CertAlert FAQ

Frequently asked questions about CertAlert — cross-platform certificate monitoring for Windows, Linux, and macOS

Questions? Contact us at [email protected]

What Is CertAlert?

CertAlert discovers, validates, and monitors TLS/SSL certificates across servers, services, and networks. It helps teams detect expiry, misconfiguration, validation failures, security weaknesses, and connectivity problems before they cause outages.

Key features:

  • Cross-platform — runs on Windows, Linux, and macOS
  • IPv4 and IPv6 scanning support
  • HTML, PDF, and CSV reports
  • JSON configuration — modern, easy-to-edit config format
  • Ad-hoc CLI scans — quick checks without configuration
  • Email alerts with configurable cooldowns
  • Self-contained with no external dependencies

System Requirements

  • Windows: Windows 10/11, Windows Server 2016 or later
  • Linux: 64-bit, glibc 2.17+
  • macOS: macOS 11 (Big Sur) or later

CertAlert is self-contained — no runtime dependencies required.

Quick Start

Ad-hoc scan (quickest for one-off checks):

CertAlert scan example.com
CertAlert scan example.com mail.example.com:587 10.0.0.1-5

Using a server list file:

Create servers.txt with your hosts, then run:

CertAlert scan

See the Getting Started Guide for detailed instructions.

Configuration

CertAlert uses a JSON configuration file (config.json). Example:

{
  "servers_file_path": "servers.txt",
  "expiring_threshold_days": 30,
  "console_report": { "enabled": true },
  "csv_report": { "enabled": true, "file_path": "Reports/CertAlertReport.csv" },
  "pdf_report": { "enabled": true, "file_path": "Reports/CertAlertReport.pdf" },
  "html_report": { "enabled": true, "file_path": "Reports/CertAlertReport.html" }
}

See config.example.json in the distribution for all available options.

Common Options

Option                    Description                                Default
servers_file_path         Server list file                           servers.txt
ip_ranges_file_path       IP ranges file for discovery               ip_ranges.txt
default_ports             Ports to check when none specified         [443]
expiring_threshold_days   Days before expiry to mark as EXPIRING     30
timeout_seconds           Connection timeout                         10
max_parallel_fetches      Max concurrent checks                      128
ip_mode                   IP version: any, ipv4, ipv6                any

Server List Format

Create servers.txt with one entry per line:

# Comments start with #
example.com              # Uses default_ports (443)
example.com:8443         # Explicit port
192.168.1.1:443          # IPv4 with port
smtp.example.com:587     # SMTP STARTTLS (auto-detected)
[2001:db8::1]:443        # IPv6 address with brackets

IP Range Scanning

Create ip_ranges.txt for network discovery:

# IP ranges for discovery
192.168.1.1-192.168.1.254
10.0.0.0/24
172.16.0.1-172.16.0.50

Both nmap-style ranges and CIDR notation are supported.

Tip: For large scans, tune timeout_seconds (lower for LANs) and max_parallel_fetches (higher for fast networks).
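To size a discovery scan before tuning those two settings, the following added example (not part of CertAlert) counts the addresses an ip_ranges.txt covers and gives a worst-case duration. Its assumptions: the function names are hypothetical, every address in a CIDR block is counted, the short form handles only the last octet, and probes are modelled as running in full batches that all time out.

```python
import ipaddress
import math

def parse_range(spec):
    """Return (first, last) addresses for one ip_ranges.txt entry, or None if blank."""
    spec = spec.split("#", 1)[0].strip()
    if not spec:
        return None
    if "/" in spec:                                   # CIDR, e.g. 10.0.0.0/24
        net = ipaddress.ip_network(spec, strict=False)
        return net[0], net[-1]
    lo_text, dash, hi_text = (p.strip() for p in spec.partition("-"))
    lo = ipaddress.ip_address(lo_text)
    if not dash:                                      # single address
        return lo, lo
    if hi_text.isdigit() and lo.version == 4:         # short form, e.g. 10.0.0.1-5
        hi_text = lo_text.rsplit(".", 1)[0] + "." + hi_text
    hi = ipaddress.ip_address(hi_text)
    if hi.version != lo.version or hi < lo:
        raise ValueError(f"range end precedes start or mixes IP versions: {spec!r}")
    return lo, hi

def count_addresses(text):
    """Total addresses covered by an ip_ranges.txt body (overlaps counted twice)."""
    total = 0
    for line in text.splitlines():
        bounds = parse_range(line)
        if bounds:
            total += int(bounds[1]) - int(bounds[0]) + 1
    return total

def worst_case_seconds(addresses, ports, timeout_seconds, max_parallel_fetches):
    """Upper bound under the assumed model: every probe times out, batch by batch."""
    probes = addresses * ports
    return math.ceil(probes / max_parallel_fetches) * timeout_seconds

# Sample input: the ip_ranges.txt shown in this FAQ.
SAMPLE = """\
# IP ranges for discovery
192.168.1.1-192.168.1.254
10.0.0.0/24
172.16.0.1-172.16.0.50
"""

if __name__ == "__main__":
    n = count_addresses(SAMPLE)
    print(n, "addresses")
    print("defaults (10 s, 128 parallel):", worst_case_seconds(n, 1, 10, 128), "s")
    print("LAN tuning (2 s, 512 parallel):", worst_case_seconds(n, 1, 2, 512), "s")
```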

IPv6 Support

CertAlert fully supports IPv6 addresses. Use brackets for IPv6 with ports:

[2001:db8::1]:443
[::1]:8443

Control IP version scanning with the ip_mode setting:

  • any — Scan both IPv4 and IPv6 (default)
  • ipv4 — IPv4 only
  • ipv6 — IPv6 only

Certificate Statuses

CertAlert assigns statuses based on certificate validity, trust, and security:

Status               Meaning
REVOKED              Certificate revoked by CA
EXPIRED              Certificate has expired
NAME_MISMATCH        Hostname doesn't match CN/SAN
NOT_YET_VALID        Certificate validity period hasn't started
SELF_SIGNED          Certificate is self-signed
UNTRUSTED_ROOT       Root CA not trusted
CHAIN_BUILD_FAILED   Certificate chain incomplete
INSECURE_PROTOCOL    TLS version below 1.2
WEAK_KEY             Insufficient key strength (RSA <2048)
WEAK_SIG             Deprecated signature algorithm (SHA-1, MD5)
EXPIRING             Certificate expiring within threshold
OK                   No issues found

Connection Statuses

Status        Meaning
DNS_FAIL      DNS resolution failed
UNREACHABLE   No response from IP
CLOSED        TCP connection refused
NO_CERT       TCP connected but TLS failed

Email Alerts & Reports

Configure SMTP and enable alerts in config.json:

{
  "smtp": {
    "host": "smtp.example.com",
    "port": 587,
    "username": "[email protected]",
    "from": "CertAlert <[email protected]>",
    "enable_starttls": true
  },
  "alerts": {
    "enabled": true,
    "recipients": ["[email protected]"],
    "statuses": ["EXPIRED", "EXPIRING", "REVOKED"],
    "cooldown_hours": 6
  },
  "reports": {
    "enabled": true,
    "recipients": ["[email protected]"],
    "frequency_hours": 24,
    "include_csv": true
  }
}

Alerts are event-driven — sent when issues are detected. Reports are time-driven — sent on schedule.

SMTP Password

Windows (recommended): Use DPAPI encryption:

CertAlert configure smtp-password

This securely stores the encrypted password in config.json.

All platforms: Use an environment variable:

export CERTALERT_SMTP_PASSWORD="your-password"
./CertAlert scan

Scheduling

Windows Task Scheduler:

  1. Set Program/script to the full path of CertAlert.exe
  2. Set Add arguments to: scan --accept-eula
  3. Set Start in to the CertAlert folder (required)

Linux/macOS cron:

0 6 * * * cd /opt/certalert && ./CertAlert scan --accept-eula

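Note: Configure the SMTP password before scheduling if email is enabled. A cron job does not inherit variables exported in an interactive shell, so if you use CERTALERT_SMTP_PASSWORD it must be set in the job's own environment.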

Reports

CertAlert generates three report formats:

  • HTML — Dashboard with summary and details
  • PDF — Printable summary report
  • CSV — Full data export for analysis or integration

Enable/disable each in config.json:

"csv_report": { "enabled": true, "file_path": "Reports/CertAlertReport.csv" },
"pdf_report": { "enabled": true, "file_path": "Reports/CertAlertReport.pdf" },
"html_report": { "enabled": true, "file_path": "Reports/CertAlertReport.html" }

STARTTLS Support

CertAlert automatically detects STARTTLS based on port number:

  • Ports 25, 587 — SMTP STARTTLS
  • Port 143 — IMAP STARTTLS
  • Port 110 — POP3 STARTTLS

No protocol prefix required — just specify the port:

smtp.example.com:587
imap.example.com:143
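To check a servers.txt before a scheduled run, the following added example (not CertAlert's own code) parses the entry forms from the Server List Format section and applies the port-to-STARTTLS mapping listed above. The function names are hypothetical, and accepting a bare IPv6 address without a port is an assumption.

```python
import ipaddress

STARTTLS_PORTS = {25: "smtp", 587: "smtp", 143: "imap", 110: "pop3"}  # from the FAQ list

def parse_entry(line, default_ports=(443,)):
    """Parse one servers.txt line into a list of (host, port, starttls) tuples."""
    entry = line.split("#", 1)[0].strip()        # drop comment and padding
    if not entry:
        return []
    if entry.startswith("["):                     # [IPv6] or [IPv6]:port
        host, sep, rest = entry[1:].partition("]")
        if not sep or (rest and not rest.startswith(":")):
            raise ValueError(f"malformed bracketed address: {entry!r}")
        ipaddress.IPv6Address(host)               # ValueError if not valid IPv6
        port = rest[1:] if rest else None
    elif entry.count(":") > 1:                    # bare IPv6 without port (assumption)
        ipaddress.IPv6Address(entry)
        host, port = entry, None
    else:                                         # hostname or IPv4, optional :port
        host, sep, rest = entry.partition(":")
        port = rest if sep else None
    if not host or any(c.isspace() for c in host):
        raise ValueError(f"malformed host: {entry!r}")
    if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
        raise ValueError(f"invalid port: {entry!r}")
    ports = [int(port)] if port is not None else list(default_ports)
    return [(host, p, STARTTLS_PORTS.get(p)) for p in ports]

def parse_servers(text, default_ports=(443,)):
    targets = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            targets.extend(parse_entry(line, default_ports))
        except ValueError as exc:                 # report the offending line number
            raise ValueError(f"line {n}: {exc}") from None
    return targets

# Sample input: the servers.txt lines shown in this FAQ.
SAMPLE = """\
# Comments start with #
example.com              # Uses default_ports (443)
example.com:8443         # Explicit port
192.168.1.1:443          # IPv4 with port
smtp.example.com:587     # SMTP STARTTLS (auto-detected)
[2001:db8::1]:443        # IPv6 address with brackets
"""

if __name__ == "__main__":
    print(*parse_servers(SAMPLE), sep="\n")
```

A third tuple element of None means the port is not in the STARTTLS list, so the entry is treated here as a direct TLS endpoint.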

Private CA Certificates

If certificates from your private CA show UNTRUSTED_ROOT:

Option 1: Add your CA to the system trust store (recommended)

Option 2: Skip chain validation for specific issuers:

{
  "skip_chain_validation_issuers": ["Acme Corp Internal CA", "My Company Root CA"]
}

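Values are matched case-insensitively against the certificate issuer's CN or O fields. The match is on the issuer name only, and chain validation is skipped for matching certificates, so this option does not verify that a certificate was actually signed by that CA; prefer Option 1 where possible.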

Performance Tuning

For LAN scans: Decrease timeout, increase parallelism:

CertAlert scan -t 2 -j 512

For WAN/slow networks: Increase timeout, use --retry-slow:

CertAlert scan -t 15 --retry-slow

The --retry-slow flag re-scans endpoints that connected but failed TLS negotiation.

Exit Codes

Code   Meaning
0      Scan completed successfully
1      General error (invalid config, I/O error, SMTP failure)
2      Licence error (missing, expired, invalid)

Feature Requests

We value customer input in product development. If you have suggestions that would enhance CertAlert, please share them at [email protected].
