DORA for Banks: What Compliance Requires in Practice
Published May 25, 2026
Banks are core entities under DORA. What compliance requires in practice — from ICT risk management and third-party risk to certificate and TLS documentation.
Articles for those responsible for certificates, TLS compliance, and supplier documentation — written by people who know the pain of manual processes and audit pressure.
DORA, NIS2, ISO 27001 and GDPR — what auditors expect from certificate management.
Published May 20, 2026
DORA requires documentable ICT risk management. What auditors and supervisors typically ask for — and how certificate documentation fits a DORA audit.
Published May 14, 2026
A practical sequence for DORA implementation — from an ICT asset overview and gap analysis to ongoing documentation and testing.
Published April 30, 2026
DORA's requirements pillar by pillar — ICT risk management, incident reporting, resilience testing, third-party risk and information sharing — and where certificates fit in.
Published April 16, 2026
DORA (Regulation EU 2022/2554) sets requirements for financial entities' digital operational resilience from 17 January 2025. What it is, who it covers, and what it requires.
Published April 15, 2026
Supervisory authorities have a checklist. Here is what they specifically ask about certificates and TLS — and what you should have documented before they come knocking.
Published April 8, 2026
Banks and insurers must comply with both DORA and NIS2 — with overlapping and at times conflicting requirements. Here is what specifically applies to TLS certificates and cryptography management.
Published March 27, 2026
If TLS encryption fails in transit because of an expired certificate, it can trigger a 72-hour notification obligation under GDPR — and this is not a hypothetical situation. Here is when that line gets crossed.
Published March 25, 2026
ISO 27001, NIS2, and internal audits ask concrete questions about TLS certificates. Here is the checklist and what leaves a strong impression.
Published March 13, 2026
Annex A controls on cryptography (A.10) and asset management (A.8) have direct implications for certificate management. Here is what auditors test — and the documentation that makes the difference.
Published March 6, 2026
NIS2 requires documented asset inventory, incident response, and supply chain security. TLS certificates sit at the intersection of all three — and are the area most often unprepared at audit time.
Inventory, monitoring, renewal and avoiding outages at scale.
Published May 20, 2026
CertControl now ships an ACME Server (RFC 8555) and ARI (RFC 9773). Internal Linux and Windows servers running certbot, acme.sh, or win-acme renew automatically — with coordinated fleet renewals and one-click mass-revocation signalling.
Published April 24, 2026
Most expiry outages happen not because no alert was set up — but because it reached the wrong person, or nobody at all. Here is the three-layer alert strategy that actually holds.
Published April 24, 2026
TLS monitoring is not the same as a calendar reminder for expiry dates. It is continuous automated scanning that covers all the ways a certificate and TLS configuration can fail — and alerts you before it happens.
Published April 22, 2026
By 2029 every certificate expires after 47 days. For organisations relying on manual renewal, that means 7–8x more work. Here is the calculation — and when automation pays for itself.
Published April 16, 2026
When a supplier's certificate expires, your integration breaks — and your on-call phone rings. You got no warning and cannot renew it for them. Here is how you get visibility anyway.
Published April 10, 2026
An expired certificate on your CDN edge takes down all traffic behind it — not just one endpoint. Here is why edge certificates are systematically overlooked, and what you do about it.
Published April 10, 2026
A realistic postmortem analysis: how certificate expiry gets past every warning, what it costs to discover in production, and which process changes prevent a recurrence.
Published April 3, 2026
During a cloud migration, endpoints, tooling, and ownership all change — while certificates quietly keep expiring. Here is how to handle the certificate dimension without causing outages mid-migration.
Published March 19, 2026
CLM covers the end-to-end process of managing TLS certificates — from discovery and issuance through monitoring and renewal. This guide explains what the category actually includes and what to look for when evaluating CLM software.
Published January 23, 2026
The CA/Browser Forum has voted: from 2029 certificates are valid for a maximum of 47 days. Manual renewal will not hold. Here is what the transition requires — and how ACME automation makes it manageable now.
Published January 9, 2026
Most teams think they have an overview — then discover blind spots during audits or outages. Here is the methodology for a complete inventory that actually keeps pace with infrastructure changes.
Published December 11, 2025
Spreadsheets tracking supplier certificates become stale faster than they get updated. Here is how to build a process that automatically keeps pace — and gives auditors the documentation they ask for.
Published December 4, 2025
Manual certificate tracking does not scale and fails predictably under pressure. Here is a direct comparison of workload, risk profile, and what is genuinely saved by automating.
Published November 27, 2025
Certificate expiry is almost always a process failure, not a technical one. Here is the structured system that ensures no certificate slips through the cracks — in day-to-day operations or at audit time.
