A story of building a service (KEYCHEST)

Category : security


I have written this for KeyChest (https://keychest.net) users and some encouraged me to re-post. If you want to start a company, you may find a few lessons in it. If you like what I’m trying to build or even want to help, let me know – dan (at) keychest.net

I’ve written this to share my thoughts, clear my head, and maybe find a few people who’d appreciate what I’m trying to build. There are some links at the bottom as I wanted to post this simply as a text – but it’s too long.

I’m the founder, architect, dreamer, … of KeyChest and I want to share where KeyChest comes from, the journey so far and how I’m trying to shape it.

My name is Dan Cvrcek (sounds better where I was born – Czech Republic) and I have started the KeyChest service in summer 2017. Initially, it was a service to help us keep an eye on our own certs but we thought others would benefit from it as well. I didn’t think much about the future when I decided to build it – I take things in strides, I always did and I always pursued my dreams. I believe that doing things is much better than talking about them. So here I am sitting in an office on the outskirts of Cambridge, UK. 

(You can find more about me on LinkedIn – a link is at the bottom).


Early in 2018, I decided to turn KeyChest into a business and integrate it with a number of complimentary technologies I built before (e.g., a cloud certificate issuance service). Funny thing – I had to pay for the KeyChest IPR even though I had already paid for the actual development. Simply because it was legally part of a registered company – one has to learn from mistakes somehow.

I found a “co-founder” for KeyChest but what followed was a big, expensive set-back. I spent most of 2018 building a vision we agreed only to discover that they were only willing to invest their “spare-time” and not really making use of expensive changes. Ultimately, it was slowly but surely leading KeyChest towards a dead end.

We parted our ways before Christmas and I was left with pieces. But having spent so much time, money, and effort on the complete re-design, I decided to push on and launch the new KeyChest at the beginning of 2019. While it contained a lot of good things, many users have rightly rejected it as a mistake. 


2019 – This year was full of ups and downs. KeyChest has changed a lot, and I believe that for better. We added a number of new features, removed annoying UI bits. But there were a number of downs as well.

Our switch to Digital Ocean turned out to be a bad move. Mostly because of the unreliability of its disk storage (I suspect the core problem is a weak enforcement of IO limits per Droplet). As a result, we struggled with downtimes as our database cluster remained pretty unstable (I wrote a couple of blog posts about the issues and our attempts to fix them) – something to bear in mind if you want to build a MySQL InnoDB cluster.

I always try to look for silver linings so here’s one – as we had to cope with the infrastructure issues, I implemented a rather good monitoring framework.

I love hearing from users – good as well as bad – and the response time for support requests is within hours and if needed, improvements and bug-fixes are implemented as quickly as possible – we have 1-2 upgrades per month and hot-fixes between upgrades as necessary.

We also developed a business model and pricing I like. It is simple and transparent with unmetered usage:

  • free personal plans – providing the same simplicity of use as the enterprise option – and you can let KeyChest self-discover up to 500 endpoints
  • fixed monthly plans,
  • enterprise plans – priced well below anything else available with any level of support, this plan includes KeyChest agents – lightweight proxies for managing expiry of internal networks provided as Microsoft service and python package (installable with ‘pip’).


Right now, we are integrating renewal support for non-Let’s Encrypt certificates (we did some work on LE certs before). We have signed a partner agreement with SSL Store and we will start automating issuance of new certificates and renewals. We decided to add NO margin to the prices we get, so you should get pretty good deals. Here’s a few examples based on the current terms (which may change):

  • COMODO EssentialSSL (DV) – for $12  –  43% of the COMODO price
  • SECTIGO OV – for $49  – 35% of the issuer price   
  • Symantec Secure Site with EV – for $635 – 64% of the Symantec price

I built a hardware platform (CloudFoxy) for cloud use of secure chips. The plan is to integrate CloudFoxy to provide secure storage for internal root CA keys (the CA functions are already done). While hardware, it is pretty scalable (600+ chips in one 1U rack server) so it can be used for a scalable and reliable key management with SW products like HashiCorp Vault – it simply adds physically secure environment for root keys, which is the main risk with SW key management for TLS etc.. I believe this is how keys should be managed – getting rid of legacy PKI systems with massive price tags and complexity (although we have that technology as well 😮 ).


Not much of this will happen if we can’t secure our financial position and secure it pretty soon (ok, I will just keep pushing it, as I simply have to and believe it brings a real value to you) . We have now started working on a (pre-)seed equity funding, which is quite hard for us as myself nor Colin come from that environment so getting introductions is non-trivial. If we succeed, it will truly be a game changer for KEYCHEST – commercially and in speeding up the tech implementation.

Thank you for reading all this! We try to build a paying user base – business plans (they start at $10). If you can help us with any introductions to tech investors, well, that would be marvellous. Or if you want to help in any other way – give me a shout.



Dan Cvrcek @ linkedin –  https://www.linkedin.com/in/dancvrcek/

SmartCard Systems Redesigned – platform for root CAs – https://magicofsecurity.com/smartcard-systems-redesigned/

CloudFoxy – Digital Signing for Business Environment – https://cloudfoxy.com

EnigmaBridge – cloud encryption service with physical security – https://enigmabridge.com (my previous start-up I founded and funded)

MySQL8 Cluster and Networking Problems – https://magicofsecurity.com/mysql8-cluster-and-networking-problems/

API for end-to-end certificate testing – https://community.letsencrypt.org/t/api-for-end-to-end-certificate-testing-keychest/96490

Leave a Reply