Skip to content
Braincap

← All products

BrainCert

In production

Certificate lifecycle management

Issues, renews and installs TLS certificates across an estate automatically — by orchestrating public certificate authorities, not by becoming one.

Why BrainCert exists

Nobody has an interesting certificate problem. They have a boring one that happens at 2am on a Sunday, because a certificate nobody owned expired on a system nobody remembered. BrainCert takes the whole lifecycle — request, prove, issue, install, renew — and runs it on a schedule.

It is deliberately not a certificate authority and signs nothing itself. Running your own CA means every browser and every partner has to be told to trust you; orchestrating public authorities means everything already does. The hard problem is not signing certificates. It is keeping hundreds of them alive across dozens of systems, and that is the one this solves.

In operation

What is running today

The precise scope of its use right now — not what it could do.

  • Running in production on Braincap infrastructure
  • Issuing and automatically renewing certificates through public authorities
  • Installing them onto hosting panels and application delivery controllers
  • No external tenants yet

Capabilities

What it does

Renewal you never think about

Certificates renew well ahead of expiry on a daily cycle, with escalating alerts if anything is still outstanding as the date closes in. The failure mode this removes is the only one that matters: nobody noticed.

Validation over DNS, so nothing gets exposed

Domain control is proven by DNS record. The system being certified never has to be reachable from the internet to get a certificate — which is what makes this work for internal systems and wildcards alike.

It installs the certificate too

Issuing is half the job. BrainCert pushes the result onto the systems that terminate TLS and replaces the certificate in place, so existing configuration survives — no re-binding, no downtime, no change window.

More than one authority, behind one interface

Public certificate authorities sit behind a common interface, so moving between them — or using different ones for different purposes — is a configuration change rather than a project.

Two people for the certificates that matter

Ordering and approval are separate roles, so no single account can issue a certificate for critical infrastructure on its own.

Built to be audited

Private material is encrypted at rest and scrubbed from memory after use. Every action lands in an audit trail with no edit or delete path — because the question after an incident is always what happened, and the answer has to be older than the incident.

Roadmap

What comes next

  • Additional certificate authorities behind the same interface

Interested in BrainCert?

Tell us about the problem you are trying to solve — an engineer answers, not a form.