Multi-domain CA inventory
Configure each issuing CA you care about. Per-CA: hostname, NTLM domain, default template. Topology-aware (offline-root vs issuing). Validation status surfaces per row.
Discover, monitor, enroll, troubleshoot every cert in a Windows AD CS environment — across multiple domains under one offline root — from a single 19 MB binary that ships zero installer, zero service, zero telemetry. Built because certsrv in a modern browser stopped working and openssl alone doesn't know how to talk to AD CS.
CertGuard ships alongside NetGuard. Same brand spine, same install pattern (single binary), same trust model (air-gap, no telemetry). Run both at once on different ports.
Built to replace certsrv-in-a-browser, openssl-one-liners, and CyberArk's $50K floor — all from one binary.
Drives /certfnsh.asp directly with NTLM + CBT. Fixes the modern-browser empty template dropdown. Bulk submit from CSV, poll pending, download in PEM / PEM+Key / PKCS#7 / PFX.
No installer. No service. No .NET runtime. No Python. UAC manifest auto-elevates on double-click. Self-contained. The .exe's SHA-256 is your SWAB artifact.
CAPF · WebServer · DC · CodeSigning · IPsec · User · EFS · OCSP · Smartcard · IoT TLS Client · Apache/nginx. One click to build a CSR with the right EKU / KU bits / name flags.
"401 from /certfnsh.asp on an existing template"? CertGuard queries pKIEnrollmentService objects and tells you exactly which CA publishes which template — with a runbook to fix it.
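The template-to-CA check behind that runbook, as an added example (not CertGuard's own code): each issuing CA has a pKIEnrollmentService object whose certificateTemplates attribute lists what it publishes, so a "401" on a template the target CA never published is a publishing problem, not a credentials problem. The LDAP results are constructed dicts so it runs offline; the ".local" suffix in the Base DN fallback is an assumption.

```python
"""Offline model of the pKIEnrollmentService triage. In a live run the
entries come from the Enrollment Services container (attribute names below
are the real AD ones; the values are constructed for this example)."""


def base_dn_from_ntlm_domain(netbios: str, suffix: str = "local") -> str:
    """Last-ditch Base DN guess (NMC -> DC=nmc,DC=local); the DNS suffix is an
    assumption, so prefer RootDSE defaultNamingContext when it is available."""
    return f"DC={netbios.lower()},DC={suffix}"


def enrollment_services_dn(base_dn: str) -> str:
    """Container holding one pKIEnrollmentService object per issuing CA."""
    return ("CN=Enrollment Services,CN=Public Key Services,CN=Services,"
            f"CN=Configuration,{base_dn}")


def template_publishers(services):
    """Invert certificateTemplates: template name -> CAs that publish it."""
    out = {}
    for svc in services:
        for tpl in svc.get("certificateTemplates", []):
            out.setdefault(tpl, []).append(svc["cn"])
    return out


def diagnose_401(ca_cn: str, template: str, services) -> dict:
    """Split a 401 into: no such CA object, template unpublished on that CA,
    or a genuine credentials / channel-binding failure."""
    by_cn = {s["cn"]: s for s in services}
    pubs = template_publishers(services).get(template, [])
    if ca_cn not in by_cn:
        return {"cause": "no-enrollment-service", "published_by": pubs, "fix": None}
    if ca_cn in pubs:
        return {"cause": "credentials-or-cbt", "published_by": pubs, "fix": None}
    host = by_cn[ca_cn]["dNSHostName"]
    # Runbook line: publish the template on the CA the operator is targeting.
    fix = f'certutil -config "{host}\\{ca_cn}" -SetCATemplates +{template}'
    return {"cause": "template-not-published", "published_by": pubs, "fix": fix}


SERVICES = [  # constructed sample: a live CA plus a stale object from a migrated CA
    {"cn": "ICA-NMC", "dNSHostName": "ica-nmc.nmc.local",
     "certificateTemplates": ["WebServer", "Machine", "CAPF"]},
    {"cn": "OLD-CA", "dNSHostName": "old-ca.nmc.local",
     "certificateTemplates": ["WebServer", "IPsec"]},
]
```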
No more openssl one-liners + IIS GUI + browser-into-certsrv round-trips. CertGuard handles the whole CSR-to-PFX-on-target lifecycle.
POST CSR + template to /certsrv/certfnsh.asp with NTLM + CBT. Poll certnew.cer. Handle pending-approval. Bundle chain. PEM / PEM+Key / PKCS#7 / PFX outputs.
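The certfnsh.asp exchange above, as an added example that is not CertGuard's code: build the form body, classify the reply, and derive the certnew.cer poll URL. Stdlib only and no network; the form field names are assumed from the standard certsrv "Submit a certificate request" page, and the sample replies are constructed, not captured.

```python
"""Offline model of the certsrv enrollment round-trip: POST CSR + template to
/certsrv/certfnsh.asp, read back a ReqID, then fetch certnew.cer."""
import re
from urllib.parse import urlencode


def build_certfnsh_form(csr_pem: str, template: str) -> str:
    """URL-encoded body for POST /certsrv/certfnsh.asp (field names assumed
    from the stock certsrv form). CertAttrib carries the template selection."""
    fields = {
        "Mode": "newreq",
        "CertRequest": csr_pem,
        "CertAttrib": f"CertificateTemplate:{template}",
        "FriendlyType": "Saved-Request Certificate",
        "TargetStoreFlags": "0",
        "SaveCert": "yes",
    }
    return urlencode(fields)


_ISSUED = re.compile(r"certnew\.cer\?ReqID=(\d+)")
_PENDING = re.compile(r"Request Id is (\d+)", re.IGNORECASE)


def parse_certfnsh_response(status: int, html: str) -> dict:
    """Classify the certfnsh.asp reply: issued / pending / denied / auth-failed."""
    if status == 401:
        # The page's symptom: before retrying credentials, confirm the target CA
        # really publishes the template in its pKIEnrollmentService object.
        return {"state": "auth-failed", "req_id": None}
    m = _ISSUED.search(html)
    if m:                      # issued page links certnew.cer?ReqID=<n>&Enc=b64
        return {"state": "issued", "req_id": int(m.group(1))}
    m = _PENDING.search(html)
    if m:                      # pending-approval page reports the request id
        return {"state": "pending", "req_id": int(m.group(1))}
    if "denied" in html.lower():
        return {"state": "denied", "req_id": None}
    return {"state": "unknown", "req_id": None}


def certnew_url(base: str, req_id: int, enc: str = "b64") -> str:
    """URL to poll for the issued cert: Enc=b64 gives PEM, Enc=bin gives DER."""
    return f"{base}/certsrv/certnew.cer?ReqID={req_id}&Enc={enc}"


# Constructed sample replies modelled on certsrv wording.
ISSUED_HTML = '<a href="certnew.cer?ReqID=4711&amp;Enc=b64">Base 64 encoded</a>'
PENDING_HTML = "Certificate Pending. Your Request Id is 4712."
```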
Upload a 35-row CSV (hostname + IP + extra SANs). CertGuard kicks off a background job, submits each, saves <cn>.pem + <cn>.key per row to your chosen folder. Live progress page.
Background scanner polls every endpoint every 6h. Buckets by days-to-expire. Notifications: SMTP, Slack, generic webhook. Per-cert throttling so you don't get spammed.
Interactive vis-network graph of your entire PKI. Color-coded by expiration urgency. Click to drill in. Shape inference (DC / ICA / phone / appliance) from hostname pattern.
Classifies every discovered AD cert (KEEP / EXPIRED / SUPERSEDED / RETIRED-ISSUER). Generates PowerShell or LDIF runbook with auto-snapshot. Fully reversible from /rollback.
Add each issuing CA with hostname, NTLM domain, default template. Test Connection validates LDAPS + HTTPS + NTLM+CBT in one click.
LDAPS-mirror every pKICertificateTemplate. See provenance (whenCreated / whenChanged) so retired-CA stragglers are obvious.
Pick CA + template. Generate keypair + CSR in-flight or paste your own. NTLM + CBT auth. Track in Pending Requests.
Download PEM / PEM+Key (separate files for Axis cams / F5 / NetApp) / PKCS#7 / PFX. Filenames pre-set to the host's CN.
Three operator realities for Windows-CA shops.
Microsoft killed ActiveX. The page that powered IT for 15 years now shows an empty dropdown. You're forced to hand-craft CertAttrib strings on the "Submit a saved request" path — losing template-driven automation entirely.
Generating 35 keypairs, building 35 CSRs, clicking through /certsrv 35 times, organizing 70 files. Five hours of click-work that has to happen every two years.
You migrated CAs last quarter. The old pKIEnrollmentService object never got cleaned up. AD still lists templates the new CA doesn't publish. Every submission returns "401 - invalid credentials" — even for Domain Admins.
certutil -SetCATemplates +X runbook to fix it.
Drop the binary on disk. UAC self-elevates. Add a CA, discover templates, submit a CSR. First issued cert in five minutes flat.
Self-contained ~19 MB. UAC manifest embedded so double-click auto-elevates on STIG'd boxes.
Download certguard-0.1-windows-x64.zip.
certguard-0.1-windows-x64.exe → Properties → tick Unblock → OK.
Open 127.0.0.1:9988 in a browser.
Comparison: honest feature-by-feature: where CertGuard wins (air-gap, single binary, 10% of TCO) and where CyberArk is still the right tool (HSM, K8s, MSP).
One-pager: print-ready single page for SWAB submission and budget-approval conversations. Pricing tiers, security posture, deployment footprint.
Guide: end-to-end walkthrough including AppLocker / SmartScreen notes for STIG'd boxes and the bulk CSV workflow for fleet enrollment.
ICA-NMC on NMC\admin and ICA-IESS on IESS\admin side by side in the same CertGuard install.
cert.pem + cert.key separately.
Base DN is auto-detected three ways: ldap3 Server.info (works on most), a raw RootDSE search with check_names=False (handles ldap3 schema-validation rejection), and a last-ditch derivation from the NTLM domain (NMC → DC=nmc,DC=local). If all three fail, type the Base DN explicitly in the form.