What is CertAlert?

CertAlert is a .NET console application for managing SSL certificates. It scans your networks based on input IP ranges (or hostnames) and port ranges, and generates detailed CSV and summary PDF reports on the certificates it finds. Detected issues, such as expired, expiring, self-signed, MD5, and short-key certificates, are highlighted.

In addition to displaying progress in a PowerShell command window, CertAlert can send alerts and reports via email to multiple recipients. It can be run manually from the command window or scheduled to run periodically using the Windows Scheduler.

CertAlert Benefits

CertAlert offers the following benefits:

  • Prevent downtime by receiving timely alerts when certificates need renewing
  • Save time by automating certificate discovery and monitoring across your networks
  • Save money by reducing your certificate management overhead
  • Avoid lost sales because someone forgot to renew a certificate
  • Avoid brand damage because an expired certificate caused loss of trust

CertAlert Features

CertAlert offers many features including:

  • Scans for certificates by IP ranges or a hosts file
  • Can identify SSL certificates on Windows, Linux, Unix, devices, etc.
  • Lets you specify which ports / port ranges should be checked
  • Understands the following types of SSL certificates: OV, DV, EV, self-signed, etc.
  • Automated expiry alerts emailed to multiple contacts
  • Detailed certificate reporting
  • Identifies problems with Issuers, Key Lengths, Algorithms, etc.
  • Supports many protocols including: HTTPS, LDAPS, POP3S, IMAPS, SMTPS
  • Also supports SMTP STARTTLS
  • Can run automatically using the Windows Task Scheduler

CertAlert Reports

Each time CertAlert runs, it creates two reports: a CSV report and a PDF report. The PDF report identifies specific certificate issues such as self-signed certificates, short-key certificates, certificates using the MD5 algorithm, etc. The CSV report contains detailed information about all the certificates found. An example CSV report showing just some of the fields that can be included is shown below.

CertAlert Report Columns

The table below provides a description of each of the fields that you can configure to be included in a CSV report.

Table 1. Certificate Report Fields
| Field Heading | Description |
|---|---|
| Hostname | A hostname or IP address indicating the target host |
| Port | The TCP port used to communicate with the remote server |
| Common Name | The Common Name (CN) of the server's certificate. This normally matches the fully qualified domain name of the server that CertAlert connected to in order to get the certificate. |
| Issuer Org. | The organisation part of the issuer's distinguished name |
| Issuer | A distinguished name defining the entity that issued the certificate |
| Subject | A distinguished name defining the entity associated with the certificate |
| Signature Algorithm | The algorithm used to sign the certificate. Lets you identify the presence of insecure algorithms, such as MD5. |
| Key Size | The RSA key size (bits) |
| Serial Number | The certificate's serial number |
| SelfSigned | Indicates if the certificate is a self-signed certificate |
| Verified | Indicates if the certificate was verified in line with RFC 5280 |
| SANS | The certificate's DNS subject alternative names |
| NotBefore | The date the certificate becomes valid |
| NotAfter | The date after which the certificate is no longer valid |
| Days | The number of complete days before the certificate expires |
| ExpiryStatus | One of the following: OK, EXPIRING, EXPIRED, ERROR |
| Certificate | The complete certificate (PEM formatted) |
| ErrorInfo | Information about errors that occurred when getting or validating the certificate |
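A triage pass over a CSV report with the columns in Table 1, as an added example (not CertAlert's own code). It assumes the CSV headings match the Field Heading names above; the value spellings (True/False, md5RSA, negative Days for expired certificates), the 2048-bit minimum key size and the sample rows are all constructed assumptions.

```python
import csv
import io

MIN_RSA_BITS = 2048  # assumed policy threshold; the page does not define "short key"

# Constructed sample report; headings follow Table 1, value formats are assumed.
SAMPLE_CSV = """Hostname,Port,Common Name,Signature Algorithm,Key Size,SelfSigned,Days,ExpiryStatus,ErrorInfo
www.example.test,443,www.example.test,sha256RSA,2048,False,212,OK,
mail.example.test,465,mail.example.test,sha256RSA,2048,False,12,EXPIRING,
10.0.0.7,636,dc01.example.test,md5RSA,1024,True,-40,EXPIRED,
10.0.0.9,443,,,,,,ERROR,Connection timed out
"""

def findings(row):
    """Return the list of issues for one report row."""
    issues = []
    status = (row.get("ExpiryStatus") or "").strip().upper()
    if status == "ERROR":
        # No certificate was retrieved, so the other columns are not meaningful.
        return ["ERROR: " + ((row.get("ErrorInfo") or "").strip() or "no detail")]
    if status in ("EXPIRED", "EXPIRING"):
        issues.append(f"{status} (Days={(row.get('Days') or '').strip()})")
    # Accepted truthy spellings are an assumption about the report format.
    if (row.get("SelfSigned") or "").strip().lower() in ("true", "yes", "1"):
        issues.append("self-signed")
    if "md5" in (row.get("Signature Algorithm") or "").lower():
        issues.append("MD5 signature")
    key_size = (row.get("Key Size") or "").strip()
    if key_size.isdigit() and int(key_size) < MIN_RSA_BITS:
        issues.append(f"short key ({key_size} bits)")
    return issues

def triage(csv_text):
    """Map 'host:port' to its issues, omitting rows with nothing to report."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = findings(row)
        if issues:
            report[f"{row['Hostname']}:{row['Port']}"] = issues
    return report

if __name__ == "__main__":
    for target, issues in triage(SAMPLE_CSV).items():
        print(f"{target}: {', '.join(issues)}")
```

ERROR rows are reported on their own because a failed connection leaves the certificate columns empty, and an empty Key Size or SelfSigned value should not be read as "no issue".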

Running CertAlert

The screenshot below shows the CertAlert output when run from the console. CertAlert can also be easily automated or scripted. See our Getting Started page for information about downloading and running CertAlert for the first time.

More About What CertAlert Does

Like a passport or driving licence, an SSL certificate has a validity period. When a CA issues a certificate, it includes an expiration date. The certificate's expiration date is normally one or two years from the date of issue. To ensure that a certificate remains valid, it must be renewed with a CA prior to its expiration date. When an organisation has many certificates with different expiration dates issued from multiple CAs, the task of managing them can become arduous and error-prone. CertAlert can reduce the risk of a certificate being left to expire by periodically querying your servers and alerting you in good time when certificates need renewing.

Using an IP range or text file of hostnames, CertAlert will report the expiration status of each certificate it finds. It provides detailed CSV reports of the certificate information collected; the report format is suitable for importing into other applications such as a spreadsheet or database. While running, CertAlert can write certificate details to a DOS command window to provide feedback on its progress. In addition, alerts and a summary report can be emailed by CertAlert to one or more recipients. CertAlert can be run manually from a DOS command window or called periodically by the Windows Task Scheduler.

For more information, see also the CertAlert FAQ.