Brass key and wooden box

First impressions of KeyChest – A new TLS certificate expiration tracker

On today’s web, admins have to keep track of dozens or more certificates across their various domains and servers. Manually keeping an eye on even one or two website certificates and making sure they haven’t expired is tedious work and prone to human error. You’ll eventually realize that you need an automated tool, and KeyChest is hoping to be it.

I reviewed SSLPing, a free website certificate health monitoring service. After reading that review, Dan Cvrcek, CEO of Enigma Bridge, reached out to me to let me know about their new free service called KeyChest.

During an average week I run into at least a dozen websites that throw up certificate errors because their certificates have expired. It’s a real problem that has become more common with the explosive growth in HTTPS adoption in recent years. Keeping track of certificate expiration is an important task that some websites fail to live up to.

KeyChest isn’t a certificate health monitoring tool like SSLPing yet. KeyChest only keeps track of your certificate expiration dates and TLS connectivity issues (like an uptime monitor). Unfortunately, it doesn’t notify you when something goes wrong. You have to log in and check the status of your websites on the KeyChest dashboard. I expect that this feature will be added soon, but it is a critical omission for a monitoring service.

Dan Cvrcek let me know that their long-term plan is to integrate with, and source best practices and certificate health information from, the well-respected SSLLabs.

KeyChest dashboard overview.

The design and information flow of the KeyChest dashboard focus on the things that work, with the counts of broken servers and certificates pushed to the far right-hand side of the page. The actual list of broken servers and certificates sits in the middle of the page, which requires a fair amount of scrolling to reach. Broken certificates and servers are the most important pieces of information on the dashboard and should be at the top of the page instead of hidden far down it.

The reports you get are frustratingly vague and don’t contain the information you’d need to troubleshoot a problem. E.g. in the screenshot below, the IPv6 address of a domain didn’t respond. However, without knowing what the problem is, or even which IP address is causing it, you could end up wasting a lot of time on something that a little more information from KeyChest would have resolved immediately.

KeyChest user interface listing “TLS checks failed for 1 of 2 IP addresses”. Something is wrong with one of two IP addresses. But which?

There are some great things about KeyChest, though. Unlike SSLPing, they support IPv6 for starters. KeyChest also scans every A and AAAA record for a given domain for issues, instead of only one record like SSLPing. This one feature alone makes KeyChest a better option than SSLPing.
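To make the point concrete, here is what a per-address check looks like when it does report the detail KeyChest leaves out. This is an added example written for this review, not KeyChest’s or SSLPing’s code: it resolves every A and AAAA record for a name, completes a TLS handshake with each address separately (sending SNI so virtual hosts serve the right certificate), and records, per address, either the days left on the certificate or the exact error. The resolver and prober are injectable so the sample run below works offline against constructed data (the two addresses, the dates and the simulated IPv6 timeout are all made up); `resolve_all` and `probe_tls` do the real work when you point `check_host` at a live name.

```python
"""Resolve every A and AAAA record for a name and check the certificate
behind each address separately, reporting which address failed and why.
Added example for this review; not KeyChest or SSLPing code."""
import socket
import ssl
from datetime import datetime, timezone


def resolve_all(hostname, port=443):
    """Return every (family, ip) pair the name resolves to, IPv4 and IPv6."""
    found = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(
            hostname, port, proto=socket.IPPROTO_TCP):
        pair = (family, sockaddr[0])
        if pair not in found:
            found.append(pair)
    return found


def probe_tls(hostname, family, ip, port=443, timeout=5.0):
    """Complete a TLS handshake with one specific address (SNI = hostname)
    and return the leaf certificate's notAfter as a UTC datetime."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.socket(family, socket.SOCK_STREAM) as raw:
        raw.settimeout(timeout)
        raw.connect((ip, port))
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                  tz=timezone.utc)


def check_host(hostname, now, resolver=resolve_all, prober=probe_tls,
               warn_days=14):
    """One result dict per address. A failure is recorded against the
    address that produced it instead of being collapsed into 'n of m'."""
    results = []
    for family, ip in resolver(hostname):
        try:
            not_after = prober(hostname, family, ip)
        except OSError as exc:  # ssl.SSLError is an OSError subclass
            results.append({"ip": ip, "status": "error",
                            "detail": f"{type(exc).__name__}: {exc}"})
            continue
        days_left = (not_after - now).days
        status = ("expired" if days_left < 0
                  else "expiring" if days_left <= warn_days else "ok")
        results.append({"ip": ip, "status": status, "days_left": days_left,
                        "not_after": not_after.isoformat()})
    return results


def format_report(hostname, results):
    """Human-readable report naming each address and its outcome."""
    lines = [f"{hostname}:"]
    for r in results:
        if r["status"] == "error":
            lines.append(f"  {r['ip']:<40} ERROR    {r['detail']}")
        else:
            lines.append(f"  {r['ip']:<40} {r['status'].upper():<8} "
                         f"{r['days_left']} days left (expires {r['not_after']})")
    return "\n".join(lines)


# Constructed sample (not real hosts): one A and one AAAA record, the
# IPv6 endpoint does not answer, mirroring the screenshot above.
SAMPLE_NOW = datetime(2017, 7, 1, tzinfo=timezone.utc)
SAMPLE_ADDRS = [(socket.AF_INET, "192.0.2.10"),
                (socket.AF_INET6, "2001:db8::10")]


def sample_resolver(hostname):
    return list(SAMPLE_ADDRS)


def sample_prober(hostname, family, ip):
    if family == socket.AF_INET6:
        raise OSError("timed out")  # simulated dead AAAA endpoint
    return datetime(2017, 7, 10, tzinfo=timezone.utc)


def demo():
    return check_host("www.example.com", SAMPLE_NOW,
                      resolver=sample_resolver, prober=sample_prober)


if __name__ == "__main__":
    print(format_report("www.example.com", demo()))
    # Live check of a real name:
    # h = "www.example.com"
    # print(format_report(h, check_host(h, datetime.now(timezone.utc))))
```

The sample run reports the IPv4 address as expiring in 9 days and the IPv6 address as `ERROR OSError: timed out`, which is exactly the one line the KeyChest dashboard is missing. Note that `create_default_context()` fails the handshake on an untrusted chain or a name mismatch, so those show up as per-address errors rather than being silently accepted.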

They also auto-discover subdomains and certificates by looking up a domain in the Certificate Transparency logs. You only need to provide your top-level domain, and they’ll find all certificates issued for it. This can be useful for monitoring which certificates exist within a large organization, where such things can be hard to keep track of. It can also save you a lot of time keeping track of which certificates and servers need monitoring.
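The same discovery can be done by hand from a Certificate Transparency search engine. The following is an added example for this review, not KeyChest’s own discovery code: it takes crt.sh’s JSON output for `%.example.com`, splits each entry’s `name_value` (all subject alternative names, newline separated) into hostnames, keeps the latest-expiring certificate seen for each name so renewals supersede older entries, and flags expired and soon-to-expire names. The field names assume crt.sh’s JSON output as it was at the time of writing; the sample entries, issuer and dates are constructed so the demo runs offline, while `fetch_ct_entries` performs the live lookup.

```python
"""Discover the certificates issued for a domain from Certificate Transparency
(crt.sh JSON output) and flag expired or expiring names.
Added example for this review; not KeyChest's own discovery code."""
import json
from datetime import datetime, timezone
from urllib.parse import quote
from urllib.request import urlopen

CRT_SH = "https://crt.sh/?q={q}&output=json"


def fetch_ct_entries(domain):
    """Live query: every logged certificate whose name matches %.domain.
    Field names used below (id, issuer_name, name_value, not_after)
    follow crt.sh's JSON output at the time of writing."""
    with urlopen(CRT_SH.format(q=quote(f"%.{domain}"))) as resp:
        return json.loads(resp.read().decode("utf-8"))


def parse_ct_time(value):
    # crt.sh returns naive ISO timestamps such as 2017-07-20T00:00:00 (UTC)
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def discover(entries, domain, now, warn_days=30):
    """Collapse CT entries to one record per hostname, keeping the
    latest-expiring certificate for that name (a renewal supersedes)."""
    domain = domain.lower()
    suffix = "." + domain
    latest = {}
    for entry in entries:
        not_after = parse_ct_time(entry["not_after"])
        # name_value lists every SAN on the certificate, one per line
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower()
            # re-check the suffix client-side rather than trusting the
            # server-side pattern match
            if name != domain and not name.endswith(suffix):
                continue
            prev = latest.get(name)
            if prev is None or not_after > prev["not_after"]:
                latest[name] = {"not_after": not_after, "ct_id": entry["id"],
                                "issuer": entry["issuer_name"]}
    report = []
    for name in sorted(latest):
        rec = latest[name]
        days_left = (rec["not_after"] - now).days
        status = ("expired" if days_left < 0
                  else "expiring" if days_left <= warn_days else "ok")
        report.append({"name": name, "wildcard": name.startswith("*."),
                       "status": status, "days_left": days_left,
                       "ct_id": rec["ct_id"], "issuer": rec["issuer"]})
    return report


# Constructed sample response in crt.sh's JSON shape (not real log data).
SAMPLE_ISSUER = "C=US, O=Example CA, CN=Example CA R1"
SAMPLE_ENTRIES = [
    {"id": 100, "issuer_name": SAMPLE_ISSUER,
     "name_value": "example.com\nwww.example.com",
     "not_before": "2017-01-01T00:00:00", "not_after": "2017-04-01T00:00:00"},
    {"id": 101, "issuer_name": SAMPLE_ISSUER,      # renewal of entry 100
     "name_value": "www.example.com",
     "not_before": "2017-04-21T00:00:00", "not_after": "2017-07-20T00:00:00"},
    {"id": 102, "issuer_name": SAMPLE_ISSUER,
     "name_value": "*.example.com",
     "not_before": "2017-02-01T00:00:00", "not_after": "2018-02-01T00:00:00"},
    {"id": 103, "issuer_name": SAMPLE_ISSUER,
     "name_value": "mail.example.com",
     "not_before": "2017-03-22T00:00:00", "not_after": "2017-06-20T00:00:00"},
]
SAMPLE_NOW = datetime(2017, 7, 1, tzinfo=timezone.utc)


def demo():
    return discover(SAMPLE_ENTRIES, "example.com", SAMPLE_NOW)


if __name__ == "__main__":
    for r in demo():
        print(f"{r['name']:<24} {r['status']:<8} {r['days_left']:>5} days"
              f"  (crt.sh id {r['ct_id']})")
    # Live: discover(fetch_ct_entries("example.com"), "example.com",
    #                datetime.now(timezone.utc))
```

Two caveats a practitioner should keep in mind when using CT this way, whether by hand or through KeyChest: the logs record certificates that were issued, not certificates that are deployed, so a renewed certificate that was logged but never installed looks healthy here while the server still serves the old one, and a name that no longer resolves still appears. Treat the output as a seed list of names to feed into per-address checks, not as the health check itself.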

There are a ton of bugs, and KeyChest is definitely not a finished product yet. The “Remember me” checkbox on the login page does exactly nothing (cookies still expire at the end of the session), and the link to the settings page simply says “More to come …” even though there is a perfectly functional settings page if you dig around a little. Confusingly, if you collapse the sidebar on the left of the screen, the name changes from “KeyChest” to “KA” (??). There are small things like this everywhere you look.

Conclusions

It’s buggy but it’s showing promise. I can see potential for KeyChest, but I don’t see much value in the service at this time. They offer the service for free for up to 1000 domains/3000 servers.

The poor incident reports and the lack of email notifications when trouble is detected seriously diminish the value of the service.

KeyChest needs to get the certificate health checks in place, and it needs much more detailed reports when something goes wrong. There is some value in being told that there is a problem with one domain, but when you don’t know what the problem is, you risk wasting a lot of time chasing down something that would have been trivial to fix had you known.

I can’t recommend KeyChest at this time, but if you need a service like KeyChest — then you should bookmark it and revisit it in a couple of months.

Sources

  • Email exchange with Dan Cvrcek, CEO of Enigma Bridge

Some screenshots have been manipulated to remove private data and to make them more compact.

The feature image is based on the photo “Brass key and wooden box” by © 2011 Erica Britto, used under the terms of CC BY 2.0.