Certificate expiry monitoring KeyChest logo

Terms and conditions

KeyChest is a certificate expiry and server monitoring for TLS and HTTPS. Enigma Bridge gives you free access to KeyChest at https://keychest.net. KeyChest provides bulk enrollment, as well as continuous discovery of new subdomains. You can access your data via an online dashboard and regular status updates.

By using this free KeyChest service, you agree to the following terms and conditions:

DATA COLLECTION: This service collects data about your activity as well as certificate and other checks it performs on your behalf. We do not collect any personal or other identifiable data beyond what is necessary for the provision of the described services.

USE OF PERSONAL DATA: The primary personally identifiable information we collect and store is your email address. You may be able to enter additional information to enable particular functions of KeyChest. We will use your personal information to provide KeyChest functions. We may also use your personal information to get in touch with updates relevant to KeyChest and/or the service provider.

SERVICE PROVIDER: This service is provided by Enigma Bridge Ltd, registered in England, UK. Postal address is 20 Bridge Street, CB2 1UF Cambridge, United Kingdom. The electronic contact to the service provider as support@enigmabridge.com .

LIABILITY: You use services provided at https://keychest.net at your own risk. All the services at https://keychest.net are provided on an 'as is' and 'as available' basis. We are not liable for damages, direct or consequential, resulting from any failure to provide service, suspension of service, or termination of service. We do not guaranty the availability of the services. You agree not to hold us responsible for data loss or interruption of service of any kind.

If you want to use KeyChest for your production or critical systems and, send a request to the service provider as it offers subscriptions with well-defined service layer agreements (SLA).

Welcome to KeyChest certificate monitoring

KeyChest of Enigma Bridge is a certificate expiry monitoring service. It uses internet databases and checks configuration of your servers. KeyChest dashboard gives you all the information you need for operational teams, as well as performance charts (KPIs).

KeyChest can enroll all your servers and domain names within minutes. It will also continuously discover new certificates within domain names you set as "Active Domain". It is how we believe monitoring should work - automatically.

Note: This free service running KeyChest Professional only imposes "fair-use" limits so you can use it to monitor even thousands of your certificates. It will check status HTTPS servers, but also web applications using the TLS protocol.

Spot check

just paste your domain, no registration

  • expiration date/validity of a certificate on the server
  • HTTPS/TLS downtime in the last 2 years
  • certificate chain completeness
  • certificate issuer
  • correct name in the certificate
  • SSL/TLS version - it should be TLS version 1.2
  • HTTP Strict Transport Security (HSTS) flag from web servers
  • time gaps in certificates over the last 2 years
  • certificate neighbors - other domain names in the server’s certificate


register with email or social account

  • massive options for enrolment - single servers, bulk enrolment, fully automated enrolment of subdomain servers
  • plan for next 28 days
  • monthly certificate renewal estimates for next 12 months
  • incidents - DNS errors, servers without a valid certificate, incomplete trust chain, TLS availability, incorrect certificate name
  • certificate inventory over the last 12 months
  • several certificate statistics (issuers, domains per certificate, types of certificates)
  • weekly emails with important indicators and tasks for next 28 days

Our vision

Our main goal with KeyChest is to encourage the use of HTTPS by improving the management experience. The single most important downside of using certificates and HTTPS is that websites and web services become unavailable once their certificates expire. The growing number of people using Let's Encrypt certificates with just 3 months' validity makes the problem ever more visible.

There is no point in discussing the security if your online business or service is not running.

While KeyChest doesn't solve (yet) the problem of certificate renewal, it helps its users to plan related operational tasks (certificate renewal, deployment, or application restarts). It also gives you piece of mind that you didn't forget any of your services by providing a dashboard with all the information in one place.

We are now also working on the KeyChest Enterprise for use within large organizations, or where there is a team managing certificates. This version is going to be available as managed service instances hosted either in a public cloud, or within clients' networks. A natural progression is to start actively managing certificates from dedicated instances. We have already built our cloud encryption service with secure hardware to manage keys and our current task is to extend the capabilities to support different types of clients and environments.

Private instances and enterprise option

We want to help the community to use HTTPS so that the enhanced security also improves the quality of your business and our internet experience. Our free service at KeyChest.net uses KeyChest Professional and our aim is to keep it free.

Our business model is built around KeyChest Enterprise and dedicated instances of KeyChest Professional. They can be hosted in Amazon cloud, on your internal server(s), or elsewhere (needs prior agreement).

KeyChest Enterprise adds features useful for teams, and large companies:

  • API - essential API will be available in Professional version - see the roadmap.

  • Integration.

  • User/role management.

  • Enterprise networks scanning.

  • Governance.

We have a simple pricing structure based on the number of users and independent scanners only.

  • KeyChest Professional - $1,000/year or $100/month

  • KeyChest Enterprise (with 2 users) - $2,000/year or $200/month, with each additional scanner at $100/month and user at $40/month

If you have a question, please get in touch with our support.

Here’s how we compare

The following table compares features of KeyChest Professional with Letsmonitor.org and certificatemonitor.org.





Primary focus

certificate expiry
HTTPS/TLS uptime and security


one server at a time
up to 20 at a time
bulk servers, whole domains (Active Domains)


rule-per-server views
none, only emails
all-in-one view




443 or user-defined
443 or user-defined


CT logs (certificate transparency), and servers


every other day
4-12 hours (varies per test type)


once before expiration
up to 9 reminders
weekly - inventory and planner for all certs


150+ stations
centrally, 1 instance
centrally, 1 instance

Security tests

  • certs expiry on selected servers
certificate expiry only
deployed, CT logs, cross-checking
  • expiry of deployed certs
  • all issued certs
  • difference between issued and effective certs

Road map

  • Dashboard launched - 27 Jun 2017
  • Bulk import and auto discovery of sub-domains - 10 July 2017
  • Strategy for enterprise version published - 14 July 2017
  • Independent scanners (KeyChest Enterprise) - 7 August 2017
  • Dashboard update according to feedback - 10 August 2017
  • IP address-based scanning (KeyChest Enterprise) - mid-October 2017
  • Detailed scanning results for each IP address - early-October 2017
  • ROCA vulnerability testing - 16 October 2017
  • Essential RESTful API - 30 October 2017
  • Integration with Slack - ?? November 2017
  • Ansible integration for certificate renewal - ?? November 2017
  • User/roles (KeyChest Enterprise) - ?? November 2017
You can now support this free service so we can scale it up and further relax fair-use restrictions. Donate

Feel free to email us at keychest@enigmabridge.com, if you have in mind particular details or a feature you’d like to see.

We are Radical Prime Limited, 152-160 City Road London EC1V 2NX, United Kingdom and we read support@radicalprime.com
Terms of Service | Privacy Policy | KeyChest Professional (v0.1.17-3-g98a85a1-dirty)

Certificate monitoring KeyChest logo