KeyChest.net - a monitoring tool totally about keys and certificates

https://keychest.net

It’s in beta and we still need to shape it to give you the most value free of charge.

The list of features will be quickly evolving over the next month or so. Currently, we show a 12 months’ plan, a short-term 28-day list of tasks, info from direct connections to servers, as well as CT logs, and some basic stats/information.

We have just now (10 July, 18 pm GMT) published a big upgrade of KeyChest. Two major new features improve automation and quick enrollment:

  1. Bulk import of domains/servers - copy&paste of up to 100 servers; and
  2. “Active Domains”, where KeyChest automatically registers new servers in a given domain. If you switch on the Watch Now feature, new servers will be automatically included in your Dashboard.
  3. TLS handshake scanner now also supports servers with IPv6 only!

Note: we have temporarily limited the number of servers you can monitor to 4,000 to keep the service running.

https://vimeo.com/228584972

2 Likes

Just a thought - would anyone be interested in an API for automation?

1 Like

Just reached 200 registered users. Thank you all!

5 Likes

Very nice and clean design. It would be nice to also have an option to check for domain expiry and all this in the same cool design. Thanks for the nice tool!

Thanks!

This feature is coming soon - probably next week. If there are certificates expiring within 28 days (or if there's a problem with a server), KeyChest will send an email once a week with an overview of all certificates that need attention.

The next upgrade (tomorrow) will include automatic discovery of servers within a given domain.

KeyChest will send an email once a week with an overview of all certificates that need attention.

That's exactly how our scripts work now, but having a nice GUI is nice, so keep up the good work!

1 Like

I like it, it’s not overcomplicated, just as simple as it should be (for now at least). The thing I miss that might contradict the simple part is “user groups”. In my organisation we are at least 20-30 people handling certificates in multiple regions. However, we’d like to centralize the “monitoring” and our certificate inventory.

It would be nice to be able to create a “user group” or an organisation that you can invite users to and every one has access to the same set of data.

To the next question, is it possible to document the IP address which this application communicates from? We have a few locked down services using an IP “white list”.

Regards,
Erik

Hi, and thank you very much!

Well, this kind of user group management goes a wee bit beyond what we are able to offer as a free cloud service. But we have had many requests like this since the launch a week ago and will offer an "enterprise" version soon - cloud as well as on-premise. Send me a message here, or email us (support at enigmabridge.com) if you're interested in that.

1 Like

@DanCvrcek do you have any plans to open source any of this?

Thanks for the note!

At the moment, we are quite amazed by the positive response - number of users, feedback. We will definitely keep keychest.net free for the community with some new exciting features coming. We need to discuss whether we can build a business model for it - enterprise features / on-premise / ... An open-source option in some form is on the table but we need a bit of time to decide.

Sounds good. Thanks for all your work!

1 Like

That would be awesome. Makes it easy to pull subdomains/servers from places like CloudFlare.

Nice tool.
I’m in :)

1 Like

Added a cool automation to https://keychest.net - “Active Domains”. You enter your domain name, e.g. letsencrypt.com, and it will automatically find all servers that exist and start regularly searching for new servers with certificates.

This service is awesome, thank you for creating it!
One question, some of my domains show a DNS error yet I can’t find a way to get any details on what the error was. All certs were successfully verified so DNS lookup must have worked.

DNS error should show when we can't resolve the server name. What may have happened was an IPv6 error. We have enabled IPv6 on KeyChest servers and didn't get round to proper resolution that would check both - IPv6 and IPv4 - yet. I hope the next version will show more details.

But we also may have a bug in converting error codes into screen messages. Can you please drop me a message with a domain in question? I'd get back to you asap.

Thanks, we're glad you like it! Tell your friends :)

We have now reached 8,000 monitoring targets, i.e., KeyChest now monitors 8,000+ servers.

We have optimized the backend and database, doubled CPU cores (again), and made some small improvements. We have now also agreed how to differentiate free and enterprise versions:

  • on premise instances
  • user/role management
  • server/target subsets - for separate views of certificates relevant to different user roles/business units
  • independent scanning agents

Other than that, you get exactly the same information about your servers and certificates, ease of adding new servers and self-discovery of new ones, etc.

1 Like

How is it going with this project?

A break due to DEFCON/BlackHat presentations. But we stabilized the performance and reliability. We have a couple of large customers with 3,000+ servers monitored - great for ironing out UI. Overall, KeyChest now monitors 15,000 servers and analyses 85,000 certificates for over 600 users.

The latest update was on Thursday and we expect weekly updates for a month now or so. Interestingly, with active domains, the problem is not to add servers, but to remove them :)

The current priority is a couple of enterprise features - user/role management for teams, and IP-based scanning.

The free version will start showing results for all detected IP addresses and allow entry of custom IP address for servers behind CDN.

Oh yeah - a 49 second video of what it looks like using KeyChest is at Vimeo.

Today, we have completed another upgrade at https://keychest.net. This one is not so visible from the user interface but we completed the weekly status emailing facility. Also:

  1. It now works on IE10 and 11;
  2. supports work with large numbers (hundreds/thousands) of certificates - bulk actions, paging back and forward by 5 pages, …
  3. a background video at KeyChest Registration with video of inside - so you can see what it looks like inside, before you “give us” your email address

Next update again in a week’s time or so.

1 Like