ACME, cert-manager and TLS on nginx, Apache, Azure and F5 — issuing and rotating certificates without downtime.
Published May 2, 2026
Client SSL and Server SSL profiles, cert-key objects, offloading vs bridging — and where the certificates live.
Published April 30, 2026
Application Gateway and Front Door: managed certificates, custom domains, listeners and end-to-end TLS.
Published April 28, 2026
Where TLS is decrypted with offloading, passthrough and bridging — and what it means for certificates and security.
Published April 26, 2026
SSLCertificateFile, SSLProtocol, SSLCipherSuite, stapling and HSTS — a commented VirtualHost.
Published April 24, 2026
Fullchain, modern protocols and ciphers, OCSP stapling and HSTS — a commented nginx configuration.
Published April 22, 2026
Issuer, ClusterIssuer, Certificate and Secret — and ACME HTTP-01 vs DNS-01 — with YAML examples.
Published April 20, 2026
Reload vs restart, graceful reload, rotation behind load balancers and Kubernetes secrets — without dropping connections.
Published April 18, 2026
Why 90-day lifetimes make automation mandatory — and how certbot, win-acme, lego and cert-manager solve it.
Shadow IT, supplier risk and how attackers use your certificate data.
Published April 3, 2026
Before sending a single packet, attackers have a complete picture of your subdomains, exposed services, and forgotten infrastructure — all from public certificate logs. Here is the method, and the counter-move.
Published March 20, 2026
A phishing site targeting your brand can be live within the hour. The TLS certificate issued for it is logged publicly the moment it appears. That is the early warning most teams never set up.
Published February 20, 2026
Developers spin up services and obtain certificates without informing IT. Certificate Transparency logs keep the receipts — and so does CertControl.
Published February 6, 2026
Your team removed the cloud resource but forgot the DNS record. Now anyone can claim it and serve content under your domain — including phishing and malware. Here is how subdomain takeover works and how to find your exposure.
The fundamentals: certificate types, CAs, chains and how trust works.
Published June 1, 2026
Is Let's Encrypt less secure than an expensive CA? No. Understand DV, OV and EV, the pros and cons of the major certificate authorities — and why the priciest CAs are historically the ones that got distrusted.
Published May 27, 2026
Most certificates are free. What you actually pay for with OV/EV, why free is just as secure, and where the real cost hides.
Published May 20, 2026
Let's Encrypt, ZeroSSL, Buypass, Google Trust Services and SSL.com compared — all free, all ACME, all equally trusted.
Published May 13, 2026
Two popular free CAs compared on price, ACME/EAB, OV/EV, API and support — and when each one wins.
Published May 6, 2026
The full range under one roof: ACME with EAB, free DV plus OV/EV, and code and document signing. When SSL.com makes sense.
Published April 29, 2026
Free DV certificates from Google's own CA via ACME (with EAB) — available to everyone, not just Google Cloud.
Published April 22, 2026
The European free CA: free DV via ACME from a Norwegian CA, historically longer lifetimes, and when EU roots matter.
Published April 15, 2026
Free DV via ACME (with EAB) plus paid OV/EV plans and a REST API. What ZeroSSL offers, and how it differs from Let's Encrypt.
Published April 8, 2026
The world's most widely used CA: free DV via ACME, wildcard via DNS-01, and what the rate limits mean in practice.
Published April 2, 2026
Expiry is not a bug but a security feature. Why certificates expire, why lifetimes are shrinking, and how to avoid downtime.
Published March 31, 2026
The file you send a CA to get a certificate: what it contains, why the private key stays home, and how ACME makes it invisible.
Published March 27, 2026
Revocation sounds like an instant security valve. In practice, most browsers choose to fail open when the OCSP responder is unreachable — and compromised certificates remain functional. Here is what revocation actually gives you.
Published March 17, 2026
Three validation levels, same encryption. What DV, OV and EV each prove — and why the EV badge disappeared from the browser.
Published March 11, 2026
One domain, all subdomains, or a list? What each coverage type covers, the blast-radius trade-off, and when to choose which.
Published March 5, 2026
The trusted third party behind every certificate: what a CA does, how roots and intermediates connect, and what happens when trust is lost.
Published February 27, 2026
Missing intermediate certificates, expired chain links, and cross-signed roots produce errors where a site works in Chrome but fails in curl, and they are nearly impossible to debug without understanding the chain. Here is the model.
Published February 24, 2026
SSL is obsolete, TLS is current — yet we still say 'SSL certificate'. Here is the difference and which versions are safe today.
Published February 13, 2026
Without a CAA record, any of the 100+ publicly trusted CAs can issue certificates for your domain. It takes five minutes to close that gap. The vast majority of organisations have not done it yet.
