Finally Understand PKI & TLS
See It In Action
Interactive visualizations that make complex concepts click
Visual Handshakes
Watch TLS packets fly between client and server. Understand exactly when encryption kicks in.
Chain Validation
See how browsers traverse the trust chain from leaf to root, and why intermediate certs matter.
Failure Scenarios
Simulate expired certs, revocations, and MITM attacks to learn how to troubleshoot real incidents.
Learn By Doing
Visual, step-by-step demonstrations of PKI concepts. Click through to understand how things actually work.

Certificate Transparency Logs
Explore CT logs and how they detect mis-issued certificates. See how SCTs work and why CT matters for security.

PKCS#12 / PFX Format
Learn PKCS#12/PFX format for bundling certificates with private keys. Create, extract, and convert PFX files.

Self-Signed Certificates
Understand when self-signed certificates are appropriate and their security implications.

ACME Protocol - Automated Certificate Issuance
Learn how the ACME protocol automates certificate issuance with Let's Encrypt. The interactive demo shows the challenge-response flow and DNS/HTTP validation.

OpenSSL CSR Generation
Create Certificate Signing Requests with OpenSSL. Generate CSRs with SANs using config files and command line.

Certificate File Formats
Understand certificate formats: PEM, DER, PFX/P12, JKS. Learn when to use each and how to convert between them.

Root Stores & Trust Anchors
Explore how browsers and OSes decide which CAs to trust. Compare Chrome, Mozilla, Apple, and Microsoft policies.

CAA Records - DNS Certificate Control
Understand CAA DNS records and how they control which CAs can issue certificates for your domain. Interactive demo with examples.

TLS Cipher Suite Decoder
Decode cipher suite strings like TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. Understand key exchange, encryption, and MAC.

Certificate Pinning Explained
Learn how certificate pinning works, why it breaks apps after cert rotation, and modern alternatives like Certificate Transparency.
Start Learning
In-depth guides for real-world PKI challenges. From installation to troubleshooting.

Traefik SSL Certificate Configuration
Automatic HTTPS for containers and services. Let's Encrypt automation, Docker labels, Kubernetes IngressRoute, and manual certificate configuration.

HAProxy SSL Certificate Configuration
Learn how to configure SSL/TLS certificates in HAProxy. Covers SSL termination, passthrough, cipher suites, and achieving an SSL Labs A+ grade.

Domain Validation Methods Explained
How CAs verify domain ownership before issuing certificates. All 10 approved DCV methods from CA/Browser Forum BRs.

IIS SSL Certificate Configuration
Complete guide to SSL/TLS on Windows Server IIS. CSR generation, certificate installation, SNI bindings, TLS hardening, and PowerShell automation.

What is Venafi?
Understand Venafi (now CyberArk Machine Identity Security), what it does, who uses it, and whether you need it. Vendor-neutral practitioner guide.

Certificate Discovery Explained
How enterprise platforms find every certificate in your environment. Network scanning, agent-based, Kubernetes discovery methods explained.

NSA CNSA 2.0 Certificate Management
Implement CNSA 2.0 quantum-resistant algorithms in your certificate infrastructure. Timeline, algorithm requirements, and CLM transition planning for National Security Systems.

Post-Quantum Cryptography
Understand post-quantum cryptography, NIST's ML-KEM, ML-DSA, and SLH-DSA standards, and what your PKI team needs to do before 2035. Plain English, no PhD required.

CSR Rejection Reasons
CSR rejected by your CA? Learn the common reasons certificate signing requests fail - wrong key size, weak keys, invalid domains, bad formatting - and how to fix each one.

