Certificate & TLS Hygiene Service

Avoid the quiet panic of an expired certificate.
We review, renew, and validate every live certificate across your platforms — safely, consistently, and out of hours.

Why teams use this

Certificates tend to renew in the background until one slips through the cracks.
Typical causes include:

• Renewals spread across several systems (F5, IIS, ALB, App Gateway, NGINX)
• Health monitors that never quite match the application they serve
• Forgotten device or intermediate certificates
• A lack of clear reporting on what expires when

Our evening and early-morning windows bring calm order to this, ensuring that every endpoint is healthy and every certificate current — with evidence to show it.

What you can expect

• No unexpected expiries — every active certificate checked and renewed where required
• Standardised health checks — consistent paths, intervals, and thresholds
• Evidence as standard — expiry reports, command output, and screenshots
• Rollback prepared — previous certificates kept ready for safety
• Discreet delivery — 07:00–09:00 or 18:00–21:00, Tuesday to Friday
• Partner-friendly — documentation and ledgers suitable for MSP re-use

Typical work we handle

Discovery & Audit
A full review of active certificates, issuers, and expiry dates across load balancers, web servers, and cloud gateways.

Renewal & Import
Request or retrieve updated certificates from your CA or Key Vault and confirm validity before use.

Binding Updates
Apply renewed certificates to endpoints with zero downtime and clear rollback notes.

Monitor Alignment
Bring health monitors back to a common, predictable standard.

Evidence & Reporting
Attach proof for every change — thumbprints, chain checks, screenshots, and test results.

Each task follows a short, version-controlled runbook.

Governance

• Pre-agreed safe-change catalogue and work-unit sizing
• Each change includes what / where / proof / rollback / owner sign-off
• Evidence stored in your own systems — CygnusTech keeps no client data
• Simple client-owned evidence ledger maintained during the engagement
• CAB-ready runbooks and short change summaries provided for governance submission
• Delivered as a defined service with clear, auditable proof

Results that matter

• No certificates nearing expiry
• Consistent green health checks across services
• Clear, dated evidence for audit or compliance
• Fewer last-minute renewals and fewer avoidable outages

How it works

1. Agree scope and access. One named contact on your side.
2. Prepare the board. We highlight expiring or non-standard items ready for action.
3. Deliver in window. Renewal and validation during agreed out-of-hours sessions.
4. Close cleanly. Evidence stored in your systems; a brief summary issued.

This is planned, low-stress maintenance — not an emergency service.

Systems and environments we support

We work comfortably across enterprise and cloud platforms, including:

F5 BIG-IP (LTM/GTM) · FortiADC · Kemp LoadMaster · HAProxy · Azure Application Gateway · AWS ALB/NLB
IIS (Windows Server 2016–2025) · NGINX · Apache
Azure Key Vault · AWS Certificate Manager · Sectigo · DigiCert · Let’s Encrypt
Windows Server · RHEL 8–9

…and other current certificate and load-balancing stacks.

Pricing (guide)

We price by outcome, not by hours. A straightforward structure keeps everything predictable:

• Pilot engagement — a short, clearly-defined batch to demonstrate the approach
• Standard engagement — a small series of evening or morning windows to cover a defined list
• Partner retainer — a regular allowance for MSPs to maintain certificate hygiene across clients

Pricing typically begins at £1,250 for a pilot and £3,000 for a standard tranche - clear, fixed, and scoped to outcomes.

At a glance

Next step

Share a small set of endpoints or a recent renewal challenge,
and we’ll suggest a short, low-risk window to bring them back under control —
with clear proof, tidy rollback, and smoother renewals next time.