Published February 12, 2026
The small data file behind the padlock: what a certificate contains, how trust is established, and why it always has an expiry date.
Published February 5, 2026
Validation vs coverage: DV/OV/EV, single/wildcard/SAN, plus self-signed and signing. The full picture and when to use which.
Published January 30, 2026
One certificate, one private key, every subdomain. The convenience is real — but if that key is compromised, your entire subdomain surface is exposed at once. That is the price of simplicity.
Published January 16, 2026
Every TLS certificate issued for a public domain is logged permanently and publicly — by design, not by accident. Here is how CT logs work, and how to use them to monitor your attack surface.
How TLS actually works — handshake, versions, HSTS, SNI and stapling.
Published June 1, 2026
The server delivers a fresh revocation response in the handshake itself, which is faster for the user and does not reveal to the CA who visits the site.
Published May 31, 2026
Always force HTTPS — how the header works, what includeSubDomains and preload mean, and the pitfalls that can lock a domain out.
Published May 29, 2026
How one IP can present the right certificate for many domains — and why SNI still reveals which domain you visit.
Published May 27, 2026
Why a leaked private key cannot decrypt past traffic — ephemeral ECDHE explained, and how to ensure it.
Published May 25, 2026
HTTP on top of TLS — what the padlock protects (confidentiality, integrity, identity) and the four things it does not guarantee.
Published May 23, 2026
Obsolete, vulnerable and excluded from compliance — why the old protocols must be turned off, and the config that does it.
Published May 21, 2026
A faster handshake, always-on forward secrecy and a stack of removed weak algorithms — and what you should configure.
Published May 19, 2026
Client Hello, Server Hello, key exchange and session keys — step by step, plus why TLS 1.3 does it in a single round-trip.
Mutual TLS for service-to-service identity, Kubernetes and Zero Trust.
Published May 17, 2026
Transport layer vs application layer for machine-to-machine — and when to combine them.
Published May 16, 2026
Installation, the .p12 format, the certificate prompt and why the UX rarely scales.
Published May 14, 2026
Wrong CA, expired client cert, missing EKU, incomplete chain — five causes and the fix.
Published May 12, 2026
Why "never trust the network" requires cryptographic identity on every connection.
Published May 10, 2026
So the backend only accepts traffic from the gateway. Concrete setup in nginx and Envoy.
Published May 8, 2026
Service mesh, cert-manager and SPIFFE — three routes to mTLS in a cluster, with YAML that works.
Published May 6, 2026
Same encryption, different trust model. Who authenticates whom, and when to choose each.
Published May 4, 2026
Both parties prove identity with a certificate. How mTLS works, when to use it, and how to set it up.
Cipher suites, key exchange, RSA vs ECDSA and testing your TLS configuration.
Published June 1, 2026
openssl, nmap, testssl.sh and SSL Labs — concrete commands and when to use which.
Published May 31, 2026
The concrete attacks — SWEET32, BEAST, POODLE, FREAK — and how to remove the weak ciphers.
Published May 29, 2026
How two parties agree a secret key over an open line — and what forward secrecy protects.
Published May 27, 2026
Why SHA-1 was broken and retired — and how to check your certificates use SHA-256.
Published May 25, 2026
Why the answer depends on AES-NI — and why you should offer both ciphers.
Published May 23, 2026
Performance, compatibility and security compared — and why dual-cert is often the answer.
Published May 21, 2026
Mozilla's modern and intermediate profiles with ready-made nginx and Apache configurations.
Published May 19, 2026
TLS_AES_128_GCM_SHA256 decoded part by part — key exchange, authentication, cipher and MAC.
Diagnosing and fixing the most common TLS and certificate errors.
Published June 1, 2026
The practical guide: protocol, cipher, chain, SAN, expiry and client cert — from one command.
Published May 30, 2026
Separate trust stores (cacerts, Windows store) and missing intermediates — find the cause and fix it.
Published May 28, 2026
Chrome's name for a hostname mismatch — why CN is dead, and how to fix it with SAN.
Published May 26, 2026
TLS inspection, internal CAs and the right way to fix it — without turning validation off.
Published May 24, 2026
The most common production TLS error: a missing intermediate — and the permanent fix.
Published May 22, 2026
Why a valid certificate gets rejected — SAN vs CN, www vs apex and wildcard limits.
Published May 20, 2026
What the error means, how to confirm the dates, and the trap of an expired intermediate.
Published May 18, 2026
Six causes of a failed TLS handshake — and the commands that reveal which one you are facing.
Certificates, supplier documentation, and audit readiness typically land on whoever said yes once five years ago. These articles are for you — to make the process clearer and the outcome defensible.