Finally Understand PKI & TLS
See It In Action
Interactive visualizations that make complex concepts click
Visual Handshakes
Watch TLS packets fly between client and server. Understand exactly when encryption kicks in.
Chain Validation
See how browsers traverse the trust chain from leaf to root, and why intermediate certs matter.
Failure Scenarios
Simulate expired certs, revocations, and MITM attacks to learn how to troubleshoot real incidents.
Learn By Doing
Visual, step-by-step demonstrations of PKI concepts. Click through to understand how things actually work.

Java Keytool Commands
Essential keytool commands for managing Java keystores. Import, export, list, and delete certificates and keys.

TLS Handshake Step-by-Step
Step through the TLS 1.2 and 1.3 handshake message by message. See ClientHello, ServerHello, and more.

TLS Cipher Suite Decoder
Decode cipher suite strings like TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. Understand key exchange, encryption, and MAC.

Code Signing Certificates
See how code signing certificates verify software authenticity and integrity. Interactive signing and verification demo.

SSH Certificate Anatomy
Explore SSH certificate structure interactively. Understand principals, validity, extensions, and how SSH certificates differ from X.509.

How TLS Works
Big-picture overview of how TLS secures web traffic. See the handshake, key exchange, and encrypted data flow.

TLS Version Comparison
Compare TLS 1.0, 1.1, 1.2, and 1.3. Understand security improvements and migration requirements.

DV vs OV vs EV Certificates
Compare Domain, Organization, and Extended Validation certificates. Understand validation requirements and use cases.

Encryption Fundamentals
Learn symmetric vs asymmetric encryption fundamentals. Interactive demo shows AES, RSA, and why TLS uses both.

SSL/TLS Diagnostic Troubleshooter
Diagnose SSL/TLS connection problems systematically. Interactive troubleshooter for common issues.
Start Learning
In-depth guides for real-world PKI challenges. From installation to troubleshooting.

HAProxy SSL Certificate Configuration
Learn how to configure SSL/TLS certificates in HAProxy. Covers SSL termination, passthrough, cipher suites, and achieving an SSL Labs A+ grade.

Extended Key Usage (EKU) Explained
What EKU is, why it matters, and how to check yours. Covers common EKUs, OID system, and the ClientAuth sunset.

NIST Certificate Management
Map NIST key management and cryptography standards to certificate lifecycle management. Covers SP 800-57, 800-52, 800-131A with practical CLM implementation guidance.

DCV Methods Sunset Timeline
Complete timeline of CA/Browser Forum ballots SC-080, SC-090, SC-091 eliminating 11 domain validation methods by 2028. Email, phone, and WHOIS-based validation are being sunset.

WoSign/StartCom 2016: Lies, Backdating, and Secret Acquisitions
The story of WoSign's systematic deception - backdating certificates, hiding acquisitions, and the consequences of getting caught.

Automating DNS-01 with DNS APIs
Complete guide to DNS-01 automation with DNS provider APIs. Learn CNAME delegation, security best practices, and provider-specific configurations for Cloudflare, Route53, Azure DNS, and more.

F5 Certificate Installation
Step-by-step guide to importing certificates, keys, and chains into F5 BIG-IP. GUI and tmsh methods.

F5 SSL Passthrough vs Offloading vs Bridging
Understand when to use SSL passthrough, offloading, or bridging on F5 BIG-IP. Configuration examples, use cases, and security trade-offs.

Client Authentication EKU Sunset
Chrome and major CAs are removing Client Authentication EKU from public TLS certificates by June 2026. Learn who's affected, key deadlines, and migration options.

SSH Certificate Authority Setup
Create your own SSH CA with native OpenSSH. Key generation, protection levels, distribution, signing workflow, and operational procedures.
Explore Our Guide Series
Multi-part deep dives into complex PKI topics

CDN SSL Troubleshooting
Cloudflare, Akamai, AWS CloudFront

Microsoft ADCS Deep Dive
Active Directory Certificate Services for Enterprise PKI

F5 BIG-IP SSL Series
Master SSL/TLS on F5 load balancers

The Venafi Series
Machine identity management explained
What's New
Here's what we've been building for you
New: DNS-PERSIST-01 Guide + Security Analysis Blog Post
Comprehensive guide to the new persistent ACME DNS validation method (SC-088v3) plus a companion blog post analyzing 5 security assumptions that change with persistent authorization
DNS-PERSIST-01 is the biggest change to ACME certificate validation since DNS-01 was introduced. The CA/Browser Forum approved it unanimously, Let's Encrypt announced support, and production rollout is expected Q2 2026. We published a full guide covering how it works, how it compares to DNS-01, scope controls, security tradeoffs, implementation timeline, and a decision framework to help you decide when to adopt. We also wrote a companion blog post that goes deeper on the security side — five specific assumptions that change when your certificate validation becomes persistent, and what your team should do about each one. Both resources include video walkthroughs.
Share Checklists & Runbooks with Your Team
All checklists and runbooks now have LinkedIn, X, and copy-link sharing buttons so you can easily send them to colleagues
Every checklist and runbook on FixMyCert now has social sharing buttons built right into the sticky progress bar. Share a checklist with your team on LinkedIn, post it on X, or copy the link to drop into Slack or email. This was one of the most requested features — when you find a checklist that solves a real problem, you should be able to share it in two clicks.
New: 47-Day Readiness Audit Checklist (82-Point Assessment)
A structured audit to assess whether your PKI infrastructure is ready for 47-day certificate validity — covering automation, DCV, monitoring, and team readiness
With the March 15, 2026 Phase 1 deadline approaching, we built a comprehensive 82-point readiness audit that walks you through every area that matters: certificate discovery, renewal ownership, DCV readiness, ACME pipelines, deployment automation, monitoring, and organizational preparedness. Unlike a generic compliance checklist, this one is specifically designed around the SC-081v3 timeline. It includes a built-in readiness scoring guide so you can quickly assess where you stand — Ready, On Track, At Risk, or Critical — and prioritize accordingly. We also completely rewrote the F5 BIG-IP SSL Certificate Checklist with 52 items covering tmsh commands alongside GUI steps, PFX conversion instructions, chain warnings, and a full FAQ section.
Stay Compliant
Certificate validity periods are shrinking. Track deadlines and requirements with our live compliance hub.
Practical Tools
Validate CSRs, diagnose issues, and track compliance. All the tools you need in one place.
PKI Priority Planner
Find out if your team is working on the right PKI priorities. Get a personalized action plan based on your environment and compliance deadlines.
CSR Checker
Validate and decode Certificate Signing Requests. Check for common issues before submitting to a CA.
PKI Troubleshooter
AI-powered diagnostic tool for SSL/TLS certificate issues. Get step-by-step solutions.

Practical TLS by Ed Harmoush
The most comprehensive TLS course available. Real Wireshark captures, hands-on labs, and explanations that actually make sense. Use code FixMyCert for 50% off.
Disclosure: I earn a commission if you purchase through this link, at no extra cost to you.
Built for IT Professionals
DevOps & SREs
Debug ingress issues and automate certificate rotation with confidence.
Security Engineers
Visualize threat models and explain PKI concepts to stakeholders.
Network Engineers
Deep dive into TLS 1.2 vs 1.3, ciphers, and handshake performance.



