RFC 8555 (ACME) · RFC 9162 (Certificate Transparency v2) · CA/Browser Forum BR · PCI-DSS Req 4.2 · Deep Prototype

TLSCertInventory — TLS Certificate Fleet Inventory

22 TLS certificates × SAN coverage, days-to-expire, ACME provider, key algorithm + size, OCSP stapling, Certificate Transparency log status. Surfaces 4 expiring <30 days + 2 with weak crypto (RSA-2048 — should migrate to ECDSA P-256 or RSA-4096) + 1 missing-CT-log entry.

What it is

The cert-fleet audit every modern infrastructure team needs. cert-manager handles 90% via ACME auto-renew; the remaining 10% (manual / customer-pinned / internal-CA) is where the failures live.

What’s in it

  • 22 certs across public-facing (Let’s Encrypt + cert-manager), internal mTLS (HashiCorp Vault PKI), customer-managed (DigiCert manual), legacy
  • Per cert: CN, SANs, issuer, provider, key algorithm, days-to-expire, auto-renew flag, OCSP stapling, CT log status
  • Worst-offender findings: customer-x cert expiring in 24d, RSA-2048, manually managed; old vendor cert expiring in 14d (let it expire); legacy domain cert not in CT log
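
The triage rules behind those findings can be sketched as follows. This is an added example, not the tool's own code: the record field names (`keyAlg`, `keyBits`, `notAfter`, `autoRenew`, `publicTrust`, `ctLogged`) and the sample fleet are assumptions constructed for illustration.

```javascript
// Added example: field names and sample records are constructed, not the tool's data.
const DAY_MS = 24 * 60 * 60 * 1000;
const EXPIRY_WINDOW_DAYS = 30; // the page's "expiring <30 days" threshold

// Page policy: RSA-2048 (and anything smaller) should migrate to ECDSA P-256 or RSA-4096.
function isWeakKey(cert) {
  return cert.keyAlg === "RSA" && cert.keyBits <= 2048;
}

function daysToExpire(cert, now) {
  return Math.floor((Date.parse(cert.notAfter) - now.getTime()) / DAY_MS);
}

// Returns one entry per cert with at least one finding, soonest expiry first.
function auditFleet(certs, now) {
  const report = [];
  for (const cert of certs) {
    const days = daysToExpire(cert, now);
    const findings = [];
    if (Number.isNaN(days)) {
      findings.push("unparseable-expiry"); // never let a bad date pass silently
    } else if (days < 0) {
      findings.push("expired");
    } else if (days < EXPIRY_WINDOW_DAYS) {
      // An auto-renewed cert inside the window may point at a stalled renewal;
      // a manual one needs a person to act.
      findings.push(cert.autoRenew ? "expiring-auto" : "expiring-manual");
    }
    if (isWeakKey(cert)) findings.push("weak-key");
    // Only publicly trusted certs are expected in CT logs; internal-CA certs are not.
    if (cert.publicTrust && !cert.ctLogged) findings.push("missing-ct");
    if (findings.length > 0) report.push({ cn: cert.cn, days, findings });
  }
  return report.sort((a, b) => a.days - b.days);
}

// Constructed sample fleet mirroring the kinds of certs the page lists.
const NOW = new Date("2025-01-01T00:00:00Z");
const SAMPLE_FLEET = [
  { cn: "www.example", keyAlg: "ECDSA", keyBits: 256, notAfter: "2025-03-15T00:00:00Z", autoRenew: true, publicTrust: true, ctLogged: true },
  { cn: "customer-x.example", keyAlg: "RSA", keyBits: 2048, notAfter: "2025-01-25T00:00:00Z", autoRenew: false, publicTrust: true, ctLogged: true },
  { cn: "old-vendor.example", keyAlg: "ECDSA", keyBits: 256, notAfter: "2025-01-15T00:00:00Z", autoRenew: false, publicTrust: true, ctLogged: true },
  { cn: "legacy.example", keyAlg: "RSA", keyBits: 4096, notAfter: "2025-06-01T00:00:00Z", autoRenew: false, publicTrust: true, ctLogged: false },
  { cn: "svc.internal", keyAlg: "ECDSA", keyBits: 256, notAfter: "2025-03-01T00:00:00Z", autoRenew: true, publicTrust: false, ctLogged: false },
];

for (const row of auditFleet(SAMPLE_FLEET, NOW)) {
  console.log(`${row.cn}: ${row.days}d -> ${row.findings.join(", ")}`);
}
```

The internal mTLS cert produces no CT finding even though it is unlogged, because certificates from a private CA are not expected in public CT logs.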

Why this shape

RFC 8555 (ACME) automates renewal for the 90% of certs that cert-manager handles. RFC 9162 (Certificate Transparency v2) makes every public cert auditable. PCI-DSS v4.0 Req 4.2 mandates strong crypto + cert hygiene. NIST SP 800-131A deprecates SHA-1 and RSA-1024.

How it ships

Single HTML file, ~13KB. Zero dependencies. 22 certs × provider/status filters + per-cert detail in 100 lines of vanilla JavaScript.