undefined | Better HN

0 pointschucksta11mo ago0 comments

How does it monitor a cert in an air-gap network?

0 comments

3 comments · 2 top-level

M95D11mo ago· 1 in thread

Why would an air-gapped network need public certs? Or how would they update them except manually? Then why would they automate the monitoring?

Just issue them locally (within the airgapped network) and keep track of them based on issue date.

ignaciovdk11mo ago

That’s a fair question, and in theory, yes, you could manually track internal certs based on issue date.

But in practice, large or long-running environments rarely have clean cert inventories. You get:

- Internal CA sprawl (and no single source of truth)

Certs embedded in keystores, containers, or staging systems that nobody owns anymore

- “Temporary” certs that live on for years - People leaving without handing off cert responsibilities

We’re not automating monitoring because it’s hard, we’re doing it because teams forget.

And forgetting is what causes outages, broken mTLS, and failed compliance audits, even in air-gapped setups. I have a few horror story on PCI environments.

Automation helps catch the edge cases before they become fire drills.

ignaciovdk11mo ago

We're building a lightweight collector (RTCollector) you can run inside the air-gapped environment. It can read from local cert stores (JKS, PKCS#12, PEM, etc.), extract metadata like expiration date and fingerprint (no private keys or cert contents), and send it out securely when outbound connectivity is available.

We already have an api endpoint in place, so you can push data using Python, Bash, curl, or anything else that fits your workflow. No agent required, just a simple POST.

j / k navigate · click thread line to collapse