Wildcard vs SAN Certificates: A Decision Guide for Engineers Who've Been Burned by Both
nine in certpulse.hashnode.dev · May 10 · 11 min read
Most teams pick a wildcard certificate the same way they pick coffee: whatever the team running the infrastructure happened to grab first. Then someone leaks the key, and you discover that one .pem file was authoritative for 200 subdomains, including...
SC-081v3 and the End of the One-Year Certificate: A Field Guide to the 2026-2029 Lifetime Reductions
nine in certpulse.hashnode.dev · May 8 · 11 min read
SC-081v3 is the CA/Browser Forum ballot that staged a phased reduction of public TLS certificate lifetimes from 398 days down to 47 days between March 2026 and March 2029. Apple proposed it. The CAs voted against it. It passed anyway, and it's alread...
The Certificate Inheritance Problem: Taking Over a Cert Inventory You Didn't Build
nine in certpulse.hashnode.dev · May 6 · 10 min read
Inheriting a certificate inventory is rarely the clean handover anyone promises. You get a half-maintained spreadsheet, a Slack thread from 2022, and someone saying "I think Marcus used to handle the F5 stuff." Within a week you'll discover three cer...
How We Cut CertPulse's Scan Time From 47 Minutes to 90 Seconds: A Concurrency Postmortem
nine in certpulse.hashnode.dev · May 4 · 10 min read
CertPulse cut TLS certificate scan time from 47 minutes to 90 seconds across an 1,800-certificate fleet spanning AWS, Azure, and GCP. The single biggest win was not concurrency. It was connection reuse plus DNS caching plus bounded worker pools, in t...
mTLS in Production: A Hands-On Guide to Service-to-Service Authentication Without the Footguns
nine in certpulse.hashnode.dev · May 2 · 10 min read
Mutual TLS (mTLS) authenticates both sides of a service-to-service connection using cryptographic certificates, blocking lateral movement and service impersonation inside your network. After being on-call for NTP-drifted VMs rejecting handshakes at 3...