Interactive Learning Platform

Finally Understand PKI & TLS

Stop struggling with abstract diagrams. FixMyCert provides interactive, step-by-step visualizations for certificates, handshakes, and trust chains.

Built by an engineer who's managed thousands of production certificates and lived through real TLS outages.

See It In Action

Interactive visualizations that make complex concepts click

[Diagram: TLS handshake messages between Client and Server: ClientHello, ServerHello, Certificate, KeyExchange]

Visual Handshakes

Watch TLS packets fly between client and server. Understand exactly when encryption kicks in.

[Diagram: Root CA, Intermediate, Your Cert]

Chain Validation

See how browsers traverse the trust chain from leaf to root, and why intermediate certs matter.

[Diagram: Expired (certificate past validity), Revoked, Chain Error]

Failure Scenarios

Simulate expired certs, revocations, and MITM attacks to learn how to troubleshoot real incidents.

Interactive Demos

Learn By Doing

Visual, step-by-step demonstrations of PKI concepts. Click through to understand how things actually work.

Certificate Transparency Logs
Enterprise

Explore CT logs and how they detect mis-issued certificates. See how SCTs work and why CT matters for security.

PKCS#12 / PFX Format
Certificates

Learn PKCS#12/PFX format for bundling certificates with private keys. Create, extract, and convert PFX files.

Self-Signed Certificates
Certificates

Understand when self-signed certificates are appropriate and their security implications.

ACME Protocol - Automated Certificate Issuance
Certificates

Learn how ACME protocol automates certificate issuance with Let's Encrypt. Interactive demo shows the challenge-response flow and DNS/HTTP validation.

OpenSSL CSR Generation
OpenSSL Commands

Create Certificate Signing Requests with OpenSSL. Generate CSRs with SANs using config files and command line.

Certificate File Formats
Certificates

Understand certificate formats: PEM, DER, PFX/P12, JKS. Learn when to use each and how to convert between them.

Root Stores & Trust Anchors
Certificates

Explore how browsers and OSes decide which CAs to trust. Compare Chrome, Mozilla, Apple, and Microsoft policies.

CAA Records - DNS Certificate Control
Enterprise

Understand CAA DNS records and how they control which CAs can issue certificates for your domain. Interactive demo with examples.

TLS Cipher Suite Decoder
Fundamentals

Decode cipher suite strings like TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. Understand key exchange, encryption, and MAC.

Certificate Pinning Explained
Enterprise

Learn how certificate pinning works, why it breaks apps after cert rotation, and modern alternatives like Certificate Transparency.

New Guides Added

Start Learning

In-depth guides for real-world PKI challenges. From installation to troubleshooting.

Traefik SSL Certificate Configuration
NEW · Web Servers

Automatic HTTPS for containers and services. Let's Encrypt automation, Docker labels, Kubernetes IngressRoute, and manual certificate configuration.

17 min
HAProxy SSL Certificate Configuration
NEW · Web Servers

Learn how to configure SSL/TLS certificates in HAProxy. Covers SSL termination, passthrough, cipher suites, and achieving an SSL Labs A+ grade.

12 min
Domain Validation Methods Explained
NEW · Certificates

How CAs verify domain ownership before issuing certificates. All 10 approved DCV methods from CA/Browser Forum BRs.

15 min
IIS SSL Certificate Configuration
NEW · Web Servers

Complete guide to SSL/TLS on Windows Server IIS. CSR generation, certificate installation, SNI bindings, TLS hardening, and PowerShell automation.

20 min
What is Venafi?
NEW · Venafi

Understand Venafi (now CyberArk Machine Identity Security), what it does, who uses it, and whether you need it. Vendor-neutral practitioner guide.

12 min
Certificate Discovery Explained
NEW · Venafi

How enterprise platforms find every certificate in your environment. Network scanning, agent-based, Kubernetes discovery methods explained.

15 min
NSA CNSA 2.0 Certificate Management
NEW · Enterprise PKI

Implement CNSA 2.0 quantum-resistant algorithms in your certificate infrastructure. Timeline, algorithm requirements, and CLM transition planning for National Security Systems.

