Please feel free to email rather than use the FAQ if you have any questions. We are friendly people and love hearing from anyone using or trying out CertAlert. So please send an email to email@example.com and we will do all we can to answer your questions.
CertAlert does many things, here are just a few:
CertAlert runs on all versions of Windows from Windows XP SP2 on. It requires .NET 2.0 or later, but this is pre-installed already on Windows systems.
Yes, CertAlert is a Certificate Expiry Monitor. It will monitor SSL certificates deployed on your networks and email expiry notifications to the appropriate parties; thus allowing certificates to be renewed in a timely manner.
Yes, CertAlert is a Certificate Discovery Tool. It will scan your networks by IP ranges (or hosts file) and port ranges trying to find SSL certificates deployed. The results of the scan are written to a detailed report; this report can be used to identify issues with the certificates CertAlert has found - such as certificates with weak algorithms, short keys, unknown issuer etc.
Yes, CertAlert is a Certificate Audit Tool. As mentioned above, it will scan your networks for SSL certificates and create a detailed report that can be used to identify potential non-compliance issues within your certificate population.
If you have a CertCentre account (email firstname.lastname@example.org to request one), then you can configure CertAlert to send its results directly to your CertCentre account (over an encrypted link). All you need to do is set the following values in the CertAlert.exe.config file.
<add key="SendResultsToCertCentre" value="true"/>
<add key="CertCentreUsername" value="your certcentre username here"/>
<add key="CertCentrePassword" value="your certcentre password here"/>
If you are behind a proxy you will need to set a couple of extra values to tell CertAlert to use your proxy when connecting to CertCentre.
<add key="UseProxyForCertCentre" value="true"/>
<add key="ProxyAddressForCertCentre" value="yourProxyIPaddr:yourProxyPortnumber"/>
Yes, please do! We want to hear from you about the features you think would make CertAlert better. Please e-mail email@example.com or call us and let us know the feature or features you want.
Yes, you can specify the number of concurrent outgoing connection attempts by setting the Connections configuration value. By default, it is set to 256 as shown below.
<add key="Connections" value="256"/>
Yes, CertAlert will attempt to connect to all end points you tell it to on any platform including Windows, Mac OS, Linux, Unix, and Devices.
Yes, you can specify the number of days before certificate expiry you wish to start receiving expiry alerts by setting the WarningInterval configuration value. By default, it is set to 90 days as shown below.
<add key="WarningInterval" value="90" />
CertAlert can check for SSL certificates used with STARTTLS SMTP. The STARTTLS ports checked by default are 25 and 587. This can be changed via the SmtpStartTlsPorts configuration setting.
<add key="SmtpStartTlsPorts" value="25,587"/>
CertAlert lets you specify which of the following events you wish to receive alerts for:
To specify which of the events listed above you would like to receive alerts for, set the EmailAlerts configuration setting.
<add key="EmailAlerts" value="EXPIRED,EXPIRING" />
CertAlert lets you specify which of the following certificate conditions are included in reports:
To specify which of the conditions listed above you would like included in the report, set the ReportConditions configuration setting. The example below specifies that only expiring and expired certificates should be included in the certificate report.
<add key="ReportConditions" value="EXPIRED,EXPIRING" />
CertAlert lets you specify the IP ranges you wish to be scanned in either nmap (e.g., 18.104.22.168-162) or CIDR (e.g., 192.168.0.0/24) notation. To use IPRanges, set UseIPRanges to true and specify the ranges using the IPRanges configuration setting.
<add key="UseIPRanges" value="true" />
<add key="IPRanges" value="192.168.1.1-2,192.168.2.1-2,192.168.0.0/24" />
CertAlert lets you specify the TCP ports you wish to be checked. You can specify individual ports and port ranges. To specify TCP ports use the Ports configuration setting. For a list of common SSL ports see: Common SSL ports.
<add key="Ports" value="443,444,1-65,44000,45000-45500" />
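The IPRanges, Ports and Connections values together decide how many endpoints a scan will touch. The following is an added example, not CertAlert code, that expands the page's sample values to size and scope-check a scan before running it. It assumes a CIDR block counts every address, that an nmap-style range may appear in any octet, and that Connections caps each round of attempts.

```python
import ipaddress
import itertools
import xml.etree.ElementTree as ET

# Constructed config fragment using the keys and sample values shown on this page.
SAMPLE_CONFIG = """<configuration><appSettings>
  <add key="UseIPRanges" value="true" />
  <add key="IPRanges" value="192.168.1.1-2,192.168.2.1-2,192.168.0.0/24" />
  <add key="Ports" value="443,444,1-65,44000,45000-45500" />
  <add key="Connections" value="256"/>
</appSettings></configuration>"""

def _span(text, lo_min, hi_max):
    """Parse 'N' or 'N-M' into an inclusive range, rejecting out-of-bounds values."""
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not lo_min <= lo <= hi <= hi_max:
        raise ValueError(f"bad range {text!r}")
    return range(lo, hi + 1)

def _items(spec):
    return [s.strip() for s in spec.split(",") if s.strip()]

def expand_hosts(spec):
    hosts = set()
    for item in _items(spec):
        if "/" in item:  # CIDR: every address in the block is counted (assumption)
            hosts.update(ipaddress.ip_network(item, strict=False))
        else:            # nmap style: each octet may be 'N' or 'N-M'
            octets = item.split(".")
            if len(octets) != 4:
                raise ValueError(f"bad IPv4 range {item!r}")
            for combo in itertools.product(*(_span(o, 0, 255) for o in octets)):
                hosts.add(ipaddress.IPv4Address(".".join(map(str, combo))))
    return hosts

def expand_ports(spec):
    return {p for item in _items(spec) for p in _span(item, 1, 65535)}

def scan_scope(config_xml):
    cfg = {a.get("key"): a.get("value") for a in ET.fromstring(config_xml).iter("add")}
    hosts, ports = expand_hosts(cfg["IPRanges"]), expand_ports(cfg["Ports"])
    endpoints = len(hosts) * len(ports)
    return {
        "hosts": len(hosts),
        "ports": len(ports),
        "endpoints": endpoints,
        # Rough lower bound on rounds of concurrent attempts (ceiling division).
        "connection_rounds": -(-endpoints // int(cfg["Connections"])),
        # Addresses outside private space deserve a second look before scanning.
        "non_private": sorted(str(h) for h in hosts if not h.is_private),
    }
```

Calling scan_scope(SAMPLE_CONFIG) shows that the two sample lines above already describe 260 hosts and 569 ports, so a wide Ports value multiplies quickly.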
To disable the accept licence prompt, use the command line argument i_accept_the_licence.
CertAlert can easily be run automatically by using the Windows Task Scheduler to call it. You will need to set the Task Scheduler "Start in" value to the folder where the CertAlert.exe is located. Also pass the command line argument i_accept_the_licence.
Below is an example of automating CertAlert on Windows 7
You can test that it works by selecting the task, right clicking and picking "Run".
To specify that the certificates should be included in the report use the IncludeCert configuration setting.
<add key="IncludeCert" value="true"/>
CertAlert lets you configure the fields/columns you want in the CSV report. The fields that can be included in the report are shown below. To include a field in the report set its value true in the config file. If you don't want a field included set its value false.
<add key="HostCol" value="true"/>
<add key="PortCol" value="true"/>
<add key="CommonNameCol" value="true"/>
<add key="IssuerOrgCol" value="true"/>
<add key="IssuerCol" value="false"/>
<add key="SubjectCol" value="false"/>
<add key="SigAlgCol" value="true"/>
<add key="KeySizeCol" value="true"/>
<add key="SerialNumberCol" value="true"/>
<add key="VerifiedCol" value="false"/>
<add key="SubAltNamesCol" value="true"/>
<add key="Sha1FingerprintCol" value="true"/>
<add key="NotBeforeCol" value="true"/>
<add key="NotAfterCol" value="true"/>
<add key="DaysTillExpiryCol" value="true"/>
<add key="ExpiryStatusCol" value="true"/>
<add key="PemCertCol" value="false"/>
<add key="ErrorInfoCol" value="true"/>
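The CSV report can be triaged for the audit issues mentioned earlier (expiry, weak algorithms, short keys). The following is an added example, not CertAlert code, run over a constructed report. The header names, the date format, the value spellings, the 2048-bit threshold and the WEAK_SIG, SHORT_KEY and NO_CERT labels are all assumptions; only EXPIRED, EXPIRING and the 90-day interval come from this page.

```python
import csv
import io
from datetime import datetime, timezone

WARNING_INTERVAL_DAYS = 90          # the page's default WarningInterval
MIN_RSA_BITS = 2048                 # assumed audit threshold, not a CertAlert setting
WEAK_SIG_MARKERS = ("md5", "sha1")  # assumed substrings of a weak SigAlg value

# Constructed report. Header names are assumed to be the column keys without "Col",
# and the NotAfter date format is assumed to be YYYY-MM-DD.
SAMPLE_REPORT = """Host,Port,CommonName,SigAlg,KeySize,NotAfter,ErrorInfo
10.0.0.5,443,intranet.example.test,sha256RSA,2048,2031-01-01,
10.0.0.6,443,old.example.test,sha1RSA,1024,2020-03-01,
10.0.0.7,587,mail.example.test,sha256RSA,2048,2025-02-15,
10.0.0.8,8443,,,,,constructed handshake error
"""

def triage(report_text, now, warning_days=WARNING_INTERVAL_DAYS):
    """Return (host, port, flags) for every row that needs attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        flags = []
        if not row["NotAfter"]:
            flags.append("NO_CERT")     # nothing to audit; see ErrorInfo
        else:
            not_after = datetime.strptime(row["NotAfter"], "%Y-%m-%d")
            days_left = (not_after.replace(tzinfo=timezone.utc) - now).days
            if days_left < 0:
                flags.append("EXPIRED")
            elif days_left <= warning_days:
                flags.append("EXPIRING")
            if any(m in row["SigAlg"].lower() for m in WEAK_SIG_MARKERS):
                flags.append("WEAK_SIG")
            # RSA-oriented check: the page shows no key-type column, so EC keys
            # would need their own threshold.
            if row["KeySize"].isdigit() and int(row["KeySize"]) < MIN_RSA_BITS:
                flags.append("SHORT_KEY")
        if flags:
            findings.append((row["Host"], int(row["Port"]), flags))
    return findings
```

Expiry is recomputed from NotAfter against the time of triage instead of trusting a days-remaining figure frozen when the report was written.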
Yes, CertAlert supports Server Name Indication (SNI). You can try it against an SNI enabled site such as https://bob.sni.velox.ch. When a client supporting SNI connects to this site, the site returns a certificate with a common name of bob.sni.velox.ch. If the client doesn't support SNI, then the certificate returned has a common name of alice.sni.velox.ch.
A very good editor for editing the CertAlert.exe.config file is NotePad++. To switch on XML highlighting: from the menu select Language and then click XML in the list displayed.
There are a number of CSV viewers that can be used for viewing CertAlert's CSV formatted reports. Here are two you might like to try: