DEV Community

WRVault


Managing TLS certificates and JWT keys is still a mess in 2026 — so I built a tool

Not my finest moment, but I was the person who let a prod cert expire because the renewal reminder was buried in an email thread from six months ago. One nginx 502, one very unhappy on-call rotation, and a genuinely embarrassing post-mortem.

The fix took about 20 minutes. The conversation about "why don't we have a proper process for this" took two hours and went nowhere. The answer was always some variation of "we'll automate it eventually" or "just use Vault" — as if standing up HashiCorp Vault is something you do on a Tuesday afternoon.

That stuck with me. Not because certificate management is particularly hard, but because the gap between "I have a cron job and a wiki page" and "I have actual infrastructure" is enormous, and nobody's really filled it for smaller teams.

So I built WRVault. Took about two months working evenings and weekends.

What it actually does

The core of it is managing two things that are more related than people treat them: mTLS certificates and JWT signing keys. Both expire. Both need to be distributed somewhere. Both break things silently when you forget about them.

For certs you get generation (PEM, DER, PKCS#12), configurable expiry alerts over Slack or Discord or email, and auto-rotation. For JWT keys you get RSA/ECDSA key pairs with a live JWKS endpoint — so your consumers hit a URL instead of you manually pushing a new public key every time you rotate.

There's a REST API and a GitHub Actions step (wrvault-action@v1) if you want to pull certs or keys in CI without thinking about it.

That's mostly it. I deliberately didn't try to build the next Vault. The scope is narrow on purpose.

The free tools

While I was building, I kept hitting the same annoyance: needing to quickly inspect a JWT or decode a CSR, opening some sketchy website, and pasting in something I probably shouldn't be pasting into a random server.

I ended up adding a set of tools that run entirely client-side — Web Crypto API, no backend calls, nothing leaves the browser. Partly because they're useful, partly because I wanted SEO surface area, I'll be honest about that.

The ones I actually use day to day:

  • JWT Decoder — paste a token, see the header and payload. I know you can do this with atob in the console but this is faster.
  • CSR Decoder — shows subject, key type, SANs. Useful when you're handed a CSR and need to verify it before signing.
  • Cert Chain Validator — paste your leaf + intermediates + root, tells you if the ordering is wrong. This one's saved me twice already.
  • PEM ↔ JWK converter — does what it says, handles RSA and EC, also extracts the public key from an X.509 cert if you need the JWK for a JWKS endpoint.

Full list is here if you want the rest (UUID generator, AES encrypt/decrypt, hash generator, JWE, Base64).

Where it's at

It's live, it's in production, I'm using it myself. Free tier exists. Pro is $3.99/month if you want more than the basics.

I'm not going to pretend it's for everyone — if you're already running Vault or your cloud provider handles all of this, you probably don't need it. But if you're a small team and your current cert management is "one person who knows where the files are," it might be worth a look.

Curious if anyone else has a setup they're happy with for this, or if the 3am cert expiry story is as universal as I suspect it is.