20 min
Post-Quantum Cryptography
NEW · Enterprise PKI

Understand post-quantum cryptography, NIST's ML-KEM, ML-DSA, and SLH-DSA standards, and what your PKI team needs to do before 2035. Plain English, no PhD required.

15 min
CSR Rejection Reasons
NEW · Certificates

CSR rejected by your CA? Learn the common reasons certificate signing requests fail - wrong key size, weak keys, invalid domains, bad formatting - and how to fix each one.

11 min
Automating HTTP-01 on Nginx, Apache, and IIS
NEW · Enterprise PKI

Complete guide to HTTP-01 automation on Nginx, Apache, and IIS. The simplest path to automated certificates with Certbot, win-acme, and production-ready configurations.

12 min

What's New

Here's what we've been building for you

New Guide · Compliance

New Blog: Key Ceremony Best Practices — What Your Script Should Include

A practitioner-level guide to PKI key ceremony scripts covering what to include, what auditors verify, and the common mistakes that create findings

We published a deep-dive blog post on key ceremony scripts — the formal, witnessed process of generating cryptographic keys for a Certificate Authority. This isn't the academic "what is a key ceremony" overview you find elsewhere. It's a practitioner's breakdown of what your script should actually contain: pre-ceremony checklists, HSM operations structure, key backup procedures, witness requirements, and the specific documentation gaps that generate audit findings. The post includes five custom infographics — roles diagram, pre-ceremony checklist flow, ceremony script flow, audit red flags, and common mistakes — plus a video walkthrough. We also added cross-links from 6 related pages (HSM guide, CA Hierarchy guide, What Is a CPS guide, Internal CA CPS blog, and PCI DSS checklist) so readers can discover it naturally.

Key Ceremony Best Practices
Compliance · Improvement

Compliance Hub v2.3.0: Chrome Root Program 1.8, Mozilla MRSP 3.0, and New Deadline Categories

Major update to the PKI Compliance Hub with Chrome Root Program v1.8 and Mozilla Root Store Policy v3.0 data, 7 new deadlines, and new filtering categories for root store, platform, automation, and certificate transparency events

The PKI compliance landscape shifted significantly this month. Chrome Root Program v1.8 brings CT pre-logging requirements, root store consolidation plans, and a firm March 2027 deadline for subordinate CA automation. Mozilla Root Store Policy v3.0 introduces dual-purpose root transition plans due April 2026 with full migration by end of 2028. We also added the Microsoft Secure Boot certificate expiration (June 2026) — a high-impact event that affects enterprise device fleets. The Compliance Hub now tracks all of these with 7 new deadlines, an updated root store comparison table with two new rows (Dual-Purpose Root Deadline and CT Pre-Logging), and four new category filters so you can quickly find what matters to your team. The Compliance-in-a-Box page also got a visual upgrade — a 47-day certificate urgency timeline and an inline Kit form so you can preview Section 1 of the CP/CPS template before purchasing.

PKI Compliance Hub
New Guide · Compliance

New: DNS-PERSIST-01 Guide + Security Analysis Blog Post

Comprehensive guide to the new persistent ACME DNS validation method (SC-088v3) plus a companion blog post analyzing 5 security assumptions that change with persistent authorization

DNS-PERSIST-01 is the biggest change to ACME certificate validation since DNS-01 was introduced. The CA/Browser Forum approved it unanimously, Let's Encrypt announced support, and production rollout is expected Q2 2026. We published a full guide covering how it works, how it compares to DNS-01, scope controls, security tradeoffs, implementation timeline, and a decision framework to help you decide when to adopt. We also wrote a companion blog post that goes deeper on the security side — five specific assumptions that change when your certificate validation becomes persistent, and what your team should do about each one. Both resources include video walkthroughs.

DNS-PERSIST-01 Guide

Stay Compliant

Certificate validity periods are shrinking. Track deadlines and requirements with our live compliance hub.

Built for IT Professionals

DevOps & SREs

Debug ingress issues and automate certificate rotation with confidence.

Security Engineers

Visualize threat models and explain PKI concepts to stakeholders.

Network Engineers

Deep dive into TLS 1.2 vs 1.3, ciphers, and handshake performance.

PKI education for DevOps, Security Engineers, and Network Engineers

Ready to Master PKI?

Start with our interactive Digital Signature demo and work your way up to Cloud PKI architectures.