CertForge discovers every TLS certificate in your environment — including ones your team didn't issue — enforces policy before new certs reach production, and maintains a cryptographic audit trail for every decision.
Certs issued by shadow IT. Certs from acquisitions. Wildcards someone provisioned through a cloud console three years ago. When one expires on a Friday night, it's not a certificate problem — it's an outage.
Your cert inventory lives in spreadsheets, email threads, and the memory of people who've left. CT logs have been recording everything — you just haven't been looking.
Security has a cert policy. Nobody follows it. There's no technical control between "developer wants a wildcard cert" and "wildcard cert is in production."
An auditor asks "who approved this certificate?" You have no idea. The approval happened in Slack, or didn't happen at all. SOC 2 finding incoming.
Three capabilities that work together: find what you have, govern what you allow, prove what you did.
CertForge scans Certificate Transparency logs, actively probes your domains over TLS, and pulls inventory from your existing CAs via connector integrations (DigiCert, Sectigo, internal CAs). Every discovered cert gets a governance status: Tracked (acknowledged), Untracked (found but not reviewed), or Ungoverned (no matching policy).
Discovered certs are automatically evaluated against your Trust Profiles and flagged if they violate policy — wildcard where none is allowed, validity exceeding your maximum, wrong extended key usage.
Domain Trust Profiles define exactly what's allowed: which CA, which domains, wildcard permissions, key requirements, allowed EKU, and maximum validity. Every certificate request — from a developer's certbot, a Kubernetes cert-manager resource, or your CI pipeline — is evaluated against the matching profile before any cert is issued.
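As an added illustration of what evaluating a request against such a profile involves (this is not CertForge's own code; the TrustProfile and CertSummary field layout, the function names, and the two sample certificates are assumptions constructed for the example), the checks the page lists, which CA, which domains, wildcard permission, key requirements, allowed EKU and maximum validity, can be written down in Python using only the standard library:

```python
"""Evaluate a certificate against a Domain Trust Profile.

Constructed example: the schema below is an assumption, not CertForge's.
A real evaluator would fill CertSummary from a parsed X.509 certificate
(issuer, SANs, key, EKU, validity); here the values are typed in by hand.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class TrustProfile:
    name: str
    allowed_issuers: set[str]     # CA connector names permitted for this scope
    domains: set[str]             # apex domains the profile governs
    allow_wildcard: bool
    min_rsa_bits: int
    allowed_ec_curves: set[str]
    allowed_eku: set[str]         # e.g. {"serverAuth"}
    max_validity_days: int


@dataclass
class CertSummary:
    issuer: str
    sans: list[str]
    key_type: str                 # "RSA" or "EC"
    key_param: int | str          # modulus bits for RSA, curve name for EC
    eku: set[str]
    not_before: datetime
    not_after: datetime


def _in_scope(name: str, domains: set[str]) -> bool:
    """True if a SAN is one of the profile's domains or a subdomain of one.
    A wildcard label is stripped first, so *.example.com is in scope for
    example.com but *.example.net is not."""
    host = name[2:] if name.startswith("*.") else name
    return any(host == d or host.endswith("." + d) for d in domains)


def evaluate(cert: CertSummary, profile: TrustProfile) -> list[str]:
    """Return every policy violation found; an empty list means compliant."""
    violations: list[str] = []
    if cert.issuer not in profile.allowed_issuers:
        violations.append(f"issuer {cert.issuer!r} not permitted")
    for san in cert.sans:
        if not _in_scope(san, profile.domains):
            violations.append(f"SAN {san!r} outside profile domains")
        if san.startswith("*.") and not profile.allow_wildcard:
            violations.append(f"wildcard SAN {san!r} not allowed")
    if cert.key_type == "RSA":
        if cert.key_param < profile.min_rsa_bits:
            violations.append(f"RSA key {cert.key_param} bits below minimum")
    elif cert.key_type == "EC":
        if cert.key_param not in profile.allowed_ec_curves:
            violations.append(f"EC curve {cert.key_param!r} not allowed")
    else:
        violations.append(f"unsupported key type {cert.key_type!r}")
    disallowed = cert.eku - profile.allowed_eku
    if disallowed:
        violations.append(f"EKU not allowed: {sorted(disallowed)}")
    validity = cert.not_after - cert.not_before
    if validity > timedelta(days=profile.max_validity_days):
        violations.append(f"validity {validity.days}d exceeds maximum")
    return violations


# Assumed production profile: one CA, one apex domain, no wildcards.
PROD_PROFILE = TrustProfile(
    name="prod-web", allowed_issuers={"DigiCert"}, domains={"example.com"},
    allow_wildcard=False, min_rsa_bits=2048,
    allowed_ec_curves={"secp256r1", "secp384r1"},
    allowed_eku={"serverAuth"}, max_validity_days=398,
)


def demo() -> dict[str, list[str]]:
    """Two constructed certs: a compliant one and a three-year wildcard
    from the wrong CA, covering a second domain, with an extra EKU."""
    t0 = datetime(2024, 1, 1)
    good = CertSummary(issuer="DigiCert", sans=["www.example.com", "api.example.com"],
                       key_type="EC", key_param="secp256r1", eku={"serverAuth"},
                       not_before=t0, not_after=t0 + timedelta(days=365))
    bad = CertSummary(issuer="Sectigo", sans=["*.example.com", "*.example.net"],
                      key_type="RSA", key_param=2048, eku={"serverAuth", "clientAuth"},
                      not_before=t0, not_after=t0 + timedelta(days=1095))
    return {"good": evaluate(good, PROD_PROFILE), "bad": evaluate(bad, PROD_PROFILE)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result or "compliant")
```

The point of returning every violation rather than stopping at the first is that a rejected request then tells the developer everything to fix at once; the same function can run over certificates discovered from CT logs to flag the ones that were issued outside the policy.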
Approval workflows put a human in the loop for production certs. Auto-approve for dev. The policy is enforced either way.
Every issuance, approval, rejection, and renewal is written to a cryptographically hash-chained audit log. Each record's SHA-256 hash covers the record content plus the previous record's hash, so altering any past record, or removing one from the middle of the chain, invalidates every hash after it and the tampering is detectable. As with any hash chain, that detection holds only while a copy of the latest hash exists somewhere the database writer cannot reach; forwarding audit events to a SIEM (see below) gives you that independent copy. Filter by org, event type, actor, or date. Export as CSV or JSON for your GRC tooling. "Who approved this cert?" is answerable in under 30 seconds.
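Here is the chaining mechanism itself as an added example (not CertForge's implementation: the record fields, the canonical JSON encoding, the all-zero genesis value and the sample events are assumptions), including the two tampering cases a verifier has to catch, an edit that leaves the stored hash stale and an edit whose hash was recomputed but whose successor still points at the old value:

```python
"""Hash-chained audit log: each record's SHA-256 covers the record content
plus the previous record's hash, so a change to any earlier record breaks
every link after it.

Constructed example, not CertForge's code. The record layout, canonical
encoding and GENESIS value are assumptions made for the illustration.
"""
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass, asdict

GENESIS = "0" * 64   # assumed prev_hash for the first record in the chain


@dataclass
class AuditRecord:
    seq: int
    event: str        # "issuance", "approval", "rejection", "renewal"
    actor: str
    subject: str      # certificate identifier
    timestamp: str
    prev_hash: str
    hash: str = ""


def _canonical(rec: AuditRecord) -> bytes:
    """Deterministic encoding of everything except the record's own hash.
    Sorted keys and fixed separators matter: re-serialising the same record
    differently would change the digest and falsely flag tampering."""
    body = asdict(rec)
    body.pop("hash")
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _digest(rec: AuditRecord) -> str:
    return hashlib.sha256(_canonical(rec)).hexdigest()


def append(log: list[AuditRecord], event: str, actor: str,
           subject: str, timestamp: str) -> AuditRecord:
    """Link a new record to the current head and compute its hash."""
    prev = log[-1].hash if log else GENESIS
    rec = AuditRecord(len(log), event, actor, subject, timestamp, prev)
    rec.hash = _digest(rec)
    log.append(rec)
    return rec


def verify(log: list[AuditRecord]) -> int | None:
    """Walk the chain; return the seq of the first broken record, or None.
    Two checks per record: its stored hash matches its content, and its
    prev_hash equals the hash of the record before it."""
    expected_prev = GENESIS
    for rec in log:
        if rec.prev_hash != expected_prev or rec.hash != _digest(rec):
            return rec.seq
        expected_prev = rec.hash
    return None


def demo() -> tuple[int | None, int | None, int | None]:
    """Constructed events: intact chain, then two tampering attempts."""
    log: list[AuditRecord] = []
    append(log, "issuance", "cert-manager", "api.example.com", "2024-05-01T10:00:00Z")
    append(log, "approval", "alice", "api.example.com", "2024-05-01T10:05:00Z")
    append(log, "renewal", "cert-manager", "api.example.com", "2024-07-01T10:00:00Z")
    intact = verify(log)
    # Tamper 1: rewrite who approved. The stored hash no longer matches.
    log[1].actor = "mallory"
    edited = verify(log)
    # Tamper 2: recompute the edited record's hash but leave the rest alone.
    # Record 1 now self-verifies, yet record 2's prev_hash is the old value.
    log[1].hash = _digest(log[1])
    relinked = verify(log)
    return intact, edited, relinked


if __name__ == "__main__":
    print(demo())   # (None, 1, 2)
```

What the chain cannot detect on its own is an attacker with write access who recomputes every hash from the edited record to the head, or who simply drops the newest records: both produce a chain that verifies. That is why the head hash (or the whole stream) also needs to live where that attacker cannot write, which is the job the SIEM forwarding described further down does.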
Import your existing cert inventory from DigiCert, Sectigo, or internal CAs. One pane of glass across every CA you use.
Native external issuer for Kubernetes. Your existing Certificate manifests work unchanged — policy is enforced transparently.
Configurable alert rules at 30, 14, and 7 days. Service owners get targeted notifications for their own certs. No more 2am pages.
Four-eyes control for cert issuance. Configurable required approvals, mandatory justification, escalation contacts, and auto-void timeouts.
Group hostnames under named services with owner lists. Service-level coverage tracking and expiry alerts go directly to the right people.
Built-in root and intermediate CA for private domains. No external CA needed for internal PKI. Keys encrypted AES-256-GCM at rest.
SOC 2, ISO 27001, PCI-DSS, and HIPAA framework assignments. Scheduled evidence bundles. Subscribe to CSV reports from your profile.
Forward every audit event to your SIEM via HTTPS webhook or UDP syslog in JSON or CEF. Slack, Teams, and PagerDuty for alerts.
Single Linux binary + PostgreSQL. Full data sovereignty. Air-gap compatible. Annual license. Quick-start in 10 minutes →
Venafi starts at $50,000–$200,000+ per year. CertForge gives your PKI team the same core capabilities — discovery, policy enforcement, approval workflows, cryptographic audit trail — without the enterprise sales cycle.