What Other Tools Don't Show You

Traditional tools say "valid" or "expired." We compute a composite trust score using Φ (cryptographic evidence strength) × Ψ (time-decay freshness). Click any certificate row to see the full breakdown.

Expiry Isn't Binary

A cert expiring in 7 days on a public API is more urgent than one expiring tomorrow on an internal dev server. Our freshness score (Ψ) factors in time-to-expiry with exponential decay — red badges mean action needed NOW.

Certificate Inventory

Monitored SSL/TLS certificates with Δtomic Trust^TM scores

Total Certs

52

High Trust

31

Medium Trust

12

Low Trust

6

Critical

3

Certificate	Subject	Status	Composite Trust	Φ (Evidence)	Ψ (Freshness)	Expires	Actions

The "Monster Cert" Problem

Certificates with 50+ SANs are a hidden blast radius. If one private key is compromised, the attacker owns ALL those domains. Large red squares = immediate attention needed. Most certificate tools completely ignore SAN sprawl risk.

Revocation Catastrophe Risk

If you need to revoke a 100-SAN certificate, you're pushing a CRL/OCSP update for 100 domains simultaneously. That's 100 potential service disruptions. The heatmap shows which certs would cause the most damage.

How to Read the Heatmap

Size = SAN count (bigger squares have more domains). Color = risk level (red is critical, green is safe). Click any square to see the certificate details.

SAN Risk Analysis

Visualize SAN sprawl and identify "monster certs"

The "Monster Cert" Problem

Certificates with 50+ SANs are a hidden blast radius. If one private key is compromised, the attacker owns all those domains. Large red squares in the heatmap = immediate attention needed. Most certificate tools completely ignore SAN sprawl risk.

Total Certificates

52

Monster Certs (≥50 SANs)

3

High Risk

7

Max SAN Count

127

Top Certificates by SAN Count

Live TLS Observation

Not just certificate inventory — we observe actual TLS handshakes in production. See which cipher suites are negotiated and catch mismatched certificates before they cause outages. The "last seen" column shows real observation timestamps.

TLS 1.0/1.1 = Compliance Failure

PCI-DSS 3.2.1 and most security frameworks require TLS 1.2+. Yellow/red badges instantly show legacy protocol violations. Filter to see only endpoints still negotiating old TLS.

Cipher Suite Intelligence

We track which cipher suite each endpoint actually negotiates, not just what's offered. Spot weak ciphers (RC4, 3DES, CBC) and ensure AEAD ciphers are being used in production.

Live TLS Posture

Not just certificate inventory — we observe actual TLS handshakes in production. See which cipher suites are negotiated, detect TLS 1.0/1.1 stragglers, and catch mismatched certificates before they cause outages. The "last seen" column shows real observation timestamps.

Endpoint Observations

Live TLS endpoint monitoring and certificate discovery

Endpoint	Certificate	TLS Version	Cipher Suite	Last Seen	Status

Compliance-Ready Cryptographic Proof

Each snapshot creates a Merkle tree of your certificate inventory with BLAKE3 hashing. Auditors can verify the exact state of your PKI at any point in time — tamper-evident by design. Try it: Click "Create Snapshot" and watch the proof generate.

Point-in-Time Proof

SOC2/PCI-DSS auditors ask: "What was your certificate posture on March 15th?" Instead of scrambling for screenshots, show them the cryptographic snapshot. Each snapshot includes a manifest hash that proves nothing was altered.

Drift Detection (Δ Operator)

Compare any two snapshots to see exactly what changed: new certs, removed certs, renewed certs. The Δ (divergence) operator powers alerts when your PKI drifts from baseline.

Compliance-Ready Proof

Each snapshot creates a Merkle tree of your certificate inventory with BLAKE3 hashing. Auditors can verify the exact state of your PKI at any point in time. Try it: Click "Create Snapshot" and watch the cryptographic proof generate.

Trust Snapshots

Cryptographic snapshots for audit trails and tamper detection

About Snapshots

BLAKE3 Hashing

Fast cryptographic hashes for tamper detection

Merkle Tree

Efficient proof of asset inclusion

JSON Persistence

Snapshots saved to ./snapshots/ for audit

Snapshot History

SBOM-Ready Export

Executive Order 14028 requires Software Bill of Materials. Our CycloneDX export includes certificates as first-class components with trust scores. Drop this into your existing SBOM pipeline — no custom integration needed.

Excel/Sheets Compatible

Need to share with management? The CSV export includes all computed fields: trust scores, days to expiry, SAN count, risk levels. Import directly into your reporting tools.

CI/CD Pipeline Ready

The JSON export matches our API response format exactly. Automate certificate posture checks in your deployment pipeline — fail builds when trust scores drop below threshold.

SBOM-Ready Export

Executive Order 14028 requires Software Bill of Materials. Our CycloneDX export includes certificates as first-class components with trust scores. Drop this into your existing SBOM pipeline — no custom integration needed.

Export Data

Download certificate inventory and trust data

CSV Export

Spreadsheet format

Export all certificates with trust scores, expiration dates, and metadata.

JSON Export

Structured data

Full JSON export with complete certificate details and kernel states.

Markdown Report

Documentation

Generate a formatted markdown report suitable for documentation.

Export Preview

API-First Design

Every feature in this dashboard is powered by the same REST API you can use. Build custom integrations, automate workflows, embed trust scores in your existing tools. Full OpenAPI spec available.

Simple API Key Auth

No OAuth complexity. Just pass your API key in the X-API-Key header. Try the endpoints in the explorer below.

API Explorer

Interactive OpenAPI documentation and testing

API Key: demo-key-123

Response

// Click "Try it out" on any endpoint to see the response

Certificate Inventory

SAN Risk Analysis

Top Certificates by SAN Count

SAN Risk Heatmap

Risk Distribution

Endpoint Observations

Trust Snapshots

About Snapshots

BLAKE3 Hashing

Merkle Tree

JSON Persistence

Snapshot History

Export Data

CSV Export

JSON Export

Markdown Report

Export Preview

API Explorer

Response

Welcome to SSL Trust Governor

Certificate Inventory

SAN Risk Analysis

Top Certificates by SAN Count

SAN Risk Heatmap

Risk Distribution

Endpoint Observations

Trust Snapshots

About Snapshots

BLAKE3 Hashing

Merkle Tree

JSON Persistence

Snapshot History

Export Data

CSV Export

JSON Export

Markdown Report

Export Preview

API Explorer

Response