What Is CertAlert?

CertAlert offers a wide range of features, including:

  • Scanning your networks to discover deployed certificates.
  • Sending email alerts when a certificate is nearing its expiration date.
  • Analyzing certificates to identify potential vulnerabilities.
  • Generating and emailing detailed reports in both PDF and CSV formats.

CertAlert System Requirements

CertAlert is compatible with all versions of Windows, starting from Windows 10 and Windows Server 2016 onwards. We are working on a Linux version of CertAlert, so please contact us if you are interested in trying this.


Is CertAlert A Certificate Expiry Monitor?

Yes, CertAlert is a Certificate Expiry Monitor. It will monitor SSL certificates deployed on your networks and email expiry notifications to the appropriate parties, allowing certificates to be renewed in a timely manner.


Does CertAlert Discover Certificates?

Absolutely, CertAlert functions as a Certificate Discovery Tool. It scans your networks based on IP ranges (or a hosts file) and port ranges to locate deployed SSL certificates. The scan results are compiled into a detailed report, which can be used to identify potential issues with the discovered certificates, such as weak algorithms, short keys, or unknown issuers.


Does CertAlert Audit Certificates?

Indeed, CertAlert serves as a Certificate Audit Tool. It scans your networks for SSL certificates and generates a comprehensive report. This report can be used to identify potential non-compliance issues within your certificate population.


How Do I Download And Run CertAlert?

CertAlert is very easy to use. See our Getting Started page for a step-by-step guide to downloading and running it for the first time.


Can I Request New Features?

Absolutely! Your feedback is valuable to us. If there are features you think would make CertAlert even better, we'd love to hear about them. Please reach out to us at [email protected].


Is The Scan Speed Configurable?

Yes, you can specify the number of concurrent outgoing connection attempts by setting the Connections configuration value. By default, it is set to 256 as shown below.

<add key="Connections" value="256"/>

Does CertAlert Try to Discover Certificates On Any Operating System?

Yes, CertAlert will attempt to connect to all the endpoints you specify, on any platform, including Windows, Mac OS, Linux, Unix, and devices.


Is The Certificate Expiry Warning Period Configurable?

Yes, you can specify the number of days before certificate expiry you wish to start receiving expiry alerts by setting the WarningInterval configuration value. By default, it is set to 90 days as shown below.

<add key="WarningInterval" value="90" />

Can CertAlert Check For Certificates Used With STARTTLS?

CertAlert can check for SSL certificates used with STARTTLS SMTP. The STARTTLS ports checked by default are 25 and 587. This can be changed via the SmtpStartTlsPorts configuration option.

  <add key="SmtpStartTlsPorts" value="25,587"/>

How Do I Specify The Alerts I Receive?

CertAlert lets you specify which of the following events you wish to receive alerts for:

  • No Certificate Was Detected
  • Certificate Is Expiring
  • Certificate Has Expired

To specify which of the events listed above you would like to receive alerts for, set the EmailAlerts configuration setting.

<add key="EmailAlerts" value="EXPIRED,EXPIRING" />

How Do I Specify The Certificates Reported?

CertAlert lets you specify which of the following certificate conditions are included in reports:

  • No Certificate Was Detected
  • Certificate Is Expiring
  • Certificate Has Expired
  • Certificate Is OK (it is neither expired nor expiring)

To specify which of the conditions listed above you would like included in the report, set the ReportConditions configuration setting. The example below specifies that only expiring and expired certificates should be included in the certificate report.

<add key="ReportConditions" value="EXPIRED,EXPIRING" />

How Do I Specify The IP Ranges I Want Checked?

CertAlert lets you specify the IP ranges you wish to be scanned in either nmap (e.g., 178.125.139.1-162) or CIDR (e.g., 192.168.0.0/24) notation. To use IPRanges, set UseIPRanges to true and specify the ranges using the IPRanges configuration setting.

<add key="UseIPRanges" value="true" />
<add key="IPRanges" value="192.168.1.1-2,192.168.2.1-2,192.168.0.0/24" />

How Do I Specify The Ports I Want Checked?

CertAlert lets you specify the TCP ports you wish to be checked. You can specify individual ports and port ranges. To specify TCP ports use the Ports configuration setting. For a list of common SSL ports see: Common SSL ports.

<add key="Ports" value="443,444,1-65,44000,45000-45500" />
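
To gauge how many connection attempts a given IPRanges and Ports setting implies before a scan is scheduled, the following added example (not part of CertAlert or its documentation) expands both values and counts the distinct endpoints. It assumes nmap-style N-M ranges may appear in any octet and that every address in a CIDR block is probed; CertAlert's own parser may differ.

```python
import ipaddress
from itertools import product

# Values copied from the sample configuration above.
IP_RANGES = "192.168.1.1-2,192.168.2.1-2,192.168.0.0/24"
PORTS = "443,444,1-65,44000,45000-45500"


def _span(text, lo, hi):
    """Parse 'N' or 'N-M' into an inclusive range bounded by lo..hi."""
    first, _, last = text.strip().partition("-")
    start, end = int(first), int(last or first)
    if not lo <= start <= end <= hi:
        raise ValueError(f"value out of range or reversed: {text!r}")
    return range(start, end + 1)


def _items(spec):
    """Split a comma-separated setting, ignoring blanks and stray spaces."""
    return [s.strip() for s in spec.split(",") if s.strip()]


def expand_hosts(spec):
    """Return the distinct IPv4 addresses named by an IPRanges value."""
    hosts = set()
    for item in _items(spec):
        if "/" in item:
            # Assumption: every address in the CIDR block is probed,
            # including the network and broadcast addresses.
            hosts.update(ipaddress.ip_network(item, strict=False))
        else:
            octets = item.split(".")
            if len(octets) != 4:
                raise ValueError(f"not an IPv4 range: {item!r}")
            # Assumption: any octet may be N-M, as in nmap target syntax.
            for combo in product(*(_span(o, 0, 255) for o in octets)):
                hosts.add(ipaddress.IPv4Address(".".join(map(str, combo))))
    return hosts


def expand_ports(spec):
    """Return the distinct TCP ports named by a Ports value."""
    return {p for item in _items(spec) for p in _span(item, 1, 65535)}


def scan_size(ip_spec, port_spec):
    """Return (hosts, ports, endpoints) for one scan of the given settings."""
    hosts, ports = expand_hosts(ip_spec), expand_ports(port_spec)
    return len(hosts), len(ports), len(hosts) * len(ports)


print(scan_size(IP_RANGES, PORTS))
```

For the sample settings this gives 260 hosts, 569 ports and 147,940 endpoints, a figure to weigh against the Connections value and the Task Scheduler time limit.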

How Do I Disable The Licence Prompt?

To disable the accept licence prompt, use the command line argument i_accept_the_licence.

CertAlert i_accept_the_licence

How Do I Run CertAlert Automatically?

CertAlert can easily be run automatically by using the Windows Task Scheduler to call it. You will need to set the Task Scheduler "Start in" value to the folder where the CertAlert.exe is located. Also pass the command line argument i_accept_the_licence.

Below is an example of automating CertAlert:

  • Unzip CertAlert to a folder (In this example we use "C:\CertAlert")
  • Open the Windows Task Scheduler - in the Start menu type "Task Scheduler"
  • Create a new task with the following settings:
    • General: Run whether user is logged in or not, Hidden
    • Triggers: Daily
    • Actions: Start program
    • Program/script: C:\CertAlert\CertAlert.exe
    • Arguments: i_accept_the_licence
    • Start in: C:\CertAlert
    • Stop the task if it runs longer than 3 hours (set this value to what's appropriate for your scan)

You can test that it works by selecting the task, right clicking and picking "Run".


How Do I Include Certificates In The Report?

To specify that the PEM formatted certificates should be included in the report, set the PemCertCol to true in the configuration file.

<add key="PemCertCol" value="true"/>

How Do I Specify The Fields Reported?

CertAlert lets you configure the fields/columns you want in the CSV report. The fields that can be included in the report are shown below. To include a field in the report, set its value to true in the config file. If you don't want a field included, set its value to false. Below are the default settings in the configuration file.


 
    <add key="HostCol" value="true"/>
    <add key="IpAddressCol" value="true"/>
    <add key="PortCol" value="true"/>
    <add key="CommonNameCol" value="true"/>
    <add key="IssuerOrgCol" value="true"/>
    <add key="IssuerCol" value="false"/>
    <add key="SubjectCol" value="false"/>
    <add key="SigAlgCol" value="true"/>
    <add key="KeySizeCol" value="true"/>
    <add key="SerialNumberCol" value="true"/>
    <add key="SelfSignedCol" value="true"/>
    <add key="VerifiedCol" value="true"/>
    <add key="SubAltNamesCol" value="true"/>
    <add key="Sha1FingerprintCol" value="true"/>
    <add key="NotBeforeCol" value="true"/>
    <add key="NotAfterCol" value="true"/>
    <add key="DaysTillExpiryCol" value="true"/>
    <add key="ExpiryStatusCol" value="true"/>
    <add key="PemCertCol" value="false"/>
    <add key="ErrorInfoCol" value="true"/>



Does CertAlert Support Server Name Indication (SNI)?

Yes, CertAlert supports Server Name Indication (SNI). You can try it against an SNI enabled site such as https://bob.sni.velox.ch. When a client supporting SNI connects to this site, the site returns a certificate with a common name of bob.sni.velox.ch. If the client doesn't support SNI, then the certificate returned has a common name of alice.sni.velox.ch.


Which Editor Is Best for Editing CertAlert.dll.config?

We highly recommend Notepad++ for editing the CertAlert.dll.config file. It's user-friendly and offers XML syntax highlighting. To enable this feature, simply select 'Language' from the menu and then choose 'XML'.


What's A Good Lightweight CSV File Viewer?

There are a number of CSV viewers that can be used for viewing CertAlert's CSV formatted reports. Here are two that you might like to try:

Also, if your system has Cygwin, column -t in a terminal window can be used.