Welcome! Here's what we've been building to help you understand PKI and troubleshoot certificates. Each update is designed with you in mind—whether you're just starting out or managing enterprise infrastructure.
February 2026
Feb 25
New Guide | Compliance
New Blog: Key Ceremony Best Practices — What Your Script Should Include
A practitioner-level guide to PKI key ceremony scripts covering what to include, what auditors verify, and the common mistakes that create findings
We published a deep-dive blog post on key ceremony scripts — the formal, witnessed process of generating cryptographic keys for a Certificate Authority. This isn't the academic "what is a key ceremony" overview you find elsewhere. It's a practitioner's breakdown of what your script should actually contain: pre-ceremony checklists, HSM operations structure, key backup procedures, witness requirements, and the specific documentation gaps that generate audit findings. The post includes five custom infographics — roles diagram, pre-ceremony checklist flow, ceremony script flow, audit red flags, and common mistakes — plus a video walkthrough. We also added cross-links from 6 related pages (HSM guide, CA Hierarchy guide, What Is a CPS guide, Internal CA CPS blog, and PCI DSS checklist) so readers can discover it naturally.
Compliance Hub v2.3.0: Chrome Root Program 1.8, Mozilla MRSP 3.0, and New Deadline Categories
Major update to the PKI Compliance Hub with Chrome Root Program v1.8 and Mozilla Root Store Policy v3.0 data, 7 new deadlines, and new filtering categories for root store, platform, automation, and certificate transparency events
The PKI compliance landscape shifted significantly this month. Chrome Root Program v1.8 brings CT pre-logging requirements, root store consolidation plans, and a firm March 2027 deadline for subordinate CA automation. Mozilla Root Store Policy v3.0 introduces dual-purpose root transition plans due April 2026 with full migration by end of 2028. We also added the Microsoft Secure Boot certificate expiration (June 2026) — a high-impact event that affects enterprise device fleets. The Compliance Hub now tracks all of these with 7 new deadlines, an updated root store comparison table with two new rows (Dual-Purpose Root Deadline and CT Pre-Logging), and four new category filters so you can quickly find what matters to your team. The Compliance-in-a-Box page also got a visual upgrade — a 47-day certificate urgency timeline and an inline Kit form so you can preview Section 1 of the CP/CPS template before purchasing.
Chrome Root Program updated to v1.8 with CT pre-logging, root consolidation, and SubCA automation deadlines
Mozilla Root Store Policy updated to v3.0 with dual-purpose root transition timeline
Microsoft Secure Boot certificate expiration (June 2026) tracked as HIGH impact
7 new deadlines added to the timeline (67 total)
4 new category filters: Root Store, Certificate Transparency, Platform, Automation
Root Store Comparison table: 2 new rows for Dual-Purpose Root Deadline and CT Pre-Logging
Compliance-in-a-Box: 47-day urgency timeline and inline Section 1 preview form added
New: DNS-PERSIST-01 Guide + Security Analysis Blog Post
Comprehensive guide to the new persistent ACME DNS validation method (SC-088v3) plus a companion blog post analyzing 5 security assumptions that change with persistent authorization
DNS-PERSIST-01 is the biggest change to ACME certificate validation since DNS-01 was introduced. The CA/Browser Forum approved it unanimously, Let's Encrypt announced support, and production rollout is expected Q2 2026. We published a full guide covering how it works, how it compares to DNS-01, scope controls, security tradeoffs, implementation timeline, and a decision framework to help you decide when to adopt. We also wrote a companion blog post that goes deeper on the security side — five specific assumptions that change when your certificate validation becomes persistent, and what your team should do about each one. Both resources include video walkthroughs.
Complete DNS-PERSIST-01 guide with 9 sections: problem, how it works, DNS-01 comparison, scope controls, security, timeline, decision framework
Companion blog post: "DNS-PERSIST-01 Is Great. Your Threat Model Needs Updating."
Video walkthroughs embedded in both the guide and blog post
Cross-linked with existing 47-day timeline and DCV methods sunset content
First-mover content — this is the most comprehensive DNS-PERSIST-01 resource available
All checklists and runbooks now have LinkedIn, X, and copy-link sharing buttons so you can easily send them to colleagues
Every checklist and runbook on FixMyCert now has social sharing buttons built right into the sticky progress bar. Share a checklist with your team on LinkedIn, post it on X, or copy the link to drop into Slack or email. This was one of the most requested features — when you find a checklist that solves a real problem, you should be able to share it in two clicks.
LinkedIn, X (Twitter), and copy-link buttons on every checklist and runbook
Buttons live in the sticky progress bar so they're always accessible
One-click copy to clipboard for easy sharing via Slack, email, or Teams
A structured audit to assess whether your PKI infrastructure is ready for 47-day certificate validity — covering automation, DCV, monitoring, and team readiness
With the March 15, 2026 Phase 1 deadline approaching, we built a comprehensive 82-point readiness audit that walks you through every area that matters: certificate discovery, renewal ownership, DCV readiness, ACME pipelines, deployment automation, monitoring, and organizational preparedness. Unlike a generic compliance checklist, this one is specifically designed around the SC-081v3 timeline. It includes a built-in readiness scoring guide so you can quickly assess where you stand — Ready, On Track, At Risk, or Critical — and prioritize accordingly. We also completely rewrote the F5 BIG-IP SSL Certificate Checklist with 52 items covering tmsh commands alongside GUI steps, PFX conversion instructions, chain warnings, and a full FAQ section.
82-point audit across 9 sections: inventory, DCV, ACME, deployment, monitoring, and more
Phase 1 countdown context with March 15, 2026 deadline awareness
Built-in readiness scoring: Ready / On Track / At Risk / Critical
F5 SSL Checklist completely rewritten with 52 items, tmsh commands, and FAQ
Both checklists feature interactive progress tracking with localStorage persistence
The PKI Automation Gap: Why Nobody Is Ready for 47-Day Certificates
An honest, vendor-neutral assessment of where certificate automation actually fails — and what to prioritize before the 200-day deadline hits
New pillar guide tackling the uncomfortable truth about 47-day certificates: most organizations aren't ready, and many don't even know where the gaps are. This guide walks through the entire 5-stage certificate lifecycle pipeline — discovery, validation, issuance, deployment, and monitoring — and shows exactly where automation breaks down at each stage. It's vendor-neutral by design, focusing on the real operational challenges rather than pushing any particular CLM product. Whether you're just starting to plan for SC-081v3 or you've already begun automating, this guide helps you identify blind spots and prioritize what matters most before the March 2026 enforcement date.
Digital Signatures Guide: Embedded Video Walkthrough
The Digital Signatures pillar guide now includes an embedded video explaining how digital signatures work
The Digital Signatures guide now features an embedded video walkthrough right at the top of the page. This video complements the written content by visually explaining how digital signing and verification work using cryptographic hashing and asymmetric key pairs. Whether you're new to PKI or brushing up on fundamentals, the video provides a quick, accessible overview before diving into the detailed written guide.
Embedded YouTube video walkthrough at the top of the Digital Signatures guide
Responsive 16:9 video player that works on all screen sizes
Visual complement to the existing written guide content
Social Sharing, Real-World Validity Numbers & Blog Launch
Share any guide on LinkedIn or X with one click, plus a deep dive into why 200 days doesn't actually mean 200 days
Big batch of updates today. First, every guide page now has LinkedIn, X/Twitter, and copy-link share buttons right in the hero section — no more copying URLs by hand when you want to share a resource with your team. Second, the 47-Day Timeline guide now includes a comprehensive "Real-World Numbers" section explaining the midnight-to-midnight off-by-one (199/99/46 effective validity) and pre-certificate DCV impact (198/98/8 effective DCV reuse), with embedded video, comparison tables, and cadence guidance. Those effective day annotations are now visible across the entire platform — countdown timers, the Compliance Hub quick reference, and structured data all show both the ballot number and the real-world effective number. We also launched "Your Internal CA Doesn't Have a CPS" on the Trust The Chain blog, making the case that internal PKI operators need documented governance just like public CAs. And the Compliance-in-a-Box landing page got a PKI Governance Gap section with industry stats and additional FAQs.
Social share buttons (LinkedIn, X, copy link) on all 100+ guide pages
"Real-World Numbers" section: off-by-one validity and DCV reuse explained
Effective day annotations propagated across countdown timers, Compliance Hub, and JSON-LD
Sectigo March 12, 2026 early enforcement noted throughout
New blog post: "Your Internal CA Doesn't Have a CPS" with embedded media
2-column blog index layout with Trust The Chain branding
Compliance-in-a-Box: PKI Governance Gap section with 4-stat strip and industry grid
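The "Real-World Numbers" entry above rests on one arithmetic fact: RFC 5280 defines the validity period as running from notBefore through notAfter inclusive, so a certificate whose notAfter sits exactly N days after notBefore is valid for N days plus one second and overshoots an N-day limit. CAs therefore stop one second short, and a certificate issued at midnight spans N-1 whole calendar days. The following is an added example (not code from the FixMyCert guide) that works this through for the three SC-081v3 phase limits named on the page; the pre-certificate DCV reuse effect the entry also describes is not modelled, and the issuance instant is a constructed sample.

```python
"""Midnight-to-midnight off-by-one: why a 200-day limit yields 199 real days.

Added example, not code from the FixMyCert 47-Day Timeline guide. Assumes the
RFC 5280 inclusive validity definition (notBefore and notAfter both count, so
validity = notAfter - notBefore + 1 second). DCV reuse is not modelled.
"""
from datetime import datetime, timedelta, timezone

ONE_SECOND = timedelta(seconds=1)

# SC-081v3 phase maximums (days) as listed on the page.
PHASE_LIMITS = {"2026-03-15": 200, "2027-03-15": 100, "2029-03-15": 47}


def utc(y: int, m: int, d: int, h: int = 0, mi: int = 0, s: int = 0) -> datetime:
    """Small constructor so callers need no datetime import of their own."""
    return datetime(y, m, d, h, mi, s, tzinfo=timezone.utc)


def inclusive_validity(not_before: datetime, not_after: datetime) -> timedelta:
    """RFC 5280 validity: both boundary seconds count, hence the extra second."""
    return (not_after - not_before) + ONE_SECOND


def exceeds_limit(not_before: datetime, not_after: datetime, limit_days: int) -> bool:
    """True when the inclusive validity is longer than the ballot maximum."""
    return inclusive_validity(not_before, not_after) > timedelta(days=limit_days)


def naive_not_after(not_before: datetime, limit_days: int) -> datetime:
    """The intuitive (wrong) choice: notAfter = notBefore + limit days, same clock time."""
    return not_before + timedelta(days=limit_days)


def latest_compliant_not_after(not_before: datetime, limit_days: int) -> datetime:
    """Largest notAfter that still fits: one second short of the naive value."""
    return naive_not_after(not_before, limit_days) - ONE_SECOND


def effective_whole_days(not_before: datetime, limit_days: int) -> int:
    """Calendar days between notBefore and the last compliant notAfter.

    For a certificate issued at midnight this is the real-world number the
    page quotes: 199, 99 and 46 for ballot limits of 200, 100 and 47.
    """
    not_after = latest_compliant_not_after(not_before, limit_days)
    return (not_after.date() - not_before.date()).days


if __name__ == "__main__":
    issued = utc(2026, 3, 15)  # constructed issuance instant, midnight UTC
    for phase, limit in PHASE_LIMITS.items():
        naive = naive_not_after(issued, limit)
        ok = latest_compliant_not_after(issued, limit)
        print(f"{phase}: limit {limit}d -> naive notAfter {naive:%Y-%m-%d %H:%M:%S} "
              f"exceeds={exceeds_limit(issued, naive, limit)}; compliant notAfter "
              f"{ok:%Y-%m-%d %H:%M:%S} = {effective_whole_days(issued, limit)} whole days")
```

Run it directly to see each phase: the naive notAfter is flagged as exceeding the limit, and the compliant notAfter (23:59:59 on the previous day) is what produces the 199/99/46 figures. Feed your own notBefore/notAfter pairs to `exceeds_limit` to check a certificate against the phase it was issued under.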
Azure Key Vault Certificates: The Comprehensive Lifecycle Guide
Import, generate, renew, and troubleshoot certificates in Azure Key Vault — with automation patterns for App Gateway, AKS, and API Management
New guide covering Azure Key Vault certificate management end-to-end. Includes a Golden Path quick-start that gets you from a PFX file to App Gateway TLS termination in four commands. Three labeled automation patterns (ACME → Key Vault, Corporate CA → Key Vault, and Event-driven renewal) give you concrete starting points for your pipelines. A defaults-vs-recommended table covers key algorithm, validity period, content type, and EKU configuration. Troubleshooting decision trees now include CLI quick-check commands you can paste directly into your terminal. Full examples for API Management setup and an AKS SecretProviderClass YAML with workload identity.
Golden Path: 4-command workflow from PFX to App Gateway TLS termination
Automation Patterns: ACME, Corporate CA, and Event-driven renewal workflows
Defaults vs Recommended table with EKU guidance for TLS server auth
CLI Quick Checks: paste-ready commands after every troubleshooting tree
AKS SecretProviderClass YAML with workload identity (current best practice)
API Management setup with managed identity and RBAC
Embedded video walkthrough at the top of the guide
Every guide and demo now has the same polished, professional hero section
We've standardized the layout across all 124 guides and 52 demos with new GuideHero and DemoHero components. Every page now features consistent breadcrumbs, back navigation, copy-to-clipboard functionality, and beautiful hero images. This isn't just about aesthetics—it's about making FixMyCert feel like a cohesive platform rather than a collection of individual pages. Whether you're reading about OpenSSL commands or exploring certificate transparency logs, you'll always know exactly where you are and how to navigate.
Unified hero sections: same structure, same functionality, every page
Smart back links: demos link to the demo index, guides to their category
Copy content dropdown: share any guide or demo with one click
Consistent tag colors: amber, blue, purple, green, red, gray
Mobile-responsive: hero sections look great on any device
Prove domain control inside the TLS handshake—no files, no DNS, just TLS
Port 80 blocked? No DNS API? Port 443 is your answer. TLS-ALPN-01 proves domain control during the TLS handshake itself, making it the perfect fit for reverse proxy environments where HTTP-01 and DNS-01 aren't practical. This guide covers RFC 8737 requirements, step-by-step implementations for Caddy, Traefik, lego, and acme.sh, plus the troubleshooting patterns that save you hours of debugging ALPN negotiation failures.
RFC 8737 deep dive: how the acme-tls/1 protocol works
Caddy: zero-config TLS-ALPN-01 with automatic fallback to HTTP-01
Traefik: tlsChallenge configuration with durable storage patterns
lego & acme.sh: standalone mode and zero-downtime HAProxy integration
IPv6 gotchas: why mismatched AAAA records break validation
Comparison table with "Primary Failure Mode" for ops intuition
Complete guide to secure DNS-01 automation with CNAME delegation and provider-specific configurations
DNS-01 validation unlocks wildcards, internal servers, and multi-node deployments—but storing DNS API credentials on web servers is a security nightmare. This guide shows you how to implement DNS-01 automation the right way: using CNAME delegation to separate your primary zone from validation credentials. Whether you're using Cloudflare, Route53, Azure DNS, or Google Cloud DNS, you'll find provider-specific configurations and the security patterns that enterprise PKI teams actually use.
CNAME delegation pattern: keep DNS credentials off production servers
Provider configs: Cloudflare, Route53, Azure DNS, Google Cloud DNS
acme-dns setup: purpose-built DNS server for ACME challenges
Propagation timing: know how long to wait for each provider
Wildcard + apex certificates: handling multi-value TXT records
Security checklist: credential rotation, CAA records, and monitoring
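The two entries above (TLS-ALPN-01 and DNS-01 with CNAME delegation) both come down to the same ACME key-authorization derivation, published in a different place: DNS-01 puts base64url(SHA-256(keyAuthorization)) in a TXT record that the CA reaches by following your CNAME into the validation zone, while TLS-ALPN-01 puts the same raw digest into the acmeIdentifier extension of a self-signed certificate served under the acme-tls/1 ALPN protocol. The following is an added example (not code from the FixMyCert guides or from any ACME client) that carries both derivations through and models why CNAME delegation keeps the primary-zone credential off the renewal host: the client only ever writes to the validation zone. The account key, token, zone names and records are constructed samples, and the resolver is a toy over in-memory dicts, not a DNS lookup.

```python
"""ACME challenge responses for DNS-01 (with CNAME delegation) and TLS-ALPN-01.

Added example, not code from the FixMyCert guides. Derivations follow
RFC 8555 section 8 (key authorization, DNS-01) and RFC 8737 (TLS-ALPN-01).
The account key, token and zone contents are constructed sample values;
resolve_txt is a toy resolver over in-memory dicts, not a real DNS lookup.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires (RFC 8555 via RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the lexically ordered required JWK members."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 8.1: token '.' base64url(thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(key_auth: str) -> str:
    """RFC 8555 8.4: the TXT record holds base64url(SHA-256(keyAuthorization))."""
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


def tls_alpn01_acme_identifier(key_auth: str) -> bytes:
    """RFC 8737 3: acmeIdentifier carries the raw SHA-256 digest as an
    OCTET STRING (the same bytes DNS-01 publishes, minus the base64url)."""
    return hashlib.sha256(key_auth.encode("ascii")).digest()


def resolve_txt(view: dict, name: str, max_hops: int = 8) -> list:
    """Follow CNAMEs like a CA's resolver, then return the TXT values found."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rrset = view.get(name, {})
        if "CNAME" in rrset:
            name = rrset["CNAME"]
            continue
        return list(rrset.get("TXT", []))
    raise ValueError("too many CNAME hops")


def loops(view: dict, name: str) -> bool:
    """True if resolution of name never terminates (loop or hop limit)."""
    try:
        resolve_txt(view, name)
        return False
    except ValueError:
        return True


def validate_dns01(view: dict, domain: str, token: str, account_jwk: dict) -> bool:
    """What the CA checks: the expected digest appears among the TXT values."""
    expected = dns01_txt_value(key_authorization(token, account_jwk))
    return expected in resolve_txt(view, f"_acme-challenge.{domain}")


# --- constructed sample data (not real keys or zones) ------------------------
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate-not-a-real-key",
              "y": "constructed-y-coordinate-not-a-real-key"}
SAMPLE_TOKEN = "constructed-token-Q2hhbGxlbmdl"
DOMAIN = "example.com"
DELEGATED = "a1b2c3.acme-dns.example.net"  # hypothetical validation-zone name

# Primary zone: the one-time CNAME is the only ACME-related record it holds.
PRIMARY_ZONE = {f"_acme-challenge.{DOMAIN}": {"CNAME": DELEGATED}}
# Validation zone: the only zone the renewal host's API credential can write.
VALIDATION_ZONE = {}


def publish_challenge(validation_zone: dict, name: str, txt: str) -> None:
    """Model the ACME client writing with the delegated credential only."""
    values = validation_zone.setdefault(name, {}).setdefault("TXT", [])
    if txt not in values:
        values.append(txt)


def demo_view() -> dict:
    """Resolver view spanning both zones, after the client has published."""
    key_auth = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    publish_challenge(VALIDATION_ZONE, DELEGATED, dns01_txt_value(key_auth))
    return {**PRIMARY_ZONE, **VALIDATION_ZONE}


if __name__ == "__main__":
    view = demo_view()
    print("DNS-01 valid:", validate_dns01(view, DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK))
    ka = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    print("TLS-ALPN-01 acmeIdentifier (hex):", tls_alpn01_acme_identifier(ka).hex())
```

The design point is in the two zone dicts: `PRIMARY_ZONE` never changes after the CNAME is created, so the credential that can write it never needs to live on a web server, and `publish_challenge` only touches `VALIDATION_ZONE`. The `loops` helper covers the failure mode where a delegation CNAME points back at itself, which a CA's resolver will also refuse to follow.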
The simplest path to automated certificates for single-server deployments
HTTP-01 is the most straightforward ACME validation method—no DNS APIs, no complex delegation, just serve a file over port 80. This guide covers Nginx, Apache, and IIS configurations for Certbot and win-acme, plus the operational patterns that keep automated renewals running smoothly. If you're running a standard web server and can expose port 80, HTTP-01 gets you from manual renewals to full automation in under an hour.
Nginx: webroot, standalone, and nginx plugin configurations
Apache: Certbot module integration and .htaccess patterns
IIS/Windows: win-acme and Posh-ACME for automated renewals
Pre/post hooks: restart services and reload configurations
Production hardening: monitoring, alerting, and failover strategies
Decision framework for choosing between HTTP-01, DNS-01, and TLS-ALPN-01 automation
With the CA/Browser Forum sunsetting 11 DCV methods by 2028, automation isn't optional anymore—it's mandatory. But which method should you automate? This guide provides a clear decision algorithm: start with your environment constraints (wildcard needs, port 80/443 access, DNS API availability), then factor in operational complexity and multi-CA flexibility. Whether you're running Kubernetes, managing 10,000+ domains, or just getting started with ACME, you'll find your path.
Visual flowchart: follow the decision tree to your ideal DCV method
Decision algorithm: step-by-step if/then logic for method selection
Side-by-side comparison of HTTP-01, DNS-01, and TLS-ALPN-01
Scenario matrix: find your exact use case and recommended approach
Automatic HTTPS that just works—and what to do when it doesn't
Caddy is famous for its zero-config TLS, but "automatic" doesn't mean "no questions." This comprehensive guide covers everything from the magic of automatic HTTPS to manual certificate configuration, mTLS client authentication, DNS challenges for wildcards, Docker deployment with persistent volumes, and troubleshooting common issues like Cloudflare orange-cloud conflicts. Whether you're deploying Caddy as a reverse proxy or edge TLS terminator, this guide has you covered.
Automatic HTTPS explained: what Caddy does by default and the requirements
Reverse proxy with health checks and load balancing
Manual certificates for enterprise PKI and wildcards
mTLS client authentication with trust bundle options
ACME configuration: staging CA, DNS challenges, ZeroSSL
New section: Disabling or restricting automatic HTTPS
Docker-compose setup with persistent certificate storage
Comparison table: Caddy vs nginx vs Apache for TLS offload
Know which domain validation methods are being eliminated and when to migrate
The CA/Browser Forum is eliminating 11 domain validation methods by 2028. If you're using email-based validation (admin@, webmaster@) or phone calls from your CA, those methods are on the chopping block. This guide covers the three ballots (SC-080, SC-090, SC-091) driving this change, the complete phase-by-phase timeline, migration paths to DNS-01/HTTP-01, and how the infamous WatchTowr .mobi research triggered this industry-wide shift.
Live countdown timers to all four sunset phases
Complete timeline: all 11 methods being eliminated with BR section references
The three ballots explained: SC-080, SC-090, and SC-091
Migration matrix: what to use instead of email and phone validation
WatchTowr research: how a $20 domain purchase exposed WHOIS vulnerabilities
Connection to 47-day certificates: why DCV sunset and shorter validity are the same strategy
Understand the CA/Browser Forum ballot that will reshape your certificate renewal strategy by 2029
SC-081v3 was announced on April 12, 2025, passing with a unanimous 29-0 vote. It's reducing TLS certificate validity from 398 days to just 47 days by March 2029. If you own PKI, certificates, or TLS standards internally, this is now on your roadmap. This guide breaks down the three-phase timeline, explains the dramatic impact on domain validation (from ~4 to ~35 validations per year), and gives both PKI engineers and security managers concrete action items to prepare.
Live countdown timers to all three phase deadlines (March 2026, 2027, 2029)
Full timeline breakdown: certificate validity and DCV reuse at each phase
PKI Engineering section: what changes in your stack (ACME, DNS-01, automation)
Security Manager section: ownership, budgeting, and policy deadlines
The DCV reuse problem: why 10-day validation reuse is the real challenge
Clear callout: private PKI is NOT affected by this ballot
Know exactly what your QSA will ask about certificates and encryption—before the audit starts
PCI DSS 4.0 is now mandatory, and Requirement 4 (protect cardholder data in transit) has stricter cipher and forward secrecy requirements. This comprehensive checklist walks you through scoping, evidence collection, common findings to fix before the QSA arrives, and the exact interview questions you'll face. We've also included a 30-day timeline so you can systematically prepare instead of scrambling.
Requirement 4.2.1 mapping: protocols, ciphers, and key strength requirements
Evidence collection checklists: what to gather before the QSA arrives
Common findings and how to fix them: TLS 1.0, weak ciphers, missing chains
QSA interview prep: the certificate, crypto, and key management questions they ask
Requirement 12.3.3: the new cryptographic inventory requirement
30-day audit prep timeline: systematic preparation, not last-minute panic
Your step-by-step path to a perfect SSL Labs score—no guesswork required
Got a B or C on SSL Labs and not sure what's wrong? This actionable checklist walks you through everything: certificate requirements, protocol configuration, cipher suite ordering, and the magic ingredient for A+ (hint: it's HSTS with a long max-age). We've also catalogued the common pitfalls that kill grades—missing intermediates, legacy TLS protocols, weak DH parameters—so you can fix them systematically.
Choose the right SSL termination strategy for your F5 BIG-IP deployment with this clear comparison guide
One of the most common questions from F5 administrators: "Should I use passthrough, offloading, or bridging?" This guide answers that question definitively with a clear comparison table, decision flowchart, and configuration examples for each approach. You'll understand the trade-offs between end-to-end encryption, L7 features, and WAF protection—plus common mistakes that trip up even experienced engineers.
Quick comparison table: see all three modes at a glance
Decision flowchart: pick the right mode in 30 seconds
Configuration examples for passthrough, offloading, and bridging
Common mistakes: cookie persistence with passthrough, missing HTTP profiles
Finally understand what FIPS 140 actually requires—and how to implement it correctly with OpenSSL 3.x
Most organizations confuse "FIPS capable" (a marketing term) with "FIPS compliant" (an audit-defensible claim). This comprehensive guide clarifies the critical distinction and provides everything you need: OpenSSL 3.x provider architecture explained, openssl.cnf configuration templates, algorithm approval tables, Security Policy boundary requirements, common implementation mistakes, and a complete audit checklist. Whether you're preparing for FedRAMP, DoD, or just want to get FIPS right, this guide has you covered.
FIPS Capable vs Compliant: The critical distinction auditors care about
OpenSSL 3.x provider architecture with FIPS module loading
Algorithm restriction tables: what's approved vs blocked
Security Policy boundaries and operational constraints
Six comprehensive guides mapping DORA, NIS2, NIST, NSA CNSA 2.0, UK CSR Bill, and CA/Browser Forum to certificate lifecycle management
Understanding compliance requirements for PKI shouldn't require deciphering dense regulatory text. We've built a complete Compliance Framework Series with six guides that translate regulatory language into actionable CLM controls. Whether you're preparing for DORA audits, implementing NIS2's cryptography requirements, planning your CNSA 2.0 post-quantum transition, or aligning with UK CSR Bill expectations—each guide includes requirement mapping tables, implementation checklists, and cross-references to help you demonstrate compliance. Non-NSS organizations can also use the CNSA 2.0 guide as a high-water mark for PQ readiness planning.
DORA: 5 pillars mapped to CLM capabilities with 10-minute auditor self-assessment
NIS2: Article 21 cryptography requirements with ENISA/ETSI algorithm guidance
NIST: SP 800-57/52/131A guidelines mapped to practical certificate controls
NSA CNSA 2.0: Post-quantum transition timeline with ML-KEM, ML-DSA requirements
Understand who makes the rules for publicly-trusted certificates and why their decisions affect your PKI
Ever wondered who decides certificate validity periods or why your CA suddenly has new requirements? The CA/Browser Forum is the industry consortium where Certificate Authorities and browser vendors collaborate on the rules governing publicly-trusted certificates. This guide explains who's at the table, how ballots become requirements, and why browser vendors hold the real power. We've added dynamic timelines showing 2025 changes already in effect and major upcoming deadlines, plus enterprise impact callouts so you know exactly how load balancers, appliances, and legacy systems will be affected.
Who participates: CAs (DigiCert, Sectigo, Let's Encrypt) vs browsers (Chrome, Firefox, Safari, Edge)
How changes happen: Ballot process from proposal to 6-18 month implementation
Power dynamics: Why browsers can distrust CAs unilaterally (see Entrust)
Map EU financial regulation to certificate lifecycle management for compliance readiness
The EU's Digital Operational Resilience Act (DORA) is now in effect, and financial services firms need to demonstrate operational resilience across all ICT systems—including certificates. This guide maps DORA's five pillars to concrete CLM capabilities, so you know exactly what auditors will ask about your certificate management. We've included a "10-Minute Auditor Test" self-assessment linked to our Maturity Assessment, a 4-phase implementation roadmap, and country-level enforcement considerations for Germany, France, Netherlands, Ireland, and UK dual compliance.
Five DORA pillars mapped to certificate touchpoints: risk management, incident reporting, resilience testing, third-party risk, information sharing
CLM capability mapping tables for Articles 5-44 with links to relevant guides and runbooks
10-Minute Auditor Test: 8-point self-assessment checklist for certificate visibility
New fields for CAB approval tracking, key generation location, and CSR submission
The Certificate Request Form just got a major upgrade for enterprise PKI teams. You can now specify the certificate usage profile (Server TLS, Client Auth, Code Signing), select your CA source (internal PKI, public CA, or cloud), and track CAB approval IDs for compliance. Indicate where the key will be generated (HSM, server, or requester workstation), choose your integration method (auto-install, manual, or CLM pickup), and paste the CSR directly into the form. For renewals, link back to the existing certificate for audit trails.
Certificate Usage/EKU Profile: Server TLS, Client Auth, Code Signing checkboxes
CA/Issuing Source: Internal PKI, public CA, or cloud CA selection
Discover your certificate management maturity level in 5 minutes with personalized recommendations
Where does your organization stand on the PKI governance spectrum? Our new interactive assessment answers that question with 18 targeted questions across 6 key areas: inventory visibility, lifecycle management, process documentation, automation, compliance readiness, and incident response. In about 5 minutes, you'll get a maturity score (1-5), see exactly which areas need attention, and receive prioritized recommendations linking to the specific FixMyCert tools that can help. Share your results with stakeholders, track progress over time, and build the business case for PKI investments.
18 questions across 6 categories covering full PKI governance spectrum
Complete Windows Server IIS SSL setup from CSR to A+ grade
Windows admins, this one's for you. Our new IIS guide covers everything from generating CSRs in IIS Manager or PowerShell, through certificate installation and SNI bindings, to TLS hardening and SSL Labs A+ optimization. Whether you're managing a single site or a web farm with Centralized Certificate Store, you'll find step-by-step instructions with both GUI and PowerShell approaches. The troubleshooting section tackles the infamous "Cannot find the certificate request" error and five other headaches we've all encountered.
CSR generation: IIS Manager GUI and certreq with SANs
Certificate installation: Complete request, PFX import, and intermediate chains
SNI bindings: Host multiple sites on one IP with SslFlags configuration
TLS hardening: IIS Crypto tool, PowerShell registry, and Group Policy methods
Centralized Certificate Store: Web farm certificate management
6 common issues: Private key problems, binding errors, chain issues with fixes
Track CA/B Forum ballot progress in real-time with voting countdowns and status badges
Wondering if that new certificate requirement is actually going to happen? Now you can follow CA/Browser Forum ballots through their entire lifecycle right in the Compliance Hub. When a ballot enters the voting phase, you'll see an amber "Voting" badge with a countdown showing exactly how many days remain. Once passed, a green "Passed" badge appears with a countdown to the enforcement date. No more checking mailing lists or forum archives—the status comes to you.
Voting countdown: See exactly when ballot voting ends and track progress in real-time
Passed status: Green badge with countdown to enforcement date so you know your runway
Proposed visibility: Purple badge for ballots still under discussion (early warning)
SC-097 tracking: Follow the 47-day certificate validity ballot through its voting period
Automatic HTTPS for your containers and Kubernetes services with Traefik
Running containers and need SSL? Traefik makes it almost too easy—automatic Let's Encrypt certificates, Docker label configuration, and Kubernetes IngressRoute support. Our new guide covers everything from zero-config ACME automation to manual certificate handling for enterprise PKI environments. Whether you're spinning up a Docker Compose stack or managing a Kubernetes cluster, you'll find the exact YAML snippets and troubleshooting tips you need.
Let's Encrypt automation: HTTP-01, TLS-ALPN-01, and DNS-01 challenge configuration
Docker Compose examples: Full stack configs with labels for automatic SSL
Kubernetes IngressRoute: TLS with cert resolvers and Kubernetes Secrets
Manual certificates: File-based configuration for corporate CAs and wildcards
New filtering for crypto migration deadlines and early warning on CA/B Forum ballots still under discussion
Two enhancements to the PKI Compliance Hub make it easier to track what matters to you. Algorithm deprecation deadlines—like RSA key size changes and cipher suite sunsets—now have their own category so you can filter specifically for crypto migration timelines. And when a CA/Browser Forum ballot is still under discussion, you'll see a purple "Proposed" badge giving you early warning before requirements become mandatory. Stay ahead of the curve instead of reacting after the fact.
Algorithm Deprecation category: Filter specifically for RSA/ECC migration timelines and cipher suite changes
Proposed badge: Early visibility into CA/B Forum ballots before they pass
Better planning: See what's coming while you still have time to prepare
Cleaner filtering: Focus on the compliance areas that matter to your infrastructure
Certificate Governance Toolkit - Free Templates for Teams Without CLM
Enterprise certificate governance practices without the enterprise price tag
Managing 50-500 certificates but not ready for a $50K+ CLM platform? We built the Certificate Governance Toolkit for teams stuck in that gap. Instead of scattered spreadsheets and tribal knowledge, you now have professional-grade templates you can use today: a naming convention generator that outputs a complete policy document in 2 minutes, a pre-built inventory spreadsheet with all the fields you need, and a clear maturity ladder showing your path from reactive chaos to audit-ready governance. No email gates, no sales calls—just the foundational governance that makes certificate management predictable.
Naming Convention Generator: 4-step wizard outputs a complete policy document you can paste into your wiki
Certificate Inventory Template: Pre-built spreadsheet with expiration tracking, ownership, and renewal responsibility
Maturity Ladder: Self-assess from Level 1 (Reactive) to Level 5 (Automated) with symptoms and next steps
$50K Gap positioning: Governance you can start today vs. automation you budget for next year
15-minute Quick Start: Clear action path from naming convention to quarterly reviews
CLM Business Case builder: Document the evidence you need to justify future investment
Coming soon: Certificate Request Form template and Governance Maturity Assessment quiz
SSH Certificate Series Complete - 5 Guides from Fundamentals to Enterprise
Master SSH certificates from DIY to enterprise-scale with our complete 5-part guide series
Managing SSH access across hundreds of servers with authorized_keys files? There's a better way. Our complete SSH Certificate series takes you from understanding why certificates beat keys, through hands-on CA setup, to enterprise-grade certificate management with Venafi. Whether you're an SRE eliminating key sprawl or a security architect planning an enterprise rollout, you'll find actionable guidance with real OpenSSH commands you can use today.
SSH Certificates fundamentals: Why certificates beat keys for access management
SSH User Certificates: Eliminate authorized_keys files across your fleet
SSH Host Certificates: Kill TOFU (trust-on-first-use) prompts with cryptographic host identity
SSH Certificate Authority Setup: Build your own CA with OpenSSH in 30 minutes
Venafi SSH Protect: Enterprise SSH certificate management at scale
Clearer scope definitions and practical audit guidance for mapping PKI controls to compliance frameworks
We've expanded the Compliance Framework Mapping page with clearer guidance on what it covers (and what it doesn't). New methodology sections explain the two-layer model - how FixMyCert's operational guides combine with your internal policies to create audit-ready documentation. Each framework now includes specific scope statements so you know exactly which controls are addressed. Plus, a new FAQ section answers the questions we hear most often from compliance teams.
Methodology statement clarifying "supporting evidence" vs. full compliance
Two-Layer Model table: Your policies + FixMyCert procedures = audit-ready
Scope statements for all 6 frameworks (PCI DSS, SOC 2, ISO 27001, NIST, CIS, CA/B Forum)
Get HTTPS running on Apache with mod_ssl - from first setup to production-hardened configurations
You're configuring SSL on Apache and need to know exactly which directives go where. Our new Apache guide covers everything from enabling mod_ssl to production-ready HSTS and OCSP stapling. Whether you're on Debian/Ubuntu or RHEL/CentOS, you'll find distro-specific commands, the critical Apache 2.4 vs 2.2 differences, and a go-live checklist to make sure you haven't missed anything. This completes our Web Servers trifecta alongside nginx and HAProxy.
Distro-specific commands for Debian/Ubuntu and RHEL/CentOS
Stop guessing why your CA rejected your certificate request - get the fix for every common CSR failure
You submitted a CSR and got a rejection email with minimal explanation. Now what? Our new guide covers every reason CAs reject certificate signing requests - from obvious issues like wrong key size to obscure problems like the Debian weak keys disaster (2006-2008). Each rejection category includes practical fixes with OpenSSL commands you can copy and run. Whether your CSR failed for domain issues, formatting problems, rate limits, or validation failures, you'll find the answer here.
Find out what you actually agreed to when you clicked 'I Accept' on that certificate request
Every time you request a certificate from a public CA, you're signing a binding contract. Many people click through without reading - then are surprised when their certificate gets revoked. Our new guide breaks down the six core obligations you agreed to: private key protection (warranties typically state it has NEVER been compromised), information accuracy (ongoing, not one-time), authorized and legal use, no CA operations, prompt revocation reporting, and indemnification. We cover DV/OV/EV differences, prohibited uses, real-world violation scenarios, and how to stay compliant.
Six core subscriber obligations explained with actual CPS language
Private key protection is absolute - you warrant it has NEVER been compromised
Continuous accuracy obligation - you must monitor and report changes within 24h
DV vs OV vs EV obligation differences
Prohibited uses table (nuclear, weapons, air traffic control)
Four real-world violation scenarios with consequences
How to stay compliant - individual and organizational checklists
Links to major CA subscriber agreements (DigiCert, Sectigo, Let's Encrypt, etc.)
FAQ: inherited certs, free certs, name changes, dev environments
Master CA/Browser Forum revocation rules with PKI Pro summaries, OCSP/CRL tuning tables, and role-specific guidance
When Entrust refused to revoke 26,000+ certificates within the required timeframe in 2024, browsers responded by distrusting them entirely. Our comprehensive guide now includes expert-level enhancements: a PKI Pro Quick Scan for experienced practitioners, explicit BR section references (4.9.1.1, 4.9.5), concrete "suspected compromise" scenarios, OCSP/CRL cache tuning recommendations, mass revocation planning guidance per SC088/SC089, and team role tags (PKI/Infra, Security Ops, App Teams) so everyone knows what applies to them. Whether you're a PKI administrator or security engineer, this is the definitive resource for understanding certificate revocation timelines and compliance.
PKI Pro Quick Scan: 60-second summary for experienced practitioners
Two-tier timeline with explicit BR section references (4.9.1.1, 4.9.5)
Concrete suspected compromise scenarios: HSM anomalies, server breach, key exfiltration
OCSP/CRL cache tuning table with practical recommendations
Mass revocation planning guidance per CA/Browser Forum SC088/SC089
Private vs public CA comparison sidebar
Team role tags: PKI/Infra, Security Ops, App Teams
Mozilla delay framing: documented, time-bounded plans required
New FAQs: mass revocation, partial SAN impacts, private CA applicability
Decode any PEM certificate instantly and discover all our PKI tools in one place
We've added a new Certificate Decoder tool that lets you paste any PEM-encoded certificate and immediately see its details—subject, issuer, validity dates, SANs, key info, and fingerprints. No more switching to external sites or running OpenSSL commands. We've also created a dedicated Tools page that showcases all our PKI utilities: the AI Troubleshooter, CSR Checker, SSL/TLS Checker, Cert Decoder, and Compliance Hub. Everything's now easier to find from the navbar.
New Certificate Decoder: paste a PEM cert and see subject, issuer, validity, SANs, key details, and fingerprints
Visual expiry status: green (valid), yellow (expiring soon), red (expired)
Copy fingerprints with one click for verification
New /tools landing page with all PKI utilities in one place
Tools now accessible directly from the navbar
Consistent "Back to Tools" navigation across all tool pages
A curated collection of courses and resources to take your TLS knowledge deeper
Beyond FixMyCert's free demos and guides, sometimes you want to go even deeper. We've added a dedicated Learning Resources page featuring courses I personally recommend. The first featured course is Ed Harmoush's "Practical TLS"—the most comprehensive TLS course I've found, with real Wireshark captures and hands-on labs. Use code FixMyCert for 50% off. We've also added contextual "Want to go deeper?" callouts to our TLS guides with the same recommendation.
New /resources page for recommended courses and learning materials
"Want to go deeper?" callouts added to TLS Handshake, How TLS Works, Cipher Suite, TLS Comparison, and Forward Secrecy guides
Homepage feature card for Practical TLS with 50% discount
Transparency: Affiliate links are clearly labeled throughout
Configure SSL/TLS in HAProxy like a pro—from basic termination to A+ SSL Labs rating
HAProxy powers some of the internet's busiest sites (GitHub, Stack Overflow, Reddit), but its SSL configuration can be tricky—especially the PEM file format that combines cert, chain, and key in one file. Our new 15-section guide walks you through all three SSL modes (termination, passthrough, re-encryption), shows you exactly how to achieve an A+ SSL Labs grade, and includes troubleshooting for the most common errors. Whether you're setting up your first HAProxy instance or debugging "unable to load SSL certificate" at 2am, this guide has you covered.
Three SSL modes explained: Termination, Passthrough, and Re-encryption with traffic flow diagrams
HAProxy PEM format demystified: cert + chain + key in the right order
Production-ready config: Modern cipher suites, HSTS, and security headers for A+ grade
SNI configuration for multiple domains on one IP address
OCSP stapling and mTLS (client certificate authentication) setup
Let's Encrypt automation with renewal hooks and HTTP-01 challenge routing
Troubleshooting section with common errors and debug commands
Share any guide with AI tools or save as clean Markdown with one click
We've added a "Copy" button to every guide, checklist, and educational page on the site. Click it to copy the content in two formats: clean Markdown (preserving headers, code blocks, and lists) or a special AI-optimized version with source attribution. The AI format strips out interactive elements and includes context so ChatGPT, Claude, or your favorite assistant knows exactly where the information came from. Perfect for pasting PKI documentation into your AI conversations or saving guides for offline reference.
Two copy modes: Markdown (for docs/notes) and AI Assistant (with source context)
Smart formatting: Card grids become bullet lists, Pros/Cons get proper structure
Interactive elements stripped in AI mode—no buttons, forms, or demo controls
Works on all 90+ guides, 10 checklists, ADCS deep dives, and case studies
Related Resources formatted as clean clickable links
Master AWS ACM and fix certificate issues fast with our two-part guide set
AWS ACM offers free SSL certificates, but there's a catch: they only work with certain AWS services, the private keys can't be exported, and if you're using CloudFront, your certificate MUST be in us-east-1. We've created two companion guides: a comprehensive deep dive covering ACM vs alternatives, validation methods, and Private CA, plus a fast-reference troubleshooting guide with jump links so you can fix "pending validation", renewal failures, and the us-east-1 CloudFront trap in minutes.
The us-east-1 CloudFront requirement everyone hits at least once
ACM vs Let's Encrypt vs commercial CAs decision tree
Jump links to common issues: pending validation, can't delete, CAA errors
Quick diagnostic commands cheatsheet for CLI troubleshooting
Complete CLI reference for certificate management
15 FAQ questions with structured data for Google rich results
Understand what your certificates are authorized to do—and prepare for the June 2026 ClientAuth deadline
Ever wondered why a code signing certificate can't secure your website? It's all about Extended Key Usage (EKU)—the certificate extension that acts like a job description, telling systems exactly what each certificate is allowed to do. Our new 10-minute EKU guide breaks down the OID system, shows you how to check any certificate's permissions, and explains why the industry is separating ServerAuth from ClientAuth. Plus, a comprehensive 4-phase migration checklist with a live countdown timer to help you prepare before Chrome's June 2026 enforcement deadline.
Prepare for Chrome's June 2026 deadline before your mTLS stops working
Chrome is removing Client Authentication EKU from public TLS certificates by June 2026—and DigiCert and Sectigo are already phasing it out. If you use public certs for mTLS or server-to-server authentication, this guide walks you through the timeline, helps you understand your options (Private PKI, PKI-as-a-Service, or the new X9 PKI for financial services), and provides a 4-phase migration checklist to get you ready before the deadline.
Complete timeline: Chrome June 2026 hard enforcement, DigiCert/Sectigo removal dates
Four migration options explained: Private PKI, PKIaaS, X9 PKI, and separate certificate types
Migration checklist: Discovery, Planning, Implementation, and Cutover phases
F5 BIG-IP specific guidance for Client SSL profile migrations
Dynamic countdown showing months remaining until enforcement
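A worked example, added here and not FixMyCert's own tool code, that ties the Certificate Decoder entry above (subject, issuer, validity, SANs, key info, fingerprints, traffic-light expiry status) to the ClientAuth discovery step this deadline calls for: the same parse that shows a certificate's details also tells you whether a public TLS certificate still carries the Client Authentication EKU and therefore belongs in your migration inventory. It uses the third-party `cryptography` package and generates a constructed self-signed certificate inline so it runs offline; the 30-day "expiring soon" window is an assumption, not the site's decoder threshold.

```python
"""Decode a PEM certificate and flag the Client Authentication EKU.

Added example, not FixMyCert's Certificate Decoder code. Requires the
third-party `cryptography` package (pip install cryptography). The sample
certificate is self-signed and generated inline: constructed test data.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Display names for the EKU OIDs most often seen in TLS certificates.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.9": "OCSPSigning",
}
UTC = datetime.timezone.utc


def make_sample_cert_pem(include_client_auth=True, valid_days=46):
    """Constructed self-signed ECDSA certificate for demonstration only."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "api.example.test")])
    ekus = [ExtendedKeyUsageOID.SERVER_AUTH]
    if include_client_auth:
        ekus.append(ExtendedKeyUsageOID.CLIENT_AUTH)
    now = datetime.datetime.now(UTC)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=10))
        .not_valid_after(now + datetime.timedelta(days=valid_days))
        .add_extension(
            x509.SubjectAlternativeName(
                [x509.DNSName("api.example.test"), x509.DNSName("www.example.test")]
            ),
            critical=False,
        )
        .add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def _aware(dt):
    """Older `cryptography` releases return naive UTC datetimes; normalise them."""
    return dt if dt.tzinfo else dt.replace(tzinfo=UTC)


def decode_pem(pem):
    """Return the fields a decoder shows, plus a clientAuth flag for discovery."""
    cert = x509.load_pem_x509_certificate(pem)
    try:
        sans = cert.extensions.get_extension_for_class(
            x509.SubjectAlternativeName
        ).value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        sans = []
    try:
        ekus = list(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        ekus = []  # no EKU extension: the cert is not restricted to any purpose
    not_after = getattr(cert, "not_valid_after_utc", None) or _aware(cert.not_valid_after)
    not_before = getattr(cert, "not_valid_before_utc", None) or _aware(cert.not_valid_before)
    pub = cert.public_key()
    return {
        "subject": cert.subject.rfc4514_string(),
        "issuer": cert.issuer.rfc4514_string(),
        "not_before": not_before,
        "not_after": not_after,
        "sans": sans,
        "key": f"{type(pub).__name__} {getattr(pub, 'key_size', '?')}-bit",
        "eku_names": [EKU_NAMES.get(o.dotted_string, o.dotted_string) for o in ekus],
        # Discovery check for the June 2026 change: a public TLS cert that still
        # carries clientAuth is one your mTLS migration plan has to cover.
        "has_client_auth": ExtendedKeyUsageOID.CLIENT_AUTH in ekus,
        "sha256_fingerprint": cert.fingerprint(hashes.SHA256()).hex(":"),
    }


def expiry_status(not_after, now=None, warn_days=30):
    """Traffic-light status: 'valid', 'expiring_soon' (assumed 30-day window) or 'expired'."""
    now = now or datetime.datetime.now(UTC)
    if not_after <= now:
        return "expired"
    if not_after - now <= datetime.timedelta(days=warn_days):
        return "expiring_soon"
    return "valid"


if __name__ == "__main__":
    info = decode_pem(make_sample_cert_pem())
    for field, value in info.items():
        print(f"{field:>18}: {value}")
    print(f"{'expiry':>18}: {expiry_status(info['not_after'])}")
```

Run it over your real certificates by replacing `make_sample_cert_pem()` with the bytes of a PEM file; a certificate with no EKU extension at all is reported with an empty `eku_names` list and `has_client_auth` false, which is correct for discovery but worth a second look, because such a certificate is not restricted to any purpose.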
Find any guide, demo, or checklist instantly with Cmd+K
With 92 guides, 51 demos, and 9 checklists, finding exactly what you need was getting harder. Now you can press Cmd+K (or Ctrl+K on Windows) from anywhere on the site to search everything instantly. Type "mTLS" and jump straight to the mutual TLS guide, or search "expired" to find troubleshooting content. We've even added PKI-specific synonyms so searching "SSL" also finds TLS content.
Keyboard shortcut: Cmd+K (Mac) or Ctrl+K (Windows) from any page
152 searchable records across all guides, demos, and checklists
PKI-aware synonyms: SSL/TLS, cert/certificate, ADCS, Venafi, and more
Instant results with keyboard navigation (↑↓ arrows, Enter to select)
Master certificate lifecycle management with vendor-neutral guides written by practitioners, not sales teams
Venafi has had three owners in two years (Thoma Bravo → CyberArk → pending Palo Alto), making honest information harder to find than ever. We've launched The Venafi Series—4 comprehensive guides that cut through the marketing to give you practical knowledge for evaluating, deploying, and operating enterprise CLM. The series spans platform fundamentals through Nmap reconnaissance techniques that turn 12-hour discovery scans into 30-minute jobs.
What is Venafi? Platform overview, ownership history, and honest assessment
Certificate Discovery: Network scanning, agents, and the self-signed certificate challenge
Agent vs Agentless: Trade-offs and real-world hybrid deployment patterns
Nmap Reconnaissance: Pre-discovery workflow that dramatically reduces scan times
Prepare your PKI for the quantum computing era with our comprehensive PQC resources
The quantum clock is ticking—NIST has finalized the first post-quantum standards (FIPS 203-206) and set hard deadlines: deprecate vulnerable algorithms by 2030, remove them entirely by 2035. Our new comprehensive PQC guide explains the "harvest now, decrypt later" threat, walks through all four NIST algorithms (ML-KEM, ML-DSA, SLH-DSA, FN-DSA), and includes a dynamic timeline that updates automatically to show where we are in the transition. Pair it with our 142-checkbox migration checklist covering Discovery through Production deployment.
15-minute comprehensive guide covering quantum threats and NIST solutions
Interactive timeline showing 2024-2035 milestones with auto-updating "NOW" indicator
Algorithm comparison cards for ML-KEM, ML-DSA, SLH-DSA, and FN-DSA
142-checkbox migration checklist across 4 phases: Discovery, Planning, Testing, Production
Check any website's SSL configuration without leaving FixMyCert
Happy New Year! We're shipping the SSL/TLS Configuration Checker—enter any domain and instantly see the grade, certificate details, protocol support, and security features. Powered by the Qualys SSL Labs API, it shows what's working and flags what needs fixing (deprecated TLS versions, missing HSTS, etc.). Links to relevant FixMyCert guides help you fix any issues you find.
Grade display with color coding (A+ green to F red)
What is a CPS? Certificate Practice Statement Explained
Finally understand the document that governs how your CA operates—and what happens when they don't follow it
After Entrust's 2024 distrust, more people are asking "what did they actually violate?" The answer is their CPS—and the Baseline Requirements it implements. This guide demystifies Certificate Practice Statements: what they are, how RFC 3647 structures them, which sections you should actually read (hint: Sections 4 and 9.6), and why CAs that ignore their CPS end up in browser distrust announcements.
CPS vs Certificate Policy: The law vs how you comply
Two new checklists to prevent certificate mistakes and assess your PKI maturity
Installing certificates on F5 BIG-IP? The #1 mistake is forgetting the chain certificate—desktop browsers work fine but mobile devices fail silently. Our new F5 Certificate Checklist walks you through every step from file verification to post-installation cleanup, with the common mistakes table we wish we had years ago. Plus, the PKI Compliance Checklist helps you assess your organization's certificate management maturity with 87 items covering inventory, key security, automation readiness, and the upcoming 47-day certificate lifetime deadline.
F5 BIG-IP SSL Certificate Checklist with 8 sections and troubleshooting table
PKI Compliance Checklist with 11 sections and 87 assessment items
Both include notes on CCADB, crt.sh, and upcoming validity deadlines
Interactive checkboxes save progress to your browser
Finally make sense of F5 SSL profiles and load balancer certificate configuration
If you've ever stared at an F5 BIG-IP wondering why "Client SSL" is where your server certificate goes, you're not alone. We're launching a comprehensive 7-guide F5 series: SSL Profiles explained, Client SSL vs Server SSL decoded, certificate installation, chain configuration, troubleshooting, SSL Labs A+ optimization, and SNI configuration for hosting multiple certificates on a single IP.
SSL Profiles, Client SSL vs Server SSL, and Certificate Installation
Chain Configuration & Troubleshooting Runbook with debug commands
SSL Labs A+ Grade: Cipher config, HSTS, and fixing common grade issues
SNI Configuration: Multiple SSL certificates on one IP address
PKI Disasters Hall of Fame: All 4 Case Studies Live
The complete collection of CA failures that shaped internet security
The PKI Disasters Hall of Fame is now complete with four in-depth case studies spanning 13 years of certificate authority failures. From DigiNotar's catastrophic 2011 breach that may have cost lives in Iran, to WoSign's brazen backdating scheme, Symantec's "too big to fail" moment that proved no CA is untouchable, and Entrust's 2024 compliance saga—each story shows how quickly trust can evaporate. Whether you're managing certificates for a startup or an enterprise, these lessons will help you avoid becoming the next cautionary tale.
DigiNotar 2011: The breach that killed a CA in 3 days
WoSign/StartCom 2016: Backdating, secret acquisitions, and lies
Symantec 2017: 30% of the internet's certs, sold in a fire sale
Stay on top of certificate industry changes without hunting through blogs
Keeping up with PKI news is exhausting—browser trust changes, CA incidents, new validation requirements, shorter certificate lifetimes. Miss an announcement and your certificates might stop working. The new PKI News page aggregates content from 8 authoritative sources including Google Security Blog, Let's Encrypt, DigiCert, and Cloudflare. We filter for PKI-relevant articles and highlight priority items like distrust announcements and security incidents, so you see what matters most.
Curated from 8 industry sources including browser vendors and major CAs
Priority highlighting for distrust, revocation, and security incidents
Category filters: Browser Updates, CA News, Vendors, Research
Automatic keyword filtering for PKI-relevant content only
Copy-paste ready procedures for when certificates break
We've all been there—it's 2am, a certificate expired, and you're scrambling through old notes trying to remember the right sequence of commands. The new Checklists & Runbooks Library gives you structured, tested procedures you can follow step-by-step. Check off items as you go, copy commands directly to your terminal, and get back to bed faster. We're launching with 5 Priority 1 runbooks covering the scenarios you're most likely to hit: certificate renewal, emergency replacement, chain issues, key compromise, and CA migration.
Interactive checklists with progress tracking (saves to browser)
Copy-to-clipboard buttons on all commands
Emergency P1 runbooks for when things break at 2am
Find certificates faster, understand the Entrust situation, and troubleshoot chain problems
The Compliance Hub just got a lot more useful. Ever spent 20 minutes hunting for the correct intermediate certificate? That ends now. The new Chain Reference tab includes verified certificate data for 5 major CAs with SHA-256 fingerprints, direct PEM downloads, and crt.sh links. Plus, if you're still confused about what happened with Entrust, the CA Changes tab gives you the complete 8-event timeline from Google's announcement through Sectigo's acquisition. All data verified against official CA documentation.
Chain Reference with roots & intermediates for Sectigo, DigiCert, Let's Encrypt, GlobalSign, and GoDaddy
Complete Entrust-Sectigo acquisition timeline with customer guidance
SHA-256 fingerprints with copy buttons and direct download links
Let's Encrypt upcoming hierarchy (YE1/YE2/YE3, YR1/YR2/YR3) tracked for mid-2026
Track when browsers stop trusting Entrust certificates
With major browsers announcing distrust of Entrust certificates, we've added a dedicated tracking row to our Compliance Hub's Root Store Comparison table. You can now see at a glance when Chrome, Mozilla, Apple, and Microsoft will stop trusting Entrust-issued certificates. If you're still using Entrust certs, this gives you a clear deadline to plan your migration.
Debug HTTPS issues across CloudFront, Fastly, Cloudflare, and more
CDN certificates are their own special kind of challenge. Origin certificates, edge certificates, SNI requirements—the list goes on. We've created a dedicated series covering the major CDN providers, with guides tailored to each platform's quirks. Next time you see ERR_SSL_VERSION_OR_CIPHER_MISMATCH from your CDN, you'll know exactly where to look.
Provider-specific guides for major CDNs
Common error messages decoded with solutions
Origin vs. edge certificate configuration explained
We surveyed dozens of PKI deployments and found the same mistakes appearing over and over. This 4-part series covers the planning blunders, deployment disasters, operational oversights, and emergency fumbles that catch even experienced teams. Each mistake comes with concrete steps to avoid or fix it. Consider this your PKI deployment checklist.
Finally understand Windows certificate infrastructure inside and out
Active Directory Certificate Services can feel like a black box—until now. Our new ADCS Deep Dive series walks you through every layer, from templates and auto-enrollment to troubleshooting the dreaded "trust chain could not be verified" errors. If you're managing Windows PKI, this series will save you hours of frustration.
Complete coverage from installation to advanced troubleshooting
Get instant, expert-level help diagnosing certificate issues
Stuck on a certificate error at 2 AM? We've added an AI-powered troubleshooter that understands the nuances of PKI. Tell it what you're working with (Venafi? F5? Java?), describe your error, and get step-by-step troubleshooting guidance. It's like having a PKI expert on call, without the consultant fees. We've trained it on real-world scenarios so it gives you actionable commands, not generic advice.
Covers 18+ common products and platforms
Returns verification commands you can run immediately
More ways than ever to visualize how PKI actually works
When we started FixMyCert, we had one goal: make PKI understandable through visualization. This month, we hit a milestone—50 interactive demos covering everything from basic encryption to enterprise cert-manager deployments. Whether you're just learning what a certificate is or you're debugging mTLS in Kubernetes, there's a demo for you.
Demos across 9 categories from fundamentals to enterprise
Track certificate validity deadlines and upcoming requirements
Certificate validity periods are shrinking. Apple, Google, and Mozilla keep proposing shorter lifespans. Our new Compliance Hub tracks all the deadlines you need to know about—from the 90-day proposals to the algorithm deprecation timelines. It's your single source of truth for "what's changing and when."