Introduction to Cert Spotter
Cert Spotter is a comprehensive monitoring tool for SSL certificates. You provide Cert Spotter a list of your domains, and Cert Spotter alerts you about potential availability or security problems with your SSL certificates.
Cert Spotter can do the following:
- Automatically find your sub-domains
- Detect certificates that are expiring soon
- Detect certificates that are not installed correctly
- Detect certificates that might be unauthorized
Cert Spotter notifies you about potential problems via email, Slack, or webhook. It also provides a console where you can see everything in one place.
Your Cert Spotter Console
To access your Cert Spotter console visit https://sslmate.com/console/monitoring.
The Cert Spotter console is divided into the following pages:
- Monitored Endpoints - lists your endpoints with basic information like certificate expiration.
- Endpoints with Expiring Certs - lists your endpoints which have expiring certificates.
- Endpoints with Install Errors - lists your endpoints whose certificates are not installed correctly.
- Email Domains - lists your domains which can be used for receiving email, and the status of their MTA-STS policies.
- Discovered Certificates - lists all of the active certificates for your domains.
- Unknown Certificates - lists certificates for your domains which are not confirmed as being legitimate.
- Settings - configure your monitored domain list, authorized certificate authority list, notifications, and other settings.
Each page can be accessed using the links at the top of the Cert Spotter console. You may need to scroll to the right if not all of the links fit on your screen.
Endpoints
An endpoint is a host name, such as example.com or www.example.com, which has an SSL certificate. Your endpoint list contains the following columns:
- Endpoint Name - the full host name of the endpoint. Click to view details about the endpoint.
- Issuer - the name of the certificate authority which issued the endpoint's certificate. Cert Spotter consults the Common CