SSLBoard as a KeyChest alternative
KeyChest spent years doing certificate expiry management the sensible way: you typed in a domain, it found the subdomains, and from then on it sent you weekly email reports and a twelve-month expiry planner. For a lot of teams, that weekly digest was the whole workflow. Set it up once, skim the report on Monday, renew whatever was coming up.
That workflow ended in February 2026, when KeyChest ceased operations. If you relied on it, you now need a replacement. And since you’re switching anyway, it’s worth asking whether expiry dates were ever the whole picture. SSLBoard covers the expiry side and audits the TLS configuration behind it.
What is KeyChest?
KeyChest was a certificate expiry monitoring service at keychest.net, started as a side project in 2017 and built up over the following years. Its pitch was “all expiry information in one place”: you enrolled a domain, KeyChest discovered subdomains and audited any servers named in your certificates, and the results landed in a dashboard with incident reports, expiry dates, and a 12-month renewal planner. Weekly email reports were the main interface. KeyChest’s own user survey found that 7 out of 10 users just set it up and read the weekly emails.
It also offered spot checks for quick HTTPS validation and an API. Personal use was free for up to 100 endpoints, which made it popular with homelab users and small teams running Let’s Encrypt.
None of that is available anymore. The keychest.net homepage now carries a shutdown notice: “KeyChest has officially ceased its operations as of 14 Feb, 2026.” An open source version of the scanner still exists on GitHub, but the hosted service is gone.
Where KeyChest falls short
The obvious problem is that it no longer exists. You can’t sign up, and existing dashboards and weekly reports have stopped. Anyone still pointing runbooks or bookmarks at KeyChest has a monitoring gap right now.
But even when it was running, KeyChest had the same blind spots as most expiry-focused tools.
Expiration was the whole product. KeyChest tracked when certificates would expire and whether renewals landed. It didn’t audit TLS configuration. A server could sit green in the KeyChest planner while still accepting TLS 1.0, negotiating RC4 or 3DES, or running without forward secrecy.
No DNSSEC or CAA checks. KeyChest didn’t look at your DNS security. Whether DNSSEC was configured, or whether CAA records restricted which CAs could issue for your domain, was outside its scope.
No posture scoring. You got a list of endpoints and their expiry dates. There was no aggregate assessment of TLS health, nothing you could point to when someone asked how your TLS actually looked.
Account required. Like most monitoring services, KeyChest needed a signup and a managed list of domains. There was no quick one-off scan for a domain you don’t control.
Your data lived in their dashboard. When the service wound down, so did access to its reports. If the shutdown burned you, that’s a fair reason to prefer a tool where a single scan produces a complete, exportable report you keep.
How SSLBoard is different
SSLBoard audits your entire public TLS surface, not just certificate expiration.
You type a domain and we discover hostnames via Certificate Transparency logs and DNS enumeration, then perform active TLS handshakes against every resolved IP. The report covers certificates (expiration timelines, issuer distribution, key types and sizes), so the expiry visibility KeyChest gave you is still there. On top of that, it covers TLS protocol versions and flags any endpoint still accepting 1.0 or 1.1, with associated CVEs. It maps cipher suites to the hosts that accept them: 3DES, RC4, EXPORT, NULL, and CBC-mode weaknesses. It checks forward secrecy, analyzes RSA vs. ECC key distribution, evaluates HTTP security headers like HSTS, verifies DNSSEC and CAA records, and detects post-quantum key exchange support.
The findings produce a weighted posture score broken down by category. You can track improvement over time or compare across domains. Every report is shareable via a link, with CSV, Markdown, and JSON exports.
You don’t need an account, and you don’t need to manage a list of domains in a dashboard. Type a domain, wait a few minutes, and you have a full TLS posture report.
When to use KeyChest vs. SSLBoard
There’s no fair fight here anymore: KeyChest shut down, so it isn’t an option. If what you miss is the recurring renewal reminder, SSLCalendar is the closest replacement for that specific habit. Enter a domain and email address, subscribe to an ICS feed in Google Calendar, Outlook, or Apple Calendar, and expiry dates show up where you already look.
SSLBoard is the better fit when you want more than the weekly expiry digest ever gave you. Before a compliance review, after a certificate rotation, when evaluating a vendor, or any time someone asks “how does our TLS look?” and you need specifics on protocols, ciphers, key strength, and DNS security.
Getting started
Go to sslboard.com, type your domain, and wait a few minutes. Your first scan is always free, with the full report including score, findings, and per-host breakdowns. No account required.