16 October 2017
  • Essential RESTful API - 30 October 2017
  • Integration with Slack - ?? November 2017
  • Ansible integration for certificate renewal - ?? November 2017
  • User/roles (KeyChest Enterprise) - ?? November 2017
You can now support this free service so we can scale it up and further relax fair-use restrictions. Donate

Feel free to email us at keychest@enigmabridge.com, if you have in mind particular details or a feature you’d like to see.

We are Radical Prime Limited, 152-160 City Road London EC1V 2NX, United Kingdom and we read support@radicalprime.com
Terms of Service | Privacy Policy | KeyChest Professional (v0.1.17-3-g98a85a1-dirty)

Certificate monitoring KeyChest logo