# Certificate Intelligence — Overview
Blackfort Certificate Intelligence is a central certificate register for the inventory, assessment and governance of certificates and PKI dependencies. The product operates strictly read-only and non-invasively — it makes no changes to production systems and never stores private keys, only the public certificate parts and their metadata.
## Why Certificate Intelligence?
Certificates expire unnoticed, are scattered across many CAs, systems and teams, and nobody has the complete picture of which certificate carries which critical function. Certificate Intelligence establishes this transparency:
- A single inventory across all sources — internal CAs, cloud key stores, network scans and public Certificate Transparency logs in one view.
- Governance per certificate — who is responsible, which critical or important function it carries, whether it is actively used or orphaned.
- Compliance evidence — evaluations with reference to DORA (Art. 8/9/28–30), expiry and revocation status monitoring, detection of weak cryptography.
## Core features
| Area | Function |
|---|---|
| Inventory | Central register, primary key = SHA-256 fingerprint; re-import as upsert (governance fields are preserved) |
| CA connectors | Microsoft ADCS, EJBCA, HashiCorp Vault PKI, smallstep step-ca, Azure Key Vault |
| Active discovery | Own lightweight TLS scanner (host:port, port ranges), Certificate Transparency log monitoring |
| Air-gap | File export/import (exchange-v1), monitored auto-import folders — for isolated segments with no network path |
| Governance | Owner, critical/important function, active/orphaned, free custom columns, audit trail |
| Compliance | DORA evaluations, expiry escalation by service class, weak crypto, key reuse, orphans |
| Revocation status | CRL and OCSP check per certificate (good/revoked/unknown), also via manual CRL upload (air-gap) |
| Chains/trust | Resolution of the issuer chain (AKI/SKI), intermediate/root certificates as their own objects |
| Notification | Microsoft Teams daily digest (expiry, weak crypto, orphans, revoked-but-active) |
| Export | CSV and XLSX from every view |
| Security | Web login with roles (admin writes, viewer reads); agents with API token |
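The "Chains/trust" row above describes resolving issuer chains through AKI/SKI matching and keeping intermediates and roots as objects in their own right. The following is an added illustration of that resolution over inventory metadata; it is not Blackfort's code, the record layout and field names are assumptions, and the sample inventory is constructed (the byte strings stand in for real DER encodings). It goes slightly beyond the table row: because two objects can share an SKI (a CA renewed with the same key pair), a match additionally requires the child's issuer name to equal the parent's subject, and a missing issuer or a loop in the data is reported instead of silently truncating the chain.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CertRecord:
    """Public certificate parts and metadata only; the inventory never holds a private key."""
    fingerprint: str            # SHA-256 over the DER encoding: the register's primary key
    subject: str
    issuer: str
    ski: str                    # Subject Key Identifier, hex
    aki: Optional[str] = None   # Authority Key Identifier, hex; some roots omit it


@dataclass
class ChainResult:
    chain: list                         # leaf first, then intermediates, then the root
    complete: bool                      # True only when the walk ended at a self-signed root
    missing_aki: Optional[str] = None   # AKI that no inventory object matched


def sha256_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def build_index(certs: list) -> dict:
    """Index by SKI. Two objects can share an SKI (a CA renewed with the same key pair),
    so each entry is a list and resolve_chain() disambiguates on the issuer name."""
    index: dict = {}
    for cert in certs:
        index.setdefault(cert.ski, []).append(cert)
    return index


def is_self_signed(cert: CertRecord) -> bool:
    return cert.aki is None or cert.aki == cert.ski


def resolve_chain(leaf: CertRecord, index: dict) -> ChainResult:
    """Walk upward: the child's AKI must equal the parent's SKI and the child's issuer
    name must equal the parent's subject. Stops at a root, at a gap, or at a loop."""
    chain, seen, current = [leaf], {leaf.fingerprint}, leaf
    while not is_self_signed(current):
        parents = [c for c in index.get(current.aki, []) if c.subject == current.issuer]
        if not parents or parents[0].fingerprint in seen:
            return ChainResult(chain, complete=False, missing_aki=current.aki)
        current = parents[0]
        chain.append(current)
        seen.add(current.fingerprint)
    return ChainResult(chain, complete=True)


def chain_report(certs: list) -> dict:
    """Resolve every end-entity certificate (one whose SKI no other object names as AKI)."""
    index = build_index(certs)
    referenced = {c.aki for c in certs if c.aki and c.aki != c.ski}
    return {c.subject: resolve_chain(c, index) for c in certs if c.ski not in referenced}


# Constructed sample inventory; the byte strings stand in for real DER encodings.
ROOT = CertRecord(sha256_fingerprint(b"der:root"), "CN=Example Root CA", "CN=Example Root CA",
                  ski="aa01")
ISSUING = CertRecord(sha256_fingerprint(b"der:issuing"), "CN=Example Issuing CA 1",
                     "CN=Example Root CA", ski="bb02", aki="aa01")
LEAF = CertRecord(sha256_fingerprint(b"der:leaf"), "CN=portal.example.internal",
                  "CN=Example Issuing CA 1", ski="cc03", aki="bb02")
ORPHAN = CertRecord(sha256_fingerprint(b"der:legacy"), "CN=legacy.example.internal",
                    "CN=Decommissioned CA", ski="dd04", aki="ee05")
INVENTORY = [ROOT, ISSUING, LEAF, ORPHAN]

if __name__ == "__main__":
    for subject, result in chain_report(INVENTORY).items():
        state = "complete" if result.complete else f"incomplete, no issuer with SKI {result.missing_aki}"
        print(f"{subject}: {len(result.chain)} object(s), {state}")
```

The intermediate and the root appear once in the index no matter how many leaves hang below them, which is what lets the register treat them as their own objects; the orphaned leaf surfaces with the AKI it could not resolve, which is the value an operator needs to hunt down the missing issuer certificate.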
## Architecture at a glance
```text
CA exporter / scanner / CT log                     Central web register
(read-only, per platform)                          (web UI + database)
────────────────────────────                       ─────────────────────
ADCS      Azure KV    Vault PKI    ──────▶         • Parse & enrich
step-ca   EJBCA       TLS scanner   HTTPS          • Governance layer
                                    ─or─           • DORA evaluations
                                    File           • Revocation status, CT, alerts
                                  (air-gap)
```
- Lean, minimal exporters per CA platform produce lists in a stable, versioned exchange format. All logic resides in the register.
- Two transport paths: HTTPS push with API token (online) or file export/import (air-gap/offline). Same format, same parser.
- Delivery of the register: as a Docker Compose stack or as a VM appliance (OVA) — both fully air-gap capable.
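The two bullets above (a versioned exchange format produced by lean exporters, and one parser behind both the HTTPS push and the file import) together with the "Inventory" row of the feature table (primary key SHA-256 fingerprint, re-import as upsert that preserves governance fields) describe one ingestion path. The following is an added sketch of that path; it is not Blackfort's code, and the JSON layout (`format`, `source`, `certificates`, `der_b64`), the field names and the sample exports are all assumptions or constructed data. Two points a practitioner would check are built in: the fingerprint is recomputed from the DER bytes rather than trusted from the file, and the parser copies only an allow-list of public fields, so whatever else an exporter might emit never reaches the register.

```python
from __future__ import annotations

import base64
import hashlib
import json

SUPPORTED_FORMATS = {"exchange-v1"}
# Fields the exporter owns: refreshed on every import when the source supplies them
SOURCE_FIELDS = ("subject", "issuer", "not_before", "not_after", "key_algorithm", "key_bits")
# Fields the operator owns in the register: an import never touches them
GOVERNANCE_FIELDS = {"owner": None, "function": None, "status": "active", "custom": {}}


def parse_exchange(raw: bytes) -> list:
    """One parser for both transports: the bytes of an exported file or of an HTTPS
    push body. Returns plain records with the fingerprint computed from the DER."""
    doc = json.loads(raw.decode("utf-8"))
    if doc.get("format") not in SUPPORTED_FORMATS:
        raise ValueError(f"unsupported exchange format: {doc.get('format')!r}")
    records = []
    for entry in doc["certificates"]:
        der = base64.b64decode(entry["der_b64"])
        record = {"fingerprint": hashlib.sha256(der).hexdigest(),  # never taken from the file
                  "source": doc["source"]}
        record.update({k: entry.get(k) for k in SOURCE_FIELDS})   # allow-list: other keys are dropped
        records.append(record)
    return records


def upsert(register: dict, records: list, seen_at: str) -> dict:
    """Insert unknown fingerprints, refresh the source fields of known ones, and leave
    the governance fields exactly as the operator set them."""
    counts = {"inserted": 0, "updated": 0}
    for record in records:
        obj = register.get(record["fingerprint"])
        if obj is None:
            obj = {k: (dict(v) if isinstance(v, dict) else v) for k, v in GOVERNANCE_FIELDS.items()}
            obj["sources"] = set()
            register[record["fingerprint"]] = obj
            counts["inserted"] += 1
        else:
            counts["updated"] += 1
        for k in SOURCE_FIELDS:
            if record[k] is not None:          # a sparser source must not blank richer metadata
                obj[k] = record[k]
        obj["sources"].add(record["source"])   # the same certificate seen by several sources merges
        obj["last_seen"] = seen_at
    return counts


def import_file(path: str, register: dict, seen_at: str) -> dict:
    """Air-gap path: an exported file dropped into the monitored import folder.
    The HTTPS push handler would hand its request body to parse_exchange() the same way."""
    with open(path, "rb") as f:
        return upsert(register, parse_exchange(f.read()), seen_at)


# Constructed sample exports; the byte string stands in for a real DER encoding.
DER_PORTAL = b"constructed DER bytes of the portal certificate"


def _export(source: str, **fields) -> bytes:
    entry = dict(der_b64=base64.b64encode(DER_PORTAL).decode("ascii"), **fields)
    return json.dumps({"format": "exchange-v1", "source": source, "certificates": [entry]}).encode()


EXPORT_ADCS = _export("adcs:ca01", subject="CN=portal.example.internal",
                      issuer="CN=Example Issuing CA 1", not_after="2025-03-01T00:00:00Z",
                      key_algorithm="RSA", key_bits=2048)
EXPORT_SCAN = _export("tls-scan:dmz", subject="CN=portal.example.internal",
                      not_after="2025-03-01T00:00:00Z")   # a scan reports less than the CA does


def demo() -> tuple:
    """CA export first, governance entered by the operator, then the scanner sees the same cert."""
    register: dict = {}
    first = upsert(register, parse_exchange(EXPORT_ADCS), seen_at="2024-01-10")
    fp = next(iter(register))
    register[fp]["owner"] = "platform-team"      # governance entered in the web UI
    register[fp]["function"] = "critical"
    second = upsert(register, parse_exchange(EXPORT_SCAN), seen_at="2024-01-11")
    return register, first, second


if __name__ == "__main__":
    reg, first, second = demo()
    for fp, obj in reg.items():
        print(fp[:16], obj["owner"], obj["function"], sorted(obj["sources"]), obj["issuer"])
    print(first, second)
```

Keying on the fingerprint is what makes the second import an update rather than a duplicate: the CA export and the scanner both carry the same DER, so they collapse into one object whose owner and function survive, while the list of sources that have seen it grows. An exporter that emits an unknown format version is rejected outright rather than parsed on a best-effort basis.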
## Continue to …
- User guide — day-to-day work with the web register (inventory, governance, evaluations, notifications).
- Installation guide — setup of register, exporters and scanner (restricted).
Read-only, non-invasive
Certificate Intelligence establishes transparency over the certificate landscape without intervening in production systems. It is an inventory, not a key store — private keys are never read, transmitted or stored at any point.