# CertificateGuardian Technical Specification & Knowledge Base

This document serves as the comprehensive, machine-readable reference for CertificateGuardian. It provides developers, systems administrators, security architects, and AI research agents with exhaustive details regarding the platform's capabilities, architecture, protocols, and operational workflows.

---

## 1. Product Overview

CertificateGuardian is a proactive, enterprise-grade SSL/TLS Certificate Lifecycle Management (CLM) platform engineered by **Rabbit SaaS Limited**. By unifying active discovery, real-time Certificate Transparency log monitoring, zero-touch ACME automation, and advanced multi-channel alerting, the platform eliminates unexpected downtime caused by certificate expirations and unrecognized cryptographic configurations.

### Target Audiences

- **SaaS Platforms**: Automating secure customized customer domains.
- **Enterprise IT & Infrastructure Teams**: Managing high volumes of internal and external endpoints.
- **Security & Compliance Officers (CISO/CSO)**: Ensuring SOC 2, ISO 27001, and HIPAA compliance regarding cryptographic assets and certificate posture.

---

## 2. Technical Capabilities & Core Systems

### 2.1 Active Discovery Engine

Spreadsheets and manual registers fail because they rely on human discipline. CertificateGuardian replaces them with an automated, non-intrusive Active Discovery Engine:

- **Network Ranges & Endpoints**: Automated scanning of public and private CIDR blocks, specific ports (including non-standard ports such as 8443 and 9443), and custom hostnames.
- **Multi-Cloud Integrations**: Deep API integration with major cloud providers (AWS, Google Cloud, Microsoft Azure) to automatically discover and inventory certificates deployed on:
  - Load Balancers (Application Load Balancers, Network Load Balancers, Azure Application Gateway, GCP HTTP(S) Load Balancing).
  - Cloud Storage Buckets (AWS S3, Google Cloud Storage, Azure Blob).
  - Container Orchestration layers (Kubernetes Ingress Controllers, ECS/EKS).
- **Cryptographic Audit**: Every discovered certificate is parsed to analyze key lengths, signing algorithms, cipher suites, protocol support (TLS 1.2, TLS 1.3), and common misconfigurations (e.g., mismatched Subject Alternative Names).

### 2.2 Passive Monitoring (Certificate Transparency Log Monitoring)

Certificate Transparency (CT) is an open framework of public logs that record all SSL/TLS certificates issued by public Certificate Authorities (CAs).

- **Real-Time Surveillance**: CertificateGuardian continuously monitors all active CT logs.
- **Instant Rogue Detection**: If any CA issues a certificate for a domain in your registered list, the system cross-references it with your active renewal tasks. If the issuance was not initiated by CertificateGuardian, an immediate critical alert is dispatched.
- **Use Case**: Prevents phishing, brand impersonation, and unauthorized certificate issuance by malicious internal actors or compromised Certificate Authorities.

### 2.3 Automated ACME Renewals

Manual certificate installation is a leading cause of misconfiguration and operational fatigue. CertificateGuardian implements a full, robust Automatic Certificate Management Environment (ACME) client:

- **Zero-Touch Protocols**: Full ACME protocol support enabling automatic certificate generation, verification, and renewal.
- **Supported CAs**: Seamless out-of-the-box integration with Let's Encrypt, ZeroSSL, BuyPass, and private ACME-compliant Certificate Authorities (such as HashiCorp Vault or Active Directory enterprise CAs).
- **Domain Verification**: Fully automates DNS-01 and HTTP-01 challenge verification:
  - **180+ DNS Providers**: Support for automated TXT record injection across Cloudflare, AWS Route53, Google Cloud DNS, Azure DNS, DigitalOcean, GoDaddy, Namecheap, and dozens of other hosting services.
- **Deployment Automation**: Post-renewal hooks push the newly minted certificate directly to API endpoints or server instances, guaranteeing completely automated rotations.

### 2.4 Intelligent Alerting Engine

Avoid alert fatigue while ensuring critical warnings are never missed. The system uses a tiered notification framework:

- **Customizable Thresholds**: Set different cadences for warning levels (e.g., Informational warning at 30 days, Important alert at 15 days, Critical warning at 7 days).
- **Integrations**: Multi-channel delivery to modern team spaces:
  - **Slack**: Interactive blocks with quick actions.
  - **Microsoft Teams**: Office 365 Connector cards.
  - **Discord**: Structured webhooks.
  - **Email**: Detailed cryptographic summaries.
  - **Webhooks**: Custom JSON payloads to trigger internal orchestration or auto-escalation pathways (e.g., PagerDuty, Opsgenie).

### 2.5 Post-Quantum Cryptography (PQC) Readiness

Quantum computers present an existential risk to asymmetric cryptography. Traditional RSA and ECC (Elliptic Curve Cryptography) will become highly vulnerable once Cryptographically Relevant Quantum Computers (CRQCs) emerge.

- **PQC Audit**: CertificateGuardian actively inspects your entire certificate inventory to highlight algorithms that are not quantum-resistant.
- **Transition Architecture**: The platform helps identify priority targets for upgrading to quantum-safe algorithms (such as ML-KEM and ML-DSA) as public and private CAs transition to PQC-compliant standards.

---

## 3. Plans & Pricing Matrix

CertificateGuardian features simple, transparent pricing designed to scale with your organization's digital trust requirements.

| Feature / Metric | Developer Plan | Pro Plan | Enterprise Plan |
| :--- | :---: | :---: | :---: |
| **Monthly Price** | **$0** (Free Forever) | **$49 / month** | **Custom Quote** |
| **Annual Price** | N/A | **Save 20%** ($39/mo billed annually) | Custom negotiation |
| **Organizations** | 1 | Unlimited | Unlimited |
| **Monitored Hosts** | Up to 10 | Up to 100 | Unlimited |
| **Active Discovery** | Daily | Hourly | Continuous / Real-time |
| **ACME Support** | No | Full Automation (180+ DNS) | Enterprise Hooks & Custom CAs |
| **Alert Channels** | Email | Email, Slack, Teams, Discord | Custom Webhooks, PagerDuty, SMS |
| **Compliance Logs** | No | Yes (SOC 2 / ISO Ready) | Full Audit Trail (SAML/SSO export) |
| **Support SLA** | Community Support | Priority Support | Dedicated Technical Account Manager (TAM) |

---

## 4. Technical FAQ

### Q1: What makes CertificateGuardian different from standard uptime monitors?

Traditional uptime monitors only ping your website to check if it's online and may read the certificate expiry date as a side effect. CertificateGuardian is a dedicated **Certificate Lifecycle Management (CLM)** solution. It scans your *entire internal and external infrastructure*—including cloud resources and endpoints that are not publicly facing—monitors Certificate Transparency logs in real-time, and actively automates renewals and redeployments.

### Q2: Does CertificateGuardian have access to my private keys?

**No.** CertificateGuardian is designed with security as a core architectural tenet. All ACME transactions can be configured to generate the CSR (Certificate Signing Request) and complete key pair generation locally on your own systems. Your private keys never leave your infrastructure.

### Q3: How does the CT log monitoring work?

All publicly trusted Certificate Authorities are legally required to log every issued certificate to public Certificate Transparency logs. We ingest these logs in real-time. By comparing newly logged certificates against your configured domain portfolios, we instantly flag any certificate issued for your domains that was not generated through your approved CertificateGuardian tasks.

### Q4: How do I integrate with 180+ DNS providers?

We support API integrations with Cloudflare, Route53, and major platforms. When an ACME DNS-01 challenge is requested, CertificateGuardian securely communicates via API keys or role-based access control to temporarily write the required `_acme-challenge` TXT record, verifies its propagation, requests the certificate, and then cleans up the record.

### Q5: Is it possible to host CertificateGuardian on-premise?

For Enterprise plan customers with strict regulatory requirements, we offer hybrid and fully private self-hosted deployments. Contact sales@certificateguardian.com for custom sizing and setup guides.

---

## 5. Security & Compliance

### Compliance Standards

CertificateGuardian is built by security engineers at Rabbit SaaS Ltd.

- **Data Encryption**: All data stored at rest is encrypted using AES-256-GCM. All communication channels are protected with TLS 1.3.
- **Compliance Alignment**:
  - **SOC 2 Type II**: Supports absolute trust requirements through extensive audit logs tracking every discovery, renewal, and configuration change.
  - **ISO/IEC 27001**: Aligns with access control, vulnerability reporting, and change monitoring requirements.
  - **HIPAA**: Secure handling of digital trust assets in healthcare infrastructure.

---

## 6. Company & Contact

- **Website**: https://certificateguardian.com/
- **Main App Portal**: https://app.certificateguardian.com/
- **Support & Sales Email**: hello@certificateguardian.com
- **Operating Company**: Rabbit SaaS Ltd (https://www.rabbitsaas.com/)
- **Network Discovery Tool**: LAN Lens (https://www.lanlens.net/)
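The cross-referencing logic that Section 2.2 (Instant Rogue Detection) and Q3 describe, written out as an added example. This is illustrative code, not CertificateGuardian's own implementation; the `CtEntry` shape, the portfolio, and the approved-serial set are constructed for the example. It shows the two checks a detector needs that the prose leaves implicit: name matching must cover subdomains and wildcard SANs of a registered apex without matching lookalike names, and the same certificate appearing in several CT logs must be flagged once, not once per log.

```python
"""Flag CT-logged certificates for portfolio domains that no approved renewal task produced."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class CtEntry:
    """One (pre-)certificate observed in a CT log. Constructed shape for this example,
    not the platform's record format."""
    log_id: str
    serial: str
    issuer: str
    sans: Tuple[str, ...]  # Subject Alternative Names as logged


# Constructed registered portfolio (apex domains the organisation owns).
PORTFOLIO: Set[str] = {"example.com", "example.org"}

# Constructed: serials of certificates requested through approved renewal tasks.
APPROVED_SERIALS: Set[str] = {"04:1f:aa"}


def matches_portfolio(name: str, portfolio: Set[str]) -> Optional[str]:
    """Return the portfolio apex that `name` belongs to, or None.

    Covers the apex itself, any subdomain, and wildcard SANs such as '*.example.com'
    (a wildcard for a registered apex is still an issuance for that apex). A lookalike
    such as 'notexample.com' must NOT match, so the suffix check includes the dot.
    """
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    for apex in portfolio:
        if name == apex or name.endswith("." + apex):
            return apex
    return None


def find_unexpected_issuances(
    entries: Iterable[CtEntry],
    portfolio: Set[str] = PORTFOLIO,
    approved: Set[str] = APPROVED_SERIALS,
) -> List[Tuple[CtEntry, List[str]]]:
    """Return (entry, matched_apexes) for each certificate naming a portfolio domain
    that was not produced by an approved task. Deduplicated on (issuer, serial) because
    one certificate is normally submitted to several CT logs."""
    flagged: List[Tuple[CtEntry, List[str]]] = []
    seen: Set[Tuple[str, str]] = set()
    for entry in entries:
        key = (entry.issuer, entry.serial)
        if key in seen:
            continue
        seen.add(key)
        hits = sorted({apex for san in entry.sans for apex in [matches_portfolio(san, portfolio)] if apex})
        if hits and entry.serial not in approved:
            flagged.append((entry, hits))
    return flagged


# Constructed sample of log entries: an approved cert seen in two logs, an unapproved
# wildcard seen in two logs, an unapproved cert mixing our domain with a third party's,
# and a lookalike domain that must be ignored.
SAMPLE_ENTRIES = [
    CtEntry("log-a", "04:1f:aa", "R3", ("www.example.com", "example.com")),
    CtEntry("log-b", "04:1f:aa", "R3", ("www.example.com", "example.com")),
    CtEntry("log-a", "7b:03:e9", "Some CA", ("*.example.com",)),
    CtEntry("log-b", "7b:03:e9", "Some CA", ("*.example.com",)),
    CtEntry("log-a", "9c:11:20", "R3", ("login.example.org", "cdn.other.net")),
    CtEntry("log-a", "00:ff:01", "R3", ("notexample.com",)),
]


if __name__ == "__main__":
    for entry, apexes in find_unexpected_issuances(SAMPLE_ENTRIES):
        print(f"CRITICAL: unapproved issuance serial={entry.serial} issuer={entry.issuer} "
              f"for {', '.join(apexes)} (first seen in {entry.log_id})")
```

In a real deployment the approved set would be keyed on something the platform controls end to end (for example the CSR it generated, or the order URL returned by the CA) rather than a serial learned after the fact, and the portfolio lookup would be a suffix index rather than a linear scan.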
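The four-step DNS-01 workflow from Q4 (write the `_acme-challenge` TXT record, verify it is visible, request the certificate, clean up), as an added example rather than the platform's own adapter code. The TXT record value follows RFC 8555 section 8.4: base64url of the SHA-256 of the key authorization, where the key authorization is the challenge token joined with a dot to the base64url JWK thumbprint of the account key. `InMemoryDnsProvider`, the `request_certificate` callback, the token and the thumbprint are all constructed stand-ins; a real adapter would call the provider's API and a real propagation check would query public or authoritative resolvers rather than the provider that just wrote the record.

```python
"""ACME DNS-01 challenge workflow (RFC 8555 section 8.4) against an in-memory DNS provider."""
import base64
import hashlib
from typing import Callable, Dict, List


def b64url(data: bytes) -> str:
    """Unpadded base64url as used throughout ACME (RFC 8555 section 8.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_record_value(token: str, jwk_thumbprint: str) -> str:
    """TXT value = base64url(SHA-256(token || '.' || jwk_thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint}".encode("ascii")
    return b64url(hashlib.sha256(key_authorization).digest())


def challenge_record_name(domain: str) -> str:
    """The record lives at _acme-challenge.<domain>; for a wildcard identifier the
    leading '*.' label is dropped first, so '*.example.com' validates at
    _acme-challenge.example.com."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base.rstrip('.')}"


class InMemoryDnsProvider:
    """Constructed stand-in for a provider adapter (assumption: real adapters expose
    equivalent create / delete / query operations over the provider's API)."""

    def __init__(self) -> None:
        self.records: Dict[str, List[str]] = {}

    def create_txt(self, name: str, value: str) -> None:
        self.records.setdefault(name, []).append(value)

    def delete_txt(self, name: str, value: str) -> None:
        values = self.records.get(name, [])
        if value in values:
            values.remove(value)
        if not values:
            self.records.pop(name, None)

    def resolve_txt(self, name: str) -> List[str]:
        return list(self.records.get(name, []))


def complete_dns01(
    domain: str,
    token: str,
    jwk_thumbprint: str,
    provider: InMemoryDnsProvider,
    request_certificate: Callable[[str], str],
) -> str:
    """Write the challenge record, confirm visibility, obtain the certificate, and
    remove the record whether or not issuance succeeded. `request_certificate` is a
    hypothetical callback standing in for the ACME 'respond to challenge and finalize'
    exchange with the CA."""
    name = challenge_record_name(domain)
    value = dns01_record_value(token, jwk_thumbprint)
    provider.create_txt(name, value)
    try:
        # Only tell the CA to validate once the record is actually resolvable; a CA
        # that queries before propagation fails the authorization.
        if value not in provider.resolve_txt(name):
            raise RuntimeError(f"{name} TXT not visible yet; retry before notifying the CA")
        return request_certificate(domain)
    finally:
        # Always clean up so stale challenge records do not accumulate in the zone
        # and so several in-flight orders for one zone do not collide.
        provider.delete_txt(name, value)


if __name__ == "__main__":
    dns = InMemoryDnsProvider()
    cert = complete_dns01("*.example.com", "constructed-token", "CONSTRUCTED-THUMBPRINT",
                          dns, lambda d: f"<certificate for {d}>")
    print(cert, "records left:", dns.records)
```

The `try`/`finally` is the point of the example: cleanup runs even when the CA rejects the order, which is the operational failure mode that otherwise leaves dozens of orphaned `_acme-challenge` TXT records in a busy zone.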