Every certificate, caught before it expires.
certwatch discovers, scores, monitors and renews the TLS/SSL certificates across your infrastructure — and warns you before they take a service down. No agents. No SaaS. All data stays on your servers.
- $0 licensing
- No agent install
- Air-gap friendly
- PCI-DSS / ISO 27001

Everything between discovery and renewal.
Certificate expiry is a leading cause of outages, and most teams still track certs in spreadsheets. certwatch replaces the spreadsheet with a live inventory, health scoring, and automated workflows.
TLS Reconnaissance
Scan hosts and CIDR ranges over TLS; extract the full chain and handshake metadata — version, cipher, ALPN, OCSP, SCTs.
Health Scoring
Composite 0–100 score per certificate, weighing expiry, key strength, chain, OCSP and policy into one number.
Diff Detection
SHA-256 fingerprint diff across scans flags unexpected certificate swaps — a possible sign of compromise.
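The fingerprint diff described here (and applied by the Sentinel step of the pipeline further down) can be illustrated with a small classifier. This is an added example, not certwatch's own code: the record layout, the severity tiers and the sample scans are assumptions, and the byte strings stand in for DER-encoded certificates rather than being real ones. The point it shows is that a changed fingerprint alone is not the alert; the diff becomes interesting when the issuer changes, SAN coverage shrinks, or the replacement expires earlier than what it replaced.

```python
import hashlib
from datetime import date


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, colon-separated uppercase hex."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def make_record(der: bytes, issuer: str, sans: list, not_after: date) -> dict:
    """Per-host record a scan would store (field set is an assumption)."""
    return {"fingerprint": fingerprint(der), "issuer": issuer,
            "sans": sorted(sans), "not_after": not_after}


def classify_swap(old: dict, new: dict) -> tuple:
    """Severity for a host whose presented certificate changed between scans.
    Assumed heuristics: same issuer, same-or-wider SAN coverage and a later
    expiry looks like a routine renewal; anything else deserves a human look."""
    if old["fingerprint"] == new["fingerprint"]:
        return ("none", "unchanged")
    if new["issuer"] != old["issuer"]:
        return ("high", f"issuer changed: {old['issuer']} -> {new['issuer']}")
    dropped = set(old["sans"]) - set(new["sans"])
    if dropped:
        return ("high", f"SAN coverage shrank, lost {sorted(dropped)}")
    if new["not_after"] < old["not_after"]:
        return ("medium", "replacement expires earlier than the certificate it replaced")
    return ("info", "routine rotation")


def diff_scans(previous: dict, current: dict) -> list:
    """Compare two scans keyed by host; returns (host, severity, reason) findings."""
    findings = []
    for host, new in current.items():
        old = previous.get(host)
        if old is None:
            findings.append((host, "info", "host not seen in previous scan"))
            continue
        severity, reason = classify_swap(old, new)
        if severity != "none":
            findings.append((host, severity, reason))
    for host in sorted(previous.keys() - current.keys()):
        findings.append((host, "medium", "host no longer presents a certificate"))
    return findings


# Constructed sample scans: the byte strings are placeholders, not real certificates.
ISSUER = "CN=Example Corp Issuing CA 1"
PREVIOUS = {
    "www.example.com":  make_record(b"der-www-2025", ISSUER, ["www.example.com", "example.com"], date(2025, 9, 1)),
    "shop.example.com": make_record(b"der-shop-2025", ISSUER, ["shop.example.com"], date(2025, 9, 1)),
    "api.example.com":  make_record(b"der-api-2025", ISSUER, ["api.example.com"], date(2025, 9, 1)),
    "old.example.com":  make_record(b"der-old-2025", ISSUER, ["old.example.com"], date(2025, 9, 1)),
}
CURRENT = {
    "www.example.com":  PREVIOUS["www.example.com"],                                                   # unchanged
    "shop.example.com": make_record(b"der-shop-2026", ISSUER, ["shop.example.com"], date(2026, 9, 1)),  # renewed
    "api.example.com":  make_record(b"der-api-x", "CN=Unknown Issuer", ["api.example.com"], date(2026, 3, 1)),  # issuer changed
    "mail.example.com": make_record(b"der-mail-2025", ISSUER, ["mail.example.com"], date(2025, 12, 1)),  # new host
}

if __name__ == "__main__":
    for host, severity, reason in diff_scans(PREVIOUS, CURRENT):
        print(f"{severity:6} {host}: {reason}")
```

Running it lists the renewed shop host as informational, the changed issuer on the API host as high, the new mail host as informational and the vanished old host as medium; the unchanged www host produces no finding at all.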
CT-Log Intelligence
Watch Certificate Transparency logs for rogue, shadow-IT and unauthorized wildcard issuance on your domains.
Policy Compliance
Enforce minimum key size, allowed algorithms and approved CAs — in block, warn or audit mode.
Impact Analysis
Graph the blast radius — one click on a certificate shows every service that depends on it.
CSR Lifecycle
Generate the CSR, track handoff, validate the returned cert and auto-link it to its service.
Multi-Tier Escalation
Configurable day-before-expiry thresholds with deduplication, daily digests and tiered escalation of unacknowledged alerts.
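The threshold, deduplication and escalation logic this feature describes can be modelled in a few dozen lines. The following is an added example, not certwatch's own implementation: the default thresholds (30/14/7/1 days), the escalation schedule (0 h, 24 h, 72 h unacknowledged) and the channel per tier are all assumptions, and the certificates are constructed. The dedup key is (fingerprint, threshold), so an alert fires once per band and a renewed certificate, which carries a new fingerprint, closes the old alerts on its own.

```python
from datetime import datetime, timedelta

THRESHOLDS_DAYS = (30, 14, 7, 1)                                          # assumed defaults
ESCALATION_AFTER = (timedelta(0), timedelta(hours=24), timedelta(hours=72))  # tier 1, 2, 3
TIER_CHANNELS = {1: "email", 2: "slack", 3: "on-call pager"}             # assumed mapping


class Escalator:
    def __init__(self):
        self.open = {}   # (fingerprint, threshold_days) -> {"first_seen", "acked", "tier"}
        self.log = []    # every notification sent: (when, key, tier, channel)

    def acknowledge(self, key):
        if key in self.open:
            self.open[key]["acked"] = True

    def evaluate(self, now, certs):
        """certs: iterable of (fingerprint, not_after). Opens at most one alert per
        certificate per crossed band and escalates unacknowledged ones by age.
        Returns the notifications sent in this cycle."""
        sent, live = [], set()
        for fp, not_after in certs:
            live.add(fp)
            days_left = (not_after - now) // timedelta(days=1)
            crossed = [t for t in THRESHOLDS_DAYS if days_left <= t]
            if not crossed:
                continue
            key = (fp, min(crossed))          # tightest band wins; dedup on this key
            if key not in self.open:
                self.open[key] = {"first_seen": now, "acked": False, "tier": 0}
        for key, alert in list(self.open.items()):
            if key[0] not in live:
                del self.open[key]            # renewed cert => new fingerprint => old alert closes
                continue
            if alert["acked"]:
                continue
            age = now - alert["first_seen"]
            tier = sum(1 for a in ESCALATION_AFTER if age >= a)
            if tier > alert["tier"]:
                alert["tier"] = tier
                sent.append((key, tier, TIER_CHANNELS[tier]))
                self.log.append((now, key, tier, TIER_CHANNELS[tier]))
        return sent

    def digest(self):
        """Daily-digest style summary of everything still open."""
        return sorted((key, a["tier"], a["acked"]) for key, a in self.open.items())


if __name__ == "__main__":
    # Constructed walkthrough: one certificate ten days from expiry.
    t0 = datetime(2025, 1, 1, 9, 0)
    fleet = [("AA", t0 + timedelta(days=10))]
    esc = Escalator()
    print(esc.evaluate(t0, fleet))                         # opens the 14-day alert at tier 1
    print(esc.evaluate(t0 + timedelta(hours=1), fleet))    # deduplicated: nothing
    print(esc.evaluate(t0 + timedelta(hours=25), fleet))   # unacknowledged for a day: tier 2
    esc.acknowledge(("AA", 14))
    print(esc.evaluate(t0 + timedelta(hours=80), fleet))   # now inside the 7-day band: new alert
    print(esc.digest())
```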
Drift Detection
Compare certificate sets across prod, staging, dev and DR; surface every mismatch side by side.
Synthetic Monitoring
The Beacon engine runs HTTP, TCP and ICMP-ping checks against endpoints, with per-stage timings and live TLS telemetry.
Auto-Grouping
Cluster certificates into logical services by SAN overlap with union-find — your estate maps itself, no manual tagging.
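Union-find over SAN overlap is a compact algorithm, so here is one way to write it. This is an added example, not certwatch's code: the overlap rule (two certificates belong to one service when any SAN on one covers a SAN on the other, with single-label wildcard matching) and the sample certificates are assumptions. The wildcard handling is the edge case worth getting right: `*.example.net` covers `api.example.net` but neither `example.net` nor `deep.sub.example.net`.

```python
def covers(pattern: str, name: str) -> bool:
    """True when a SAN entry covers a hostname: exact match, or a single-label
    wildcard ('*.example.net' covers 'api.example.net', not 'a.b.example.net')."""
    pattern, name = pattern.lower(), name.lower()
    if pattern == name:
        return True
    if pattern.startswith("*."):
        p_labels, n_labels = pattern.split("."), name.split(".")
        return len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:]
    return False


class UnionFind:
    def __init__(self, n: int):
        self.parent = list(range(n))
        self.rank = [0] * n

    def find(self, x: int) -> int:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a: int, b: int) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return
        if self.rank[ra] < self.rank[rb]:
            ra, rb = rb, ra
        self.parent[rb] = ra
        if self.rank[ra] == self.rank[rb]:
            self.rank[ra] += 1


def group_by_san_overlap(certs: list) -> list:
    """certs: list of {'id': str, 'sans': [names]}. Returns frozensets of cert
    ids, one per inferred service, largest group first."""
    uf = UnionFind(len(certs))
    first_seen = {}   # exact SAN -> index of the first certificate carrying it
    for i, cert in enumerate(certs):
        for san in cert["sans"]:
            san = san.lower()
            if san in first_seen:
                uf.union(i, first_seen[san])
            else:
                first_seen[san] = i
    # second pass: each wildcard joins every concrete name it covers
    for i, cert in enumerate(certs):
        for san in cert["sans"]:
            if san.startswith("*."):
                for name, j in first_seen.items():
                    if covers(san, name):
                        uf.union(i, j)
    groups = {}
    for i, cert in enumerate(certs):
        groups.setdefault(uf.find(i), set()).add(cert["id"])
    return sorted((frozenset(g) for g in groups.values()),
                  key=lambda g: (-len(g), sorted(g)))


# Constructed sample estate.
SAMPLE_CERTS = [
    {"id": "c1", "sans": ["www.example.com", "example.com"]},
    {"id": "c2", "sans": ["example.com", "shop.example.com"]},
    {"id": "c3", "sans": ["*.example.net"]},
    {"id": "c4", "sans": ["api.example.net"]},
    {"id": "c5", "sans": ["intranet.corp.example"]},
    {"id": "c6", "sans": ["deep.sub.example.net"]},   # not covered by *.example.net
    {"id": "c7", "sans": ["*.example.com"]},          # joins c1 and c2 via www/shop
]

if __name__ == "__main__":
    for n, group in enumerate(group_by_san_overlap(SAMPLE_CERTS), 1):
        print(f"service {n}: {sorted(group)}")
```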
Distributed Scan Orchestration
An in-process worker pool drains a PostgreSQL work queue with FOR UPDATE SKIP LOCKED for exactly-once delivery; optional stateless agents scale out — no Redis, no software on targets.
From discovery to alert, one pipeline.
A producer/consumer loop over a PostgreSQL work queue, with Certificate-Transparency and synthetic-uptime loops running continuously alongside.
- 01
Discover
Add scan targets (host or CIDR) and watched domains; subdomains are enumerated from CT logs and passive sources.
- 02
Queue
The scheduler enqueues scan jobs into Postgres; workers claim them with FOR UPDATE SKIP LOCKED.
- 03
Scan
A live TLS handshake captures the full chain, negotiated version, cipher, ALPN and stapled OCSP.
- 04
Validate & score
Real X.509 trust plus OCSP/CRL revocation feed the composite 0–100 Pulse health score.
- 05
Diff
Sentinel compares fingerprints across scans and classifies unexpected swaps by severity.
- 06
Alert
Cascade deduplicates, escalates and fans out to email, Slack, Teams, Telegram and signed webhooks.
Real screens, real signal.
Everything below is the actual certwatch UI, captured live — not a mockup.
Every certificate, scored and sorted.
A live inventory across domains and subdomains — each certificate with its issuer, algorithm, expiry countdown and 0–100 health score, in table, horizon or heatmap views.
- Issuer, key algorithm and SAN coverage
- Expiry countdown and composite health score
- Table · horizon · heatmap views

See what breaks before it breaks.
A D3 dependency graph maps every certificate to the services that depend on it. Click a node to trace the blast radius of a single expiry or compromise.
- Certificate-to-service topology
- Impact and risk level per node
- Click any node to trace the blast radius

Protocol and cipher health at a glance.
Grade every reachable endpoint on TLS version, cipher strength, chain validity and OCSP stapling — rolled into one security grade, with AI-assisted remediation hints.
- TLS 1.3 adoption and cipher strength
- Chain validity and OCSP stapling
- Per-endpoint health and latency


Compliance you can hand to an auditor
PCI-DSS / ISO-27001 control mapping with PDF, email and scheduled delivery.

Catch shadow-IT certificates
Certificate Transparency monitoring flags unmanaged and rogue certs the moment they are logged.

A NOC wall for the big screen
A full-bleed posture view for the operations wall — health, expiries and live CT findings.
One number that tells you what to fix first.
Every certificate gets a composite 0–100 score, so a thousand-cert fleet sorts itself by risk. Five weighted inputs feed it: expiry, key strength, chain, OCSP and policy.
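A composite score like the one described here (and used by the Validate & score step of the pipeline) is easiest to understand as weighted sub-scores, so here is a worked version. It is an added example, not certwatch's Pulse scoring: the weights (35/20/20/10/15), the expiry curve, the key-size thresholds and the rule that a revoked certificate scores zero outright are all assumptions, as is the sample fleet.

```python
WEIGHTS = {"expiry": 35, "key": 20, "chain": 20, "ocsp": 10, "policy": 15}  # assumed; sums to 100
EXPIRY_CURVE = [(0, 0.0), (7, 0.2), (30, 0.6), (90, 1.0)]                    # (days left, sub-score), assumed


def expiry_score(days_left: int) -> float:
    """Piecewise-linear: expired or expiring today is 0, 90+ days out is 1."""
    if days_left <= 0:
        return 0.0
    if days_left >= EXPIRY_CURVE[-1][0]:
        return 1.0
    for (d0, s0), (d1, s1) in zip(EXPIRY_CURVE, EXPIRY_CURVE[1:]):
        if d0 <= days_left <= d1:
            return s0 + (s1 - s0) * (days_left - d0) / (d1 - d0)
    return 1.0


def key_score(algorithm: str, bits: int) -> float:
    """Assumed thresholds: RSA >= 3072 or EC >= 256 full marks, RSA 2048 a bit
    below, anything weaker zero."""
    algorithm = algorithm.upper()
    if algorithm == "RSA":
        return 1.0 if bits >= 3072 else 0.8 if bits >= 2048 else 0.0
    if algorithm in ("EC", "ECDSA", "ED25519"):
        return 1.0 if bits >= 256 else 0.0
    return 0.0


def health_score(cert: dict) -> int:
    """cert fields: days_left, key_alg, key_bits, chain_valid,
    ocsp ('good' | 'unknown' | 'revoked'), policy ('pass' | 'warn' | 'fail')."""
    if cert["ocsp"] == "revoked":
        return 0   # a revoked certificate is unusable whatever else looks fine
    subs = {
        "expiry": expiry_score(cert["days_left"]),
        "key":    key_score(cert["key_alg"], cert["key_bits"]),
        "chain":  1.0 if cert["chain_valid"] else 0.0,
        "ocsp":   {"good": 1.0, "unknown": 0.5}.get(cert["ocsp"], 0.0),
        "policy": {"pass": 1.0, "warn": 0.5, "fail": 0.0}[cert["policy"]],
    }
    return round(sum(WEIGHTS[k] * subs[k] for k in WEIGHTS))


def rank_by_risk(certs: list) -> list:
    """Lowest score first: the top of the list is what to fix first."""
    return sorted(certs, key=lambda c: (health_score(c), c["id"]))


# Constructed sample fleet.
HEALTHY = dict(id="a", days_left=200, key_alg="RSA", key_bits=3072,
               chain_valid=True, ocsp="good", policy="pass")
FLEET = [
    HEALTHY,
    {**HEALTHY, "id": "b", "days_left": 20, "key_bits": 2048, "policy": "warn"},
    {**HEALTHY, "id": "c", "days_left": -1},
    {**HEALTHY, "id": "d", "ocsp": "revoked"},
    {**HEALTHY, "id": "e", "days_left": 50, "key_alg": "EC", "key_bits": 256,
     "ocsp": "unknown", "policy": "fail"},
]

if __name__ == "__main__":
    for cert in rank_by_risk(FLEET):
        print(f"{health_score(cert):3}  {cert['id']}")
```

The ordering is the useful part: the revoked certificate (0) and the expired one (65) surface ahead of the merely untidy ones, which is what a fleet-wide sort by score is meant to achieve.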
Nothing leaves your network.
The scanner reaches your servers over TCP — no software to install on targets, no external SaaS in the path. Inventory, scores and audit trail live entirely on your infrastructure.
No agents
Scan over TCP from a worker pool. Targets stay untouched.
Air-gap friendly
No outbound SaaS dependency. Runs fully offline.
Compliance-ready
PCI-DSS and ISO 27001 certificate-control mapping built in.
Auth & multi-tenant
Local, LDAP and OIDC SSO; RBAC, API tokens, audit log, multi-org.
From clone to dashboard in 10 minutes.
Requirements: Docker and Docker Compose. The API runs migrations on boot — no manual SQL.
- 1
Clone and configure
Copy .env.example to .env, then set a 32-byte JWT_SECRET and DB_PASSWORD.
- 2
Bring it up
docker compose up -d — Postgres, API, web and nginx start together; scanning runs in-process.
- 3
Create your org
Open https://localhost:8443; the setup wizard creates the first organization and admin.

# clone
git clone https://github.com/up99/certwatch.git
cd certwatch
cp .env.example .env
# strong secret (API won’t boot under 32 bytes)
JWT_SECRET=$(openssl rand -hex 32)
# launch
docker compose up -d
✓ postgres ready
✓ api migrations · scanning in-process
✓ web https://localhost:8443 → /setup
Replace the spreadsheet. Watch every cert.
Open source, Apache-2.0, self-hosted. Your certificates, your servers, $0.