KrakenKey is live with free and paid plans. Issue your first TLS certificate in minutes.

Pricing

Free tier includes full ACME automation. Paid plans add higher limits, auto-renewal, and team access.

Free

Full ACME automation, no credit card

$0
  • 3 domains, 10 active certificates
  • ACME automation via Let's Encrypt
  • In-browser CSR generator
  • DNS-01 challenge via Cloudflare
  • REST API & web dashboard
  • 3 monitored endpoints (connected probes)

No credit card required

Get Started Free
Popular

Starter

More domains, auto-renewal, alerts

$29/mo
  • 10 domains, 75 active certificates
  • 30-day auto-renewal window
  • Certificate expiry notifications
  • Double API rate limits
  • 10 endpoints, 2 hosted probe regions
  • Everything in Free
Upgrade to Starter

Team

Multi-user access with role-based control

$79/mo
  • 25 domains, 375 active certificates
  • Organizations with RBAC
  • Invite team members (owner, admin, member, viewer)
  • Higher rate limits (300 reads/min)
  • 50 endpoints, 5 hosted regions, 5-min scans
  • Everything in Starter
Upgrade to Team

Frequently asked questions

What does KrakenKey do?

KrakenKey automates TLS certificate lifecycle management — issuance, renewal, monitoring, and revocation. Issue certificates via Let's Encrypt in ~4 minutes through the dashboard, REST API, or CLI. Monitor your TLS endpoints from distributed probes to catch expiring certs, broken chains, and misconfigurations before they cause outages.

Why are certificate lifetimes getting shorter?

The CA/Browser Forum approved Ballot SC-081v3, which phases TLS certificate maximum lifetimes from 398 days down to 47 days by March 2029. Shorter lifetimes reduce the window of exposure if a key is compromised. This makes automation essential.

How does endpoint monitoring work?

Register any TLS endpoint (host:port) and KrakenKey scans it on a schedule using distributed probes. Each scan performs a real TLS handshake and reports connection health, certificate details, chain validation, and latency. Use our hosted probes for zero-ops monitoring from multiple regions, or run the open-source probe on your own infrastructure for internal services.

How does client-side CSR generation work?

KrakenKey uses the WebCrypto API built into modern browsers to generate your Certificate Signing Request entirely client-side. Your private key is generated in your browser and never leaves your device. Only the CSR (which contains your public key) is sent to our servers.

Is there a REST API and CLI?

Yes. Every action available in the dashboard is also available via REST API and the krakenkey CLI. Issue certificates, manage domains, configure endpoint monitoring, and export scan results — all programmatically. AI agent tool definitions are included for automated workflows.

Do I need a paid plan?

No. The free tier includes ACME automation, certificate issuance, and 3 monitored endpoints with connected probes. Starter ($29/mo) adds 10 endpoints, 2 hosted probe regions, auto-renewal, and expiry alerts. Team ($79/mo) adds 50 endpoints, 5 hosted regions, organizations with RBAC, and 5-minute scan intervals.

Ready to automate your certificates?

KrakenKey automates certificate management so you don't have to.

Get Started Free

Free to use. No credit card required.