KORTHEXkorthex.flowence.cc

Crypto Vulnerability Scanner / TLS + PKI

TLS Certificate Audit Tool, On-Premise

Korthex audits TLS and PKI material where cloud scanners cannot reach: certificates, keys and TLS configurations inside repositories, containers and internal infrastructure. It flags weak signature algorithms (SHA-1, MD5), legacy key sizes (RSA below 2048, ECC below 256), expired and near-expiry certificates, and insecure protocol and cipher-suite configuration. 100% on-premise.

Why TLS auditing has to run on-premise

Public endpoint scanners only see what is exposed to the internet. Internal PKI, mTLS between services, admin planes and air-gapped estates stay dark, and that is where legacy certificates accumulate. The certificates and TLS configuration inside your repositories and containers are the source of truth before anything is deployed; auditing them means auditing the future state, not yesterday's snapshot.

What the audit covers

  • Signature algorithms: certificates signed with SHA-1 or MD5
  • Key sizes: RSA below 2048 bit, elliptic curves below 256 bit
  • Validity: expired and near-expiry certificates, before they page you
  • TLS configuration in code and infrastructure files: weak protocol versions, weak cipher suites, disabled verification
  • Cipher-suite analysis mapped to BSI TR-02102-2 and PCI-DSS requirement 4.2.1
  • Quantum exposure: key exchange and signatures bucketed against FIPS 203 / 204, because certificates are on every PQC migration path

Cross-engine context instead of a flat list

A weak certificate is worse when reachable code actually uses it. Korthex correlates TLS findings with the code, configuration, database and git-history engines into one reachability-scored chain, and git history surfaces keys and certificates that were committed once and later removed, which still means they leaked.

Frequently asked questions

Does Korthex probe live endpoints?

Korthex audits certificates, keys and TLS configuration in repositories, containers and infrastructure files, fully on-premise. For public internet-facing endpoint checks, pair it with an endpoint scanner; for everything internal or pre-deployment, Korthex is the audit.

Can it catch certificates before they expire?

Yes. Expired and near-expiry certificates are findings, and because the scan runs in CI, expiry shows up in a pull request or scheduled run instead of an outage.

What about post-quantum TLS?

Quantum-vulnerable key exchange and signatures are bucketed per finding against ML-KEM (FIPS 203) and ML-DSA (FIPS 204), with the migration plan ordering certificate and configuration changes.

Does it work air-gapped?

Yes. 100% on-premise including air-gapped operation; nothing about your PKI leaves your infrastructure.

Which compliance mappings apply?

BSI TR-02102-2 for TLS configuration, PCI-DSS 4.2.1 for data in transit, NIST FIPS 140-3 approved-algorithm lists, and ISO 27001 A.8.24, attached per finding in the CBOM.