What Is CertAlert?

CertAlert does many things. Here are just a few:

  • Attempts to discover certificates deployed across your networks
  • Emails alerts when a certificate is approaching its expiration date
  • Analyses certificates and identifies those certificates that have vulnerabilities
  • Emails detailed PDF and CSV formatted reports

What Are CertAlert's System Requirements?

CertAlert runs on all versions of Windows from Windows XP SP2 on. It requires .NET 2.0 or later, which is already pre-installed on Windows systems.


Is CertAlert A Certificate Expiry Monitor?

Yes, CertAlert is a Certificate Expiry Monitor. It will monitor SSL certificates deployed on your networks and email expiry notifications to the appropriate parties, allowing certificates to be renewed in a timely manner.


Is CertAlert A Certificate Discovery Tool?

Yes, CertAlert is a Certificate Discovery Tool. It will scan your networks by IP ranges (or hosts file) and port ranges trying to find SSL certificates deployed. The results of the scan are written to a detailed report; this report can be used to identify issues with the certificates CertAlert has found - such as certificates with weak algorithms, short keys, unknown issuer etc.


Is CertAlert A Certificate Audit Tool?

Yes, CertAlert is a Certificate Audit Tool. As mentioned above, it will scan your networks for SSL certificates and create a detailed report that can be used to identify potential non-compliance issues within your certificate population.


How Do I Download And Run CertAlert?

CertAlert is very easy to use. See our Getting Started page for a step-by-step guide on downloading it and running it for the first time.


How Do I Send The Scan Results To My CertCentre Account?

If you have a CertCentre account (email [email protected] to request one), then you can configure CertAlert to send its results directly to your CertCentre account (over an encrypted link). All you need to do is set the following values in the CertAlert.exe.config file. Because the password is entered in the config file as shown, limit read access to that file.

<add key="SendResultsToCertCentre" value="true"/>
<add key="CertCentreUsername" value="your certcentre username here"/>
<add key="CertCentrePassword" value="your certcentre password here"/>

If you are behind a proxy, you will need to set a couple of extra values to tell CertAlert to use your proxy when connecting to CertCentre.

<add key="UseProxyForCertCentre" value="true"/>
<add key="ProxyAddressForCertCentre" value="yourProxyIPaddr:yourProxyPortnumber"/>


Can I Request New Features?

Yes, please do! We want to hear from you about the features you think would make CertAlert better. Please e-mail [email protected] or call us and let us know the feature or features you want.


Is The Scan Speed Configurable?

Yes, you can specify the number of concurrent outgoing connection attempts by setting the Connections configuration value. By default, it is set to 256 as shown below.

<add key="Connections" value="256"/>

Does CertAlert Try to Discover Certificates On Any Operating System?

Yes, CertAlert will attempt to connect to all endpoints you tell it to, on any platform, including Windows, Mac OS, Linux, Unix, and devices.


Is The Certificate Expiry Warning Period Configurable?

Yes, you can specify the number of days before certificate expiry you wish to start receiving expiry alerts by setting the WarningInterval configuration value. By default, it is set to 90 days as shown below.

<add key="WarningInterval" value="90" />

Can CertAlert Check For Certificates Used With STARTTLS?

CertAlert can check for SSL certificates used with STARTTLS SMTP. The STARTTLS ports checked by default are 25 and 587. This can be changed via the SmtpStartTlsPorts configuration option.

  <add key="SmtpStartTlsPorts" value="25,587"/>

How Do I Specify The Alerts I Receive?

CertAlert lets you specify which of the following events you wish to receive alerts for:

  • No Certificate Was Detected
  • Certificate Is Expiring
  • Certificate Has Expired

To specify which of the events listed above you would like to receive alerts for, set the EmailAlerts configuration setting.

<add key="EmailAlerts" value="EXPIRED,EXPIRING" />

How Do I Specify The Certificates Reported?

CertAlert lets you specify which of the following certificate conditions are included in reports:

  • No Certificate Was Detected
  • Certificate Is Expiring
  • Certificate Has Expired
  • Certificate Is OK (it is neither expired nor expiring)

To specify which of the conditions listed above you would like included in the report, set the ReportConditions configuration setting. The example below specifies that only expiring and expired certificates should be included in the certificate report.

<add key="ReportConditions" value="EXPIRED,EXPIRING" />

How Do I Specify The IP Ranges I Want Checked?

CertAlert lets you specify the IP ranges you wish to be scanned in either nmap (e.g., 178.125.139.1-162) or CIDR (e.g., 192.168.0.0/24) notation. To use IPRanges, set UseIPRanges true and specify the ranges using the IPRanges configuration setting.

<add key="UseIPRanges" value="true" />
<add key="IPRanges" value="192.168.1.1-2,192.168.2.1-2,192.168.0.0/24" />

How Do I Specify The Ports I Want Checked?

CertAlert lets you specify the TCP ports you wish to be checked. You can specify individual ports and port ranges. To specify TCP ports, use the Ports configuration setting. For a list of common SSL ports see: Common SSL ports.

<add key="Ports" value="443,444,1-65,44000,45000-45500" />
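
Before scheduling a scan, it helps to know how many host:port endpoints the IPRanges and Ports values expand to. The script below is an added example, not CertAlert's own code: it parses both settings from a constructed config fragment and counts the unique endpoints. The function names are hypothetical, and two parsing choices are assumptions rather than documented CertAlert behaviour: a CIDR block counts every address including network and broadcast, and nmap-style ranges are accepted in any octet (a generalization of the last-octet form shown above).

```python
import ipaddress
import itertools
import xml.etree.ElementTree as ET

# Constructed sample: an appSettings fragment using the IPRanges and Ports
# values shown on this page. The wrapper elements are assumed from the
# standard .NET app.config layout.
SAMPLE_CONFIG = """<configuration><appSettings>
  <add key="IPRanges" value="192.168.1.1-2,192.168.2.1-2,192.168.0.0/24" />
  <add key="Ports" value="443,444,1-65,44000,45000-45500" />
</appSettings></configuration>"""

def expand_span(token, lo, hi):
    """Expand 'n' or 'a-b' into a range, rejecting out-of-bounds values."""
    first, _, last = token.strip().partition("-")
    a, b = int(first), int(last or first)
    if not lo <= a <= b <= hi:
        raise ValueError(f"bad range {token!r}")
    return range(a, b + 1)

def expand_hosts(ip_ranges):
    """Return the set of addresses named by a comma-separated IPRanges value."""
    hosts = set()
    for item in filter(None, (s.strip() for s in ip_ranges.split(","))):
        if "/" in item:  # CIDR: every address in the block is counted (assumption)
            hosts.update(ipaddress.ip_network(item, strict=False))
        else:            # nmap style: each octet may be 'n' or 'a-b' (assumption)
            octets = item.split(".")
            if len(octets) != 4:
                raise ValueError(f"bad IPv4 range {item!r}")
            spans = [expand_span(o, 0, 255) for o in octets]
            hosts.update(ipaddress.IPv4Address(".".join(map(str, p)))
                         for p in itertools.product(*spans))
    return hosts  # a set, so overlapping ranges are counted once

def expand_ports(ports):
    """Return the set of TCP ports named by a comma-separated Ports value."""
    return {p for tok in ports.split(",") if tok.strip()
            for p in expand_span(tok, 1, 65535)}

def scan_size(config_xml):
    """Count the host:port endpoints a config asks the scanner to probe."""
    settings = {e.get("key"): e.get("value")
                for e in ET.fromstring(config_xml).iter("add")}
    hosts = expand_hosts(settings["IPRanges"])
    ports = expand_ports(settings["Ports"])
    return {"hosts": len(hosts), "ports": len(ports),
            "endpoints": len(hosts) * len(ports)}
```

Comparing the endpoint count with the Connections value and the Task Scheduler time limit gives a rough sense of whether a scan will finish in its window.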

How Do I Disable The Licence Prompt?

To disable the accept licence prompt, use the command line argument i_accept_the_licence.

CertAlert i_accept_the_licence

How Do I Run CertAlert Automatically?

CertAlert can easily be run automatically by using the Windows Task Scheduler to call it. You will need to set the Task Scheduler "Start in" value to the folder where the CertAlert.exe is located. Also pass the command line argument i_accept_the_licence.

Below is an example of automating CertAlert on Windows 7:

  • Unzip CertAlert to a folder (In this example we use "C:\CertAlert")
  • Open the Windows Task Scheduler - in the Start menu type "Task Scheduler"
  • Create a new task with the following settings:
    • General: Run whether user is logged in or not, Hidden
    • Triggers: Daily
    • Actions: Start program
    • Program/script: C:\CertAlert\CertAlert.exe
    • Arguments: i_accept_the_licence
    • Start in: C:\CertAlert
    • Stop the task if it runs longer than 3 hours (set this value to what's appropriate for your scan)

You can test that it works by selecting the task, right-clicking and picking "Run".


How Do I Include Certificates In The Report?

To specify that the certificates should be included in the report, use the IncludeCert configuration setting.

<add key="IncludeCert" value="true"/>

How Do I Specify The Fields Reported?

CertAlert lets you configure the fields/columns you want in the CSV report. The fields that can be included in the report are shown below. To include a field in the report, set its value to true in the config file. If you don't want a field included, set its value to false.


 
    <add key="HostCol" value="true"/>
    <add key="PortCol" value="true"/>
    <add key="CommonNameCol" value="true"/>
    <add key="IssuerOrgCol" value="true"/>
    <add key="IssuerCol" value="false"/>
    <add key="SubjectCol" value="false"/>
    <add key="SigAlgCol" value="true"/>
    <add key="KeySizeCol" value="true"/>
    <add key="SerialNumberCol" value="true"/>
    <add key="VerifiedCol" value="false"/>
    <add key="SubAltNamesCol" value="true"/>
    <add key="Sha1FingerprintCol" value="true"/>
    <add key="NotBeforeCol" value="true"/>
    <add key="NotAfterCol" value="true"/>
    <add key="DaysTillExpiryCol" value="true"/>
    <add key="ExpiryStatusCol" value="true"/>
    <add key="PemCertCol" value="false"/>
    <add key="ErrorInfoCol" value="true"/>


Does CertAlert Support Server Name Indication (SNI)?

Yes, CertAlert supports Server Name Indication (SNI). You can try it against an SNI enabled site such as https://bob.sni.velox.ch. When a client supporting SNI connects to this site, the site returns a certificate with a common name of bob.sni.velox.ch. If the client doesn't support SNI, then the certificate returned has a common name of alice.sni.velox.ch.


What's A Good Editor For Editing CertAlert.exe.config?

A very good editor for editing the CertAlert.exe.config file is Notepad++. To switch on XML highlighting: from the menu select Language and then click XML in the list displayed.


What's A Good Lightweight CSV File Viewer?

There are a number of CSV viewers that can be used for viewing CertAlert's CSV formatted reports. Here are two you might like to try:

Also, if your system has Cygwin, column -t in a terminal window can be used.