We have finally completed a GLOBAL certificate look-up table for real-time notifications in our re-designed KeyChest service. KeyChest has been using an external service to check for new certificates. This has become unsustainable due to the number of users and certificates we monitor.
We have upgraded the KeyChest infrastructure to serve the growing user base. It is the first step for our new version, with real-time notifications, internal certificate monitoring, automated renewals, and faster discovery of new certificates.
Our certificate monitoring KeyChest has an initial RESTful API for remote enrolment of new certificates and for checking certificate expiry. Its design supports automation without any initial security/authorization setup.
Amazon is pretty good at providing a cloud platform with all the tools and infrastructure you may possibly need without looking into the small print. CPU credits are an exception.
This text is about creating a process around planning certificate renewals. As part of our KeyChest re-design, we created a sequence of meaningful checks for TLS certificates to get them always renewed before your web services go down.
We checked recent statistics of the KeyChest service. While the overall load is gradually increasing, we also increase the number of checks we perform. It’s now over 500,000 a day since March 26. But we should be fine till a major system upgrade coming soon.