X509 Anywhere From Your Pocket.

No more installing certificates on every machine. Your x509 cert stays safely on your phone while you authenticate to any server, service, or device with just a tap.

The Future of Certificate Management

All the power of mTLS, none of the hassle. Secure, simple, and built for modern teams.

Phishing-Resistant by Design

Private keys never leave your phone's Secure Enclave, protected by biometrics. This fundamentally breaks common attack vectors for credential theft.

How it Works

1Install proxy & get cert on phone.

2Run command (e.g., `ssh server`).

3Tap 'Approve' on your phone.

Zero-Hassle

Stop copying certificates to every laptop, server, or container. Authenticate from anywhere.

Universal Compatibility

Our lightweight proxy integrates seamlessly with your existing tools: SSH, `kubectl`, `curl`, web browsers, and anything that supports mTLS.

Integrates With Your Workflow

Replace cumbersome secret management and password prompts with a single, secure tap.

Passwordless SSH

Configure your SSH client to use the 1cert proxy. Now, `ssh` commands trigger a prompt on your phone instead of asking for a key password.

# ~/.ssh/config
Host *.prod.mycorp.com
  ProxyCommand 1cert-proxy ssh --host %h %p
  IdentityAgent none

Secure `kubectl`

Point your kubeconfig to 1cert to authenticate your `kubectl` commands. Great for managing short-lived certificates for cluster access.

# ~/.kube/config
users:
- name: developer
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: 1cert-proxy
      args:
      - kube

Internal Web Apps & VPNs

Set up the 1cert proxy for your browser. Access internal tools protected by mTLS without installing certificates in your system keychain.

# No code, just seamless browser-based authentication.
# Access Grafana, Jenkins, internal portals, and more.

Frequently Asked Questions

Your certificates can be easily revoked from your 1cert dashboard. Since the private keys never leave your phone, a lost device does not mean a compromised key. You can then provision a new certificate on your new device.

No. Unlinke current solutions that use short lived certs that require the server to accept a signature by a 3rd party CA, only the client (the user who need to authenticate) needs to have 1cert's lightweight daemon installed.

Yes. This is directly related to the previous question. 1cert works with any existing X.509 client certificate (.p12, .pfx files). Whether it's your government-issued certificate for tax portals, corporate certificates for internal systems, or banking certificates—just import them into the 1cert app and start using them securely.

Traditional certificate files stored on a developer's laptop can be stolen by malware. With 1cert, the private key is stored inside your phone's Secure Enclave or hardware-backed keystore. It can't be exported or accessed by the OS, making it dramatically more secure and phishing-resistant.

The 1cert mobile app will be available for both iOS and Android. The client-side proxy tool is a cross-platform binary that runs on macOS, Windows, and Linux.