Commonly asked questions about our enterprise certificate monitoring and discovery tool
CertAlert is our enterprise-grade certificate management solution that offers a comprehensive set of features, including:
CertAlert is compatible with all versions of Windows, starting from Windows 10 and Windows Server 2016 onwards. We are currently developing a Linux version of CertAlert. If you're interested in testing this version, please contact our team.
Yes, CertAlert is a comprehensive Certificate Expiry Monitor. It continuously tracks SSL certificates deployed across your networks and sends timely expiration notifications to designated recipients, ensuring certificates can be renewed before they impact your services.
Absolutely. CertAlert functions as a powerful Certificate Discovery Tool. It systematically scans your networks based on specified IP ranges (or a hosts file) and port ranges to locate all deployed SSL certificates. The scan results are compiled into detailed reports that help identify potential issues such as weak algorithms, inadequate key lengths, or unknown certificate authorities.
Indeed, CertAlert serves as a comprehensive Certificate Audit Tool. It thoroughly scans your networks for SSL certificates and generates detailed reports that help identify potential compliance issues within your certificate inventory, ensuring your digital infrastructure meets security best practices and industry standards.
CertAlert is designed for easy deployment and use. Visit our Getting Started page for a step-by-step guide on downloading and running CertAlert for the first time.
Absolutely! We value customer input in our product development. If you have suggestions that would enhance CertAlert for your organization, please share them with us at [email protected].
Yes, you can optimize scan performance by adjusting the number of concurrent outgoing connection attempts. This is controlled by the Connections configuration value, which defaults to 256 as shown below:
<add key="Connections" value="256"/>
Yes, CertAlert will attempt to connect to all endpoints you specify, regardless of the underlying platform. This includes Windows, macOS, Linux, Unix, and various network devices. CertAlert's platform-agnostic scanning ensures complete certificate discovery across heterogeneous enterprise environments.
Yes, you can customize the advance notification period for certificate expiration by setting the WarningInterval configuration value. By default, it is set to 90 days as shown below:
<add key="WarningInterval" value="90" />
Yes, CertAlert supports checking SSL certificates used with STARTTLS SMTP.
The default STARTTLS ports checked are 25 and 587. You can customize this via the SmtpStartTlsPorts configuration option:
<add key="SmtpStartTlsPorts" value="25,587"/>
CertAlert allows you to customize which events trigger alerts. The available options are:
To specify which events should trigger alerts, adjust the EmailAlerts configuration setting:
<add key="EmailAlerts" value="EXPIRED,EXPIRING" />
CertAlert lets you customize which certificate conditions appear in your reports:
Configure this by setting the ReportConditions value. The example below will only include expiring and expired certificates in reports:
<add key="ReportConditions" value="EXPIRED,EXPIRING" />
CertAlert supports both nmap-style (e.g., 178.125.139.1-162) and CIDR notation (e.g., 192.168.0.0/24) for IP ranges.
To use IP ranges, set UseIPRanges to true and specify the ranges with the IPRanges setting:
<add key="UseIPRanges" value="true" />
<add key="IPRanges" value="192.168.1.1-2,192.168.2.1-2,192.168.0.0/24" />
CertAlert allows you to specify which TCP ports to check during scans. You can list individual ports and port ranges using the Ports configuration setting. For reference on common SSL ports, see our Common SSL ports article.
<add key="Ports" value="443,444,1-65,44000,45000-45500" />
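An added example, not part of CertAlert or its documentation: a Python script that expands the IPRanges and Ports values shown above to report how many hosts, ports and connection attempts a configuration implies before a scan is scheduled. The `<appSettings>` wrapper, counting every address in a CIDR block, and accepting a range in any octet are assumptions about how CertAlert reads these values.

```python
import ipaddress
import itertools
import xml.etree.ElementTree as ET

# Constructed sample: settings quoted on this page, wrapped in an
# <appSettings> element (the wrapper is an assumption).
SAMPLE_CONFIG = """<appSettings>
  <add key="UseIPRanges" value="true" />
  <add key="IPRanges" value="192.168.1.1-2,192.168.2.1-2,192.168.0.0/24" />
  <add key="Ports" value="443,444,1-65,44000,45000-45500" />
</appSettings>"""

def _span(token, low, high):
    """Parse 'n' or 'a-b' into an inclusive range within [low, high]."""
    first, _, last = token.strip().partition("-")
    a, b = int(first), int(last or first)
    if not low <= a <= b <= high:
        raise ValueError(f"bad range {token!r}")
    return range(a, b + 1)

def expand_hosts(ip_ranges):
    """Expand CIDR and nmap-style entries into a de-duplicated set of addresses."""
    hosts = set()
    for entry in filter(None, (e.strip() for e in ip_ranges.split(","))):
        if "/" in entry:
            # Assumption: every address in the block is probed,
            # including the network and broadcast addresses.
            hosts.update(ipaddress.ip_network(entry, strict=False))
            continue
        octets = entry.split(".")
        if len(octets) != 4:
            raise ValueError(f"bad address {entry!r}")
        # Assumption: a range may appear in any octet, as in nmap.
        for combo in itertools.product(*(_span(o, 0, 255) for o in octets)):
            hosts.add(ipaddress.IPv4Address(".".join(map(str, combo))))
    return hosts

def expand_ports(ports):
    """Expand a Ports value such as '443,1-65' into a set of TCP ports."""
    tokens = filter(None, (t.strip() for t in ports.split(",")))
    return {p for tok in tokens for p in _span(tok, 1, 65535)}

def scan_scope(xml_text):
    """Return (hosts, ports, connection attempts) for a config fragment."""
    cfg = {e.get("key"): e.get("value") for e in ET.fromstring(xml_text).iter("add")}
    hosts, ports = expand_hosts(cfg["IPRanges"]), expand_ports(cfg["Ports"])
    return len(hosts), len(ports), len(hosts) * len(ports)

print(scan_scope(SAMPLE_CONFIG))
```

Comparing the resulting host set against an asset inventory shows which subnets the scan will not reach, and the attempt count gives a sense of scan size relative to the Connections setting.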
To disable the license acceptance prompt, especially useful for automated deployments, use the command line argument i_accept_the_licence:
CertAlert i_accept_the_licence
CertAlert can be easily scheduled using Windows Task Scheduler. Here's how to set it up:
To test the task, select it, right-click and choose "Run".
To include PEM-formatted certificates in your reports, enable the PemCertCol setting in the configuration file:
<add key="PemCertCol" value="true"/>
CertAlert allows you to customize which fields appear in your CSV reports. Set any field to "true" to include it or "false" to exclude it. Here are the default settings:
<add key="HostCol" value="true"/>
<add key="IpAddressCol" value="true"/>
<add key="PortCol" value="true"/>
<add key="CommonNameCol" value="true"/>
<add key="IssuerOrgCol" value="true"/>
<add key="IssuerCol" value="false"/>
<add key="SubjectCol" value="false"/>
<add key="SigAlgCol" value="true"/>
<add key="KeySizeCol" value="true"/>
<add key="SerialNumberCol" value="true"/>
<add key="SelfSignedCol" value="true"/>
<add key="VerifiedCol" value="true"/>
<add key="SubAltNamesCol" value="true"/>
<add key="Sha1FingerprintCol" value="true"/>
<add key="NotBeforeCol" value="true"/>
<add key="NotAfterCol" value="true"/>
<add key="DaysTillExpiryCol" value="true"/>
<add key="ExpiryStatusCol" value="true"/>
<add key="PemCertCol" value="false"/>
<add key="ErrorInfoCol" value="true"/>
Yes, CertAlert fully supports Server Name Indication (SNI), allowing it to correctly identify certificates on servers that host multiple websites with different SSL certificates. You can verify this by scanning an SNI-enabled site such as https://bob.sni.velox.ch.
When an SNI-supporting client connects to this site, it returns a certificate with the common name bob.sni.velox.ch. Clients without SNI support receive a certificate for alice.sni.velox.ch instead.
We recommend Notepad++ for editing the CertAlert.dll.config file. It offers a user-friendly interface and XML syntax highlighting. To enable syntax highlighting, select 'Language' from the menu and choose 'XML'.
Several options are available for viewing CertAlert's CSV reports:
For Linux/Cygwin users, the column -t command in a terminal window is also an effective option.
We are ready to help with any additional questions.