The Silence Before Production Breaks.
Certificates don't just expire. They break silently. cert9 transforms that uncomfortable uncertainty into an operational truth you can act on before PagerDuty fires.
ACME Automates Issuance. It Doesn't Manage Lifecycle.
ACME issues certificates. It does not verify they remain healthy, correctly deployed, and safe in production.
Standard ACME Client
Stops at successful issuance.
- Writes TLS Secret
- Assumes Ingress / Gateway reload succeeds
- Retries failed challenges
- Marks order as complete
cert9 Operational Layer
Verifies what happens after issuance.
- Confirms Secret is actively bound to workloads
- Validates Ingress / Gateway configuration matches certificate
- Monitors issuer health and challenge failures
- Detects stalled or rate-limited renewals
- Maps real-time blast radius across services
If a DNS-01 challenge stalls or an issuer hits rate limits, cert9 detects the failure before expiration impacts production.
There is a gap between "Certificate Issued" and "Traffic Secure."
cert9 operates in that gap.
The Blast Radius.
Don't guess based on secret names. cert9 creates a live map of your TLS surface area. When a certificate is at risk, you see the full impact immediately.
We don't just scan endpoints. We introspect the cluster state, reading CRDs, Ingresses, Gateway API routes, and Service meshes.
ingress/api-gateway
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
spec:
  tls:
  - hosts:
    - api.example.com
    secretName: wildcard-tls   <-- Expiring Source
  rules:
  - host: api.example.com
    http:
      paths: ...
Not Just Public Certificate Scanning.
External scanners only see what you expose to the internet. They miss 80% of your risk: internal mTLS, sidecars, database connections, and private gateways.
cert9 sits inside your infrastructure. We see the secrets, the config maps, and the bound services that public scanners can't reach.
Operational Truth.
Stop relying on spreadsheets and manual checks. Get uncomfortable awareness.
Total Inventory
No more "I didn't know we had that." Auto-discovery across every cluster, namespace, and bare-metal server. If it has a private key, we find it.
Impact Analysis
Map certificates to the actual services they break. We correlate the secret to the ingress, the ingress to the service, and the service to the alert.
Pipeline Health
ACME isn't fire-and-forget. We monitor the issuer health, rate limits, and challenge failures. Know why it's failing before the retry backoff hits max.
Pre-Incident Alerting
Get alerted when the configuration drifts, not just when the timer runs out. Catch the misconfiguration 5 minutes after deploy, not 5 minutes before expiry.
Install Anywhere
Lightweight agents. No sidecars. Instant visibility.
Kubernetes
helm install cert9-agent cert9/agent \
--set apiKey=$API_KEY
Works with AWS EKS, Google GKE, Azure AKS, etc.
Bare Metal
Beta
--token $API_KEY
Single binary. Zero dependencies. For Ubuntu and RHEL.
Enterprise Visibility. Without Enterprise Pricing.
Aligns with your PKI footprint, not your machine count.
Free Trial
Perfect for POCs and testing.
- Unlimited Features
- Community Support
- No Credit Card Required
Pro
Save $72/year
Complete visibility for growing teams.
Billed annually ($756/year)
- Unlimited Clusters and Machines
- Unlimited Domains
- Full Dependency Mapping
- Slack & PagerDuty Alerts
- Digests & Reporting
Enterprise
Security, compliance, and scale.
- Unlimited certificates and domains
- Priority Support & SLA
- SSO (SAML/OIDC)
- Dedicated Account Team
Ready to see the truth?
Deploy the agent in under 2 minutes. See your risks immediately.