What is KeyChest and its spot check good for?
You may ask why you need another tool when there's the SSL Labs auditing tool, which tells you all you need to know about the security of your website. The answer is simple: KeyChest is much more about keeping your servers available than about keeping them secure. You can only do a thorough security audit on servers that have already been configured and use the certificate you want.
KeyChest.net is about keeping your business up and running. It may be prudent to reach an A+ rating at SSL Labs in April, but it doesn't help if your customers can't access your online store in July.
KeyChest gives you all the information you need to keep your servers' SSL certificates up to date. It allows you to plan certificate renewals and tells you when something broke and needs a closer look. This protects you from downtime, as you can plan certificate renewals with enough time to resolve any potential problems. KeyChest spot checks also help you set up your servers so that your users, customers, and clients can connect to them reliably, as we detect issues that may cause random, unexpected problems when accessing your web services.
KeyChest features a powerful Dashboard with details of all your certificates in one place. Dashboard tables list relevant issues, from DNS lookup errors and incomplete trust chains to certificate expiration dates.
If you just want to keep an eye on your administrators, KeyChest will send you a brief email with all the important metrics.
We also want to show you who issued your certificate and how to save money on the next one, and to make you aware of any new certificates issued for any of your servers. One of the main planned extensions is integration of reminders into your calendar.
The biggest problem with the security of your servers is that you need to create a new key and certificate regularly. It can be every three months, or once in 2-3 years. The harsh reality is that if you don't do it, your online business will simply grind to a halt.
SSL spot checks - setting up new servers
KeyChest spot checks help you quickly check a particular server. The check takes just a few seconds, so it is really useful for troubleshooting basic configuration problems.
You can repeat the spot check as many times as needed until everything works. Once you're happy with the configuration, you can let KeyChest keep an eye on the server for you: just start watching it. But you can also:
- Send the URL of your last spot check to your colleagues or boss - we store the results of each spot check, so they will see exactly what you did.
- Run the server past the SSL Labs checker for a thorough review of its cryptographic configuration.
Note: KeyChest runs its checks against a particular server, while the SSL Labs test follows redirects and will ultimately provide results for the "domain name" rather than for the server. KeyChest allows you to check even a particular IP address, so it's easy to get results for new servers even in HA, DNS round-robin, or other resilient configurations.
The scope of spot checks
Here is a list of checks we execute against your selected server:
- time validity — we check how long until the certificate expires. There are three possible warning messages you can see: PLAN (if the expiration date is less than 28 days away), WARNING (if the expiration is less than 7 days away), or ERROR (the server is not available).
- trust chain — each server should send all the certificates in its chain to simplify verification for clients. Most web browsers will still be able to verify the security of your server most of the time if a certificate is missing. It may however cause a problem, and we will show you if that is the case.
- hostname — each certificate contains a list of server names it can be used for. A mismatch here means that the web browser will detect a security problem.
- TLS version — we strongly encourage you to use TLS version 1.2, and the checker will tell you if it's anything worse than that.
- multi-domain certs and wildcards (aka neighbors) — some certificates are shared among several servers, and it's good to see that this list is correct. It also shows how many servers share the same key.
- downtime in 2 years — this number is a minimum estimate, and the actual downtime could be much longer. This check relies purely on data from certificate transparency (CT) logs. Sometimes certificates exist but are not properly installed in web servers, which is why the actual downtime might have been longer.
- strict transport security (HSTS) — your web server can request that web browsers require SSL connections all the time. This prevents some attacks, and we will mention it if the checker detects this configuration.
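As an added illustration (not KeyChest's own code), the script below performs the expiry, hostname, TLS version and HSTS checks from the list above against one server using only Python's standard library, applying the page's 28-day PLAN and 7-day WARNING thresholds and reporting ERROR when the server cannot be reached or its chain does not verify. The function and field names are this example's own; chain verification is delegated to the default SSL context, and the CT-log downtime estimate and the neighbor check are not reproduced here.

```python
import ssl
import time
from http.client import HTTPSConnection

PLAN_DAYS, WARNING_DAYS = 28, 7  # expiry thresholds quoted on the page
def expiry_status(not_after_epoch, now=None):
    """PLAN if under 28 days remain, WARNING if under 7, otherwise OK."""
    days_left = (not_after_epoch - (time.time() if now is None else now)) / 86400
    if days_left < WARNING_DAYS:
        return "WARNING", days_left
    return ("PLAN" if days_left < PLAN_DAYS else "OK"), days_left

def hostname_matches(hostname, sans):
    """Match against DNS SANs; a wildcard covers exactly one leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    for san in sans:
        labels = san.lower().rstrip(".").split(".")
        wildcard = labels[0] == "*" and len(labels) > 2
        if len(labels) == len(host) and (labels == host or wildcard and labels[1:] == host[1:]):
            return True
    return False

def tls_version_ok(version):
    """The page recommends TLS 1.2; anything lower is flagged."""
    return version in ("TLSv1.2", "TLSv1.3")

def hsts_max_age(header):
    """max-age from a Strict-Transport-Security value, or None if absent/malformed."""
    for directive in (header or "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip('"').isdigit():
            return int(value.strip('"'))
    return None

def spot_check(host, port=443, timeout=5):
    """Live check of one server: ERROR if unreachable or untrusted, else the findings."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; a name mismatch becomes a finding
    conn = HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", "/")
        cert, version = conn.sock.getpeercert(), conn.sock.version()
        hsts = conn.getresponse().getheader("Strict-Transport-Security")
        conn.close()
    except (OSError, ssl.SSLError) as exc:  # DNS failure, refused, timeout, bad chain
        return {"status": "ERROR", "detail": str(exc)}
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    status, days = expiry_status(ssl.cert_time_to_seconds(cert["notAfter"]))
    return {"status": status, "days_left": round(days, 1), "tls_ok": tls_version_ok(version),
            "hostname_ok": hostname_matches(host, sans), "hsts_max_age": hsts_max_age(hsts)}
```

Calling spot_check("www.example.com") returns one dict per server, which can be run repeatedly while a new server is being configured, including against a specific IP address by passing it as host.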