Commonly asked questions about our enterprise certificate monitoring and discovery tool
CertAlert is our enterprise-grade certificate management solution that offers a comprehensive set of features, including:
CertAlert is compatible with all versions of Windows, starting from Windows 11 and Windows Server 2016 onwards. We are currently developing a Linux version of CertAlert. If you're interested in testing this version, please contact our team.
Yes, CertAlert is a comprehensive Certificate Expiry Monitor. It continuously tracks SSL certificates deployed across your networks and sends timely expiration notifications to designated recipients, ensuring certificates can be renewed before they impact your services.
Absolutely. CertAlert functions as a powerful Certificate Discovery Tool. It systematically scans your networks based on specified IP ranges (or a hosts file) and port ranges to locate deployed SSL certificates. The scan results are compiled into detailed reports that help identify potential issues such as weak algorithms, inadequate key lengths, or unknown certificate authorities.
Indeed, CertAlert serves as a comprehensive Certificate Audit Tool. It thoroughly scans your networks for SSL certificates and generates detailed reports that help identify potential compliance issues within your certificate inventory, ensuring your digital infrastructure meets security best practices and industry standards.
CertAlert is designed for easy deployment and use. Visit our Getting Started page for a step-by-step guide on downloading and running CertAlert for the first time.
Absolutely! We value customer input in our product development. If you have suggestions that would enhance CertAlert for your organization, please share them with us at [email protected].
Yes, you can optimize scan performance by adjusting the number of concurrent outgoing connection attempts.
This is controlled by the Connections configuration value, which defaults to 256 as shown below:
<add key="Connections" value="256"/>
Yes, CertAlert will attempt to connect to all endpoints you specify, regardless of the underlying platform. This includes Windows, macOS, Linux, Unix, and various network devices. CertAlert's platform-agnostic scanning ensures certificate discovery across heterogeneous enterprise environments.
Yes, you can customize the advance notification period for certificate expiration by setting the WarningInterval configuration value. By default, it is set to 90 days as shown below:
<add key="WarningInterval" value="90" />
Yes, CertAlert supports checking SSL certificates used with STARTTLS SMTP.
The default STARTTLS ports checked are 25 and 587. You can customize this via the SmtpStartTlsPorts configuration option:
<add key="SmtpStartTlsPorts" value="25,587"/>
CertAlert allows you to customize which events trigger alerts. The available options are:
To specify which events should trigger alerts, adjust the EmailAlerts configuration setting:
<add key="EmailAlerts" value="EXPIRED,EXPIRING" />
CertAlert lets you customize which certificate conditions appear in your reports:
Configure this by setting the ReportConditions value. The example below will only include expiring and expired certificates in reports:
<add key="ReportConditions" value="EXPIRED,EXPIRING" />
CertAlert supports both nmap-style (e.g., 178.125.139.1-162) and CIDR notation (e.g., 192.168.0.0/24) for IP ranges.
To use IP ranges, set UseIPRanges to true and specify the ranges with the IPRanges setting:
<add key="UseIPRanges" value="true" />
<add key="IPRanges" value="192.168.1.1-2,192.168.2.1-2,192.168.0.0/24" />
CertAlert allows you to specify which TCP ports to check during scans. You can list individual ports and port ranges using the Ports configuration setting. For reference on common SSL ports, see our Common SSL ports article.
<add key="Ports" value="443,444,1-65,44000,45000-45500" />
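How the IPRanges and Ports values above translate into scan size, as an added example (not CertAlert's own code). It assumes every address in a CIDR block is a target, that overlapping entries count once, and that the Connections value bounds the attempts in flight; all function names are hypothetical.

```python
import ipaddress
import math
from itertools import product

def _span(text, lo_min, hi_max):
    """Parse '7' or '1-65' into an inclusive range, bounds-checked."""
    lo, _, hi = text.strip().partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not lo_min <= lo <= hi <= hi_max:
        raise ValueError(f"out of range: {text!r}")
    return range(lo, hi + 1)

def _items(value):
    return [s.strip() for s in value.split(",") if s.strip()]

def expand_ip_ranges(value):
    """IPRanges value -> sorted, de-duplicated IPv4 addresses."""
    addrs = set()
    for item in _items(value):
        if "/" in item:
            # Assumption: every address in the CIDR block is a target.
            addrs.update(ipaddress.IPv4Network(item, strict=False))
        else:
            octets = item.split(".")
            if len(octets) != 4:
                raise ValueError(f"not an IPv4 range: {item!r}")
            for combo in product(*(_span(o, 0, 255) for o in octets)):
                addrs.add(ipaddress.IPv4Address(".".join(map(str, combo))))
    return sorted(addrs)

def expand_ports(value):
    """Ports value -> sorted, de-duplicated TCP port numbers."""
    ports = set()
    for item in _items(value):
        ports.update(_span(item, 1, 65535))
    return sorted(ports)

def scan_plan(ip_ranges, ports, connections=256):
    """Size of a scan: hosts x ports, plus a rough round count."""
    hosts, plist = expand_ip_ranges(ip_ranges), expand_ports(ports)
    endpoints = len(hosts) * len(plist)
    # Rough lower bound, assuming `connections` attempts stay in flight.
    return {"hosts": len(hosts), "ports": len(plist), "endpoints": endpoints,
            "min_rounds": math.ceil(endpoints / connections)}

if __name__ == "__main__":
    # Values copied from the IPRanges and Ports examples on this page.
    print(scan_plan("192.168.1.1-2,192.168.2.1-2,192.168.0.0/24",
                    "443,444,1-65,44000,45000-45500"))
```

Running the numbers before a scan shows how quickly a wide Ports value multiplies the endpoint count, which is the figure to weigh against the Connections setting.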
CertAlert can send email reports and alerts. To enable this feature, you must configure your SMTP server settings within the CertAlert.dll.config file.
For most standard SMTP servers that do not require authentication or a specific port, simply add the SMTPServer key with your server address:
<add key="SMTPServer" value="smtp.mydomain.com" />
If your SMTP server requires authentication (like a Gmail account) or runs on a port other than the default, you will need to provide more detailed configuration. The following example demonstrates a typical setup for Gmail:
<add key="SMTPServer" value="smtp.gmail.com" />
<add key="SMTPPort" value="587" />
<add key="SMTPRequiresAuthentication" value="true" />
<add key="SMTPUser" value="[email protected]" />
<add key="SMTPPassword" value="yourgmailpassword" />
<add key="SMTPUseSsl" value="true" />
SMTPServer: The hostname or IP address of your SMTP server.
SMTPPort: (Optional) The port number your SMTP server uses. Default is usually 25, but common alternatives include 587 (for TLS) or 465 (for SSL).
SMTPRequiresAuthentication: Set to true if your server requires a username and password.
SMTPUser: Your username or email address for SMTP authentication.
SMTPPassword: Your password for SMTP authentication.
SMTPUseSsl: Set to true to enable SSL/TLS encryption for the connection.
Note: Be sure to replace the placeholder values ([email protected], yourgmailpassword, and smtp.mydomain.com if using the basic example) with your actual SMTP server details and credentials.
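A lint for the SMTP keys described above, run against a weak configuration and its corrected form; this is an added example, not part of CertAlert. It assumes the file uses the standard .NET `<appSettings>` layout, and the sample values, check codes and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CHECKS = {
    "AUTH_WITHOUT_TLS": "SMTPRequiresAuthentication is true but SMTPUseSsl is not",
    "MISSING_CREDENTIALS": "authentication enabled without SMTPUser/SMTPPassword",
    "PLACEHOLDER_PASSWORD": "SMTPPassword is still the documentation placeholder",
    "BAD_PORT": "SMTPPort is not a number between 1 and 65535",
    "PASSWORD_IN_FILE": "SMTPPassword is in plain text; limit who can read the file",
}

def _wrap(body):  # assumed .NET <appSettings> layout
    return f"<configuration><appSettings>{body}</appSettings></configuration>"

WEAK = _wrap("""
  <add key="SMTPServer" value="smtp.example.com" />
  <add key="SMTPPort" value="587" />
  <add key="SMTPRequiresAuthentication" value="true" />
  <add key="SMTPUser" value="alerts@example.com" />
  <add key="SMTPPassword" value="yourgmailpassword" />
  <add key="SMTPUseSsl" value="false" />
""")  # constructed sample, not a real configuration
FIXED = WEAK.replace('"SMTPUseSsl" value="false"', '"SMTPUseSsl" value="true"') \
            .replace("yourgmailpassword", "constructed-app-password")

def lint_smtp(config_xml):
    """Return the CHECKS codes that apply to the SMTP keys in config_xml."""
    s = {e.get("key"): (e.get("value") or "").strip()
         for e in ET.fromstring(config_xml).iter("add")}
    on = lambda key: s.get(key, "").lower() == "true"
    found = []
    if on("SMTPRequiresAuthentication"):
        if not on("SMTPUseSsl"):
            found.append("AUTH_WITHOUT_TLS")
        if not (s.get("SMTPUser") and s.get("SMTPPassword")):
            found.append("MISSING_CREDENTIALS")
    if s.get("SMTPPassword") == "yourgmailpassword":
        found.append("PLACEHOLDER_PASSWORD")
    port = s.get("SMTPPort")
    if port is not None and not (port.isdecimal() and 1 <= int(port) <= 65535):
        found.append("BAD_PORT")
    if s.get("SMTPPassword"):
        found.append("PASSWORD_IN_FILE")
    return found

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("fixed", FIXED)):
        for code in lint_smtp(cfg):
            print(f"{name}: {code}: {CHECKS[code]}")
```

The corrected form still reports PASSWORD_IN_FILE, because any SMTPPassword value sits in the config file in readable form and the file's permissions are the remaining control.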
You can schedule CertAlert to run automatically on Windows using the Task Scheduler.
To include PEM-formatted certificates in your reports, enable the PemCertCol setting in the configuration file:
<add key="PemCertCol" value="true"/>
CertAlert allows you to customize which fields appear in your CSV reports. Set any field to "true" to include it or "false" to exclude it. Here are the default settings:
<add key="HostCol" value="true"/>
<add key="IpAddressCol" value="true"/>
<add key="PortCol" value="true"/>
<add key="CommonNameCol" value="true"/>
<add key="IssuerOrgCol" value="true"/>
<add key="IssuerCol" value="false"/>
<add key="SubjectCol" value="false"/>
<add key="SigAlgCol" value="true"/>
<add key="KeySizeCol" value="true"/>
<add key="SerialNumberCol" value="true"/>
<add key="SelfSignedCol" value="true"/>
<add key="VerifiedCol" value="true"/>
<add key="SubAltNamesCol" value="true"/>
<add key="Sha1FingerprintCol" value="true"/>
<add key="NotBeforeCol" value="true"/>
<add key="NotAfterCol" value="true"/>
<add key="DaysTillExpiryCol" value="true"/>
<add key="ExpiryStatusCol" value="true"/>
<add key="PemCertCol" value="false"/>
<add key="ErrorInfoCol" value="true"/>
Yes, CertAlert fully supports Server Name Indication (SNI), allowing it to correctly identify certificates on servers that host multiple websites with different SSL certificates. You can verify this by scanning an SNI-enabled site such as https://bob.sni.velox.ch.
When an SNI-supporting client connects to this site, it returns a certificate with the common name bob.sni.velox.ch. Clients without SNI support receive a certificate for alice.sni.velox.ch instead.
We recommend Notepad++ for editing the CertAlert.dll.config file. It offers a user-friendly interface and XML syntax highlighting. To enable syntax highlighting, select 'Language' from the menu and choose 'XML'.
Several options are available for viewing CertAlert's CSV reports:
We're ready to help with any additional questions. Email us at [email protected]