BrainCert
In productionCertificate lifecycle management
Issues, renews and installs TLS certificates across an estate automatically — by orchestrating public certificate authorities, not by becoming one.
Why BrainCert exists
Nobody has an interesting certificate problem. They have a boring one that happens at 2am on a Sunday, because a certificate nobody owned expired on a system nobody remembered. BrainCert takes the whole lifecycle — request, prove, issue, install, renew — and runs it on a schedule.
It is deliberately not a certificate authority and signs nothing itself. Running your own CA means every browser and every partner has to be told to trust you; orchestrating public authorities means everything already does. The hard problem is not signing certificates. It is keeping hundreds of them alive across dozens of systems, and that is the one this solves.
In operation
What is running today
The precise scope of its use right now — not what it could do.
- Running in production on Braincap infrastructure
- Issuing and automatically renewing certificates through public authorities
- Installing them onto hosting panels and application delivery controllers
- No external tenants yet
Capabilities
What it does
Renewal you never think about
Certificates renew well ahead of expiry on a daily cycle, with escalating alerts if anything is still outstanding as the date closes in. The failure mode this removes is the only one that matters: nobody noticed.
Validation over DNS, so nothing gets exposed
Domain control is proven by DNS record. The system being certified never has to be reachable from the internet to get a certificate — which is what makes this work for internal systems and wildcards alike.
It installs the certificate too
Issuing is half the job. BrainCert pushes the result onto the systems that terminate TLS and replaces the certificate in place, so existing configuration survives — no re-binding, no downtime, no change window.
More than one authority, behind one interface
Public certificate authorities sit behind a common interface, so moving between them — or using different ones for different purposes — is a configuration change rather than a project.
Two people for the certificates that matter
Ordering and approval are separate roles, so no single account can issue a certificate for critical infrastructure on its own.
Built to be audited
Private material is encrypted at rest and scrubbed from memory after use. Every action lands in an audit trail with no edit or delete path — because the question after an incident is always what happened, and the answer has to be older than the incident.
Roadmap
What comes next
- Additional certificate authorities behind the same interface
Interested in BrainCert?
Tell us about the problem you are trying to solve — an engineer answers, not a form.