DevOps

TLS Certificates Are About to Expire Way More Often. Here's How I'm Handling It.

May 2026 8 min read

If you manage TLS certificates for more than just a single server, the next three years will become increasingly painful.

What is changing?

The CA/Browser Forum passed ballot SC-081, which phases in shorter lifespans for TLS certificates starting March 15, 2026:

By 2029, certificates will need to be renewed approximately every six weeks. The reuse period for domain control validation drops to 10 days, so CAs will be revalidating domains almost continuously.

This is not a proposal: it was approved in April 2025 and is already on the books.

The gap I kept running with

I've been using Certbot for years. It's great at what it does: issuing a certificate on a single machine via Let's Encrypt. But once I had certificates on multiple services and domains, the problems piled up:

- A certificate expired on a staging server because the cron job failed silently after an operating system upgrade.

- A teammate needed to issue a certificate but did not have SSH access to the certificate server.

- I didn't have a single view of which certificates were expiring across all my services.

- A renewal failed and I didn't find out until a user reported a broken page.

Certbot and cert-manager solve issuance. But there hasn't been anything lightweight for management: tracking what you have, knowing when something goes wrong, and giving teammates access without handing over server keys.
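The two failure modes above (a renewal that dies silently, and no single view of what is about to expire) are exactly what a periodic sweep catches. The following is an added example written for this post, not KrakenKey's code: it reads notAfter straight from a TLS handshake using Python's standard library and classifies each host against a renewal window. The inventory and the clock in the sample are constructed so the check runs offline; fetch_not_after is the live path you would feed it from.

```python
"""Certificate expiry sweep: flag hosts whose renewal is due, critical, or already missed."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Dict, Tuple


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check: complete a TLS handshake and return the leaf certificate's
    notAfter string in the format getpeercert() uses, e.g. 'Jun 1 00:00:00 2026 GMT'.
    Verification is on, so a host serving an expired or bad certificate raises."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_left(not_after: str, now: datetime) -> float:
    """Days between now (UTC) and the certificate's notAfter; negative when expired."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).total_seconds() / 86400.0


def classify(not_after: str, now: datetime, renew_window_days: int) -> str:
    """EXPIRED: already past notAfter.
    CRITICAL: a day or less left, so scheduled renewal has almost certainly failed.
    RENEW_DUE: inside the renewal window; renewal should be in progress.
    OK: outside the window."""
    d = days_left(not_after, now)
    if d < 0:
        return "EXPIRED"
    if d <= 1:
        return "CRITICAL"
    if d <= renew_window_days:
        return "RENEW_DUE"
    return "OK"


def sweep(inventory: Dict[str, str], now: datetime,
          renew_window_days: int = 5) -> Dict[str, Tuple[str, float]]:
    """Map each host to (status, days_left). Inventory values are notAfter strings,
    e.g. collected with fetch_not_after(host) for every host you own."""
    return {host: (classify(na, now, renew_window_days), round(days_left(na, now), 2))
            for host, na in inventory.items()}


def alerts(report: Dict[str, Tuple[str, float]]) -> Dict[str, Tuple[str, float]]:
    """Only the hosts that need a human or a renewal job to look at them."""
    return {h: r for h, r in report.items() if r[0] != "OK"}


# Constructed sample inventory and clock (hypothetical hosts, not real endpoints).
SAMPLE_NOW = datetime(2026, 5, 1, 0, 0, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = {
    "web-1.example.test":   "Jun 1 00:00:00 2026 GMT",   # 31 days left
    "staging.example.test": "May 4 00:00:00 2026 GMT",   # 3 days left, inside a 5-day window
    "api.example.test":     "May 1 12:00:00 2026 GMT",   # half a day left
    "old.example.test":     "Apr 20 00:00:00 2026 GMT",  # expired 11 days ago
}

if __name__ == "__main__":
    for host, (status, d) in sorted(alerts(sweep(SAMPLE_INVENTORY, SAMPLE_NOW)).items()):
        print(f"{status:10} {d:7.2f}d  {host}")
```

Run it from cron or a CI job with the live inventory and page on anything in alerts(); a renewal that died silently shows up as RENEW_DUE first and CRITICAL before it becomes a user-reported outage. The 5-day window matches the free tier's renewal window described further down; pass 30 for the paid-plan window.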

What I built

KrakenKey is the management layer I wanted on top of ACME. This is how it works:

1. Submit a CSR - no server access needed

Generate a CSR in the browser (WebCrypto API – your private key never leaves your device) or bring your own. Submit it via the dashboard or the REST API:

curl -X POST https://api.krakenkey.io/certs/tls \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"csrPem": "-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----"}'

KrakenKey handles DNS-01 validation with Let's Encrypt. The certificate is ready in ~4 minutes.

2. Everything is tracked

Every certificate, every domain, every renewal, visible in one panel. Filter by domain, check status, download as PEM or PKCS#12. No more grepping logs on five servers.

3. Auto-renewal that really works

Not "automatic until the cron job silently dies". KrakenKey monitors each certificate and renews it on schedule. You get an email when a certificate is issued or renewed, and when something fails.

4. Native API

Every dashboard action is available through the REST API. Issue certificates from CI, check status in deployment scripts, scope API keys per application:

# Check certificate status
curl https://api.krakenkey.io/certs/tls/abc123 \
  -H "Authorization: Bearer $API_KEY"

# The PEM certificate is included in the response (crtPem field)
curl -s https://api.krakenkey.io/certs/tls/abc123 \
  -H "Authorization: Bearer $API_KEY" | jq -r '.crtPem' > cert.pem

What it costs

The free tier is truly free – no credit card or trial expiration:

- 3 verified domains

- 10 active certificates

- 5 issues + renewals per month

- Automatic renewal (5-day renewal window)

- Email notifications

- Full API access

Paid plans ($29–199/mo) launch this month for teams that need higher limits, 30-day renewal windows, RBAC, and audit logs.

The stack

NestJS, React, PostgreSQL, BullMQ, Terraform, Let's Encrypt production ACME. The source is on GitHub:

github.com/krakenkey/krakenkey

What I'd love feedback on

I'm especially interested in hearing from anyone who:

- Manages certificates across multiple services or environments.

- Has input on the dashboard UX for certificate lifecycle visibility.

- Has hit edge cases with DNS-01 validation that they'd like handled better.

If you're facing shorter certificate lifespans, or are just tired of silent renewal failures, give it a try; I'd really appreciate your feedback.