Automating HTTP-01 on Nginx, Apache, and IIS
Complete guide to HTTP-01 automation on Nginx, Apache, and IIS. The simplest path to automated certificates with Certbot, win-acme, and production-ready configurations.
Explore Our Guide Series
Multi-part deep dives into complex PKI topics

CDN SSL Troubleshooting
Cloudflare, Akamai, AWS CloudFront

Microsoft ADCS Deep Dive
Active Directory Certificate Services for Enterprise PKI

F5 BIG-IP SSL Series
Master SSL/TLS on F5 load balancers

The Venafi Series
Machine identity management explained
What's New
Here's what we've been building for you
New Blog: Key Ceremony Best Practices — What Your Script Should Include
A practitioner-level guide to PKI key ceremony scripts covering what to include, what auditors verify, and the common mistakes that create findings
We published a deep-dive blog post on key ceremony scripts — the formal, witnessed process of generating cryptographic keys for a Certificate Authority. This isn't the academic "what is a key ceremony" overview you find elsewhere. It's a practitioner's breakdown of what your script should actually contain: pre-ceremony checklists, HSM operations structure, key backup procedures, witness requirements, and the specific documentation gaps that generate audit findings. The post includes five custom infographics — roles diagram, pre-ceremony checklist flow, ceremony script flow, audit red flags, and common mistakes — plus a video walkthrough. We also added cross-links from 6 related pages (HSM guide, CA Hierarchy guide, What Is a CPS guide, Internal CA CPS blog, and PCI DSS checklist) so readers can discover it naturally.
Compliance Hub v2.3.0: Chrome Root Program 1.8, Mozilla MRSP 3.0, and New Deadline Categories
Major update to the PKI Compliance Hub with Chrome Root Program v1.8 and Mozilla Root Store Policy v3.0 data, 7 new deadlines, and new filtering categories for root store, platform, automation, and certificate transparency events
The PKI compliance landscape shifted significantly this month. Chrome Root Program v1.8 brings CT pre-logging requirements, root store consolidation plans, and a firm March 2027 deadline for subordinate CA automation. Mozilla Root Store Policy v3.0 introduces dual-purpose root transition plans due April 2026 with full migration by end of 2028. We also added the Microsoft Secure Boot certificate expiration (June 2026) — a high-impact event that affects enterprise device fleets. The Compliance Hub now tracks all of these with 7 new deadlines, an updated root store comparison table with two new rows (Dual-Purpose Root Deadline and CT Pre-Logging), and four new category filters so you can quickly find what matters to your team. The Compliance-in-a-Box page also got a visual upgrade — a 47-day certificate urgency timeline and an inline Kit form so you can preview Section 1 of the CP/CPS template before purchasing.
New: DNS-PERSIST-01 Guide + Security Analysis Blog Post
Comprehensive guide to the new persistent ACME DNS validation method (SC-088v3) plus a companion blog post analyzing 5 security assumptions that change with persistent authorization
DNS-PERSIST-01 is the biggest change to ACME certificate validation since DNS-01 was introduced. The CA/Browser Forum approved it unanimously, Let's Encrypt announced support, and production rollout is expected Q2 2026. We published a full guide covering how it works, how it compares to DNS-01, scope controls, security tradeoffs, implementation timeline, and a decision framework to help you decide when to adopt. We also wrote a companion blog post that goes deeper on the security side — five specific assumptions that change when your certificate validation becomes persistent, and what your team should do about each one. Both resources include video walkthroughs.
Stay Compliant
Certificate validity periods are shrinking. Track deadlines and requirements with our live compliance hub.
Practical Tools
Validate CSRs, diagnose issues, and track compliance. All the tools you need in one place.
PKI Priority Planner
Find out if your team is working on the right PKI priorities. Get a personalized action plan based on your environment and compliance deadlines.
CSR Checker
Validate and decode Certificate Signing Requests. Check for common issues before submitting to a CA.
PKI Troubleshooter
AI-powered diagnostic tool for SSL/TLS certificate issues. Get step-by-step solutions.

Practical TLS by Ed Harmoush
The most comprehensive TLS course available. Real Wireshark captures, hands-on labs, and explanations that actually make sense. Use code FixMyCert for 50% off.
Disclosure: I earn a commission if you purchase through this link, at no extra cost to you.
Built for IT Professionals
DevOps & SREs
Debug ingress issues and automate certificate rotation with confidence.
Security Engineers
Visualize threat models and explain PKI concepts to stakeholders.
Network Engineers
Deep dive into TLS 1.2 vs 1.3, ciphers, and handshake performance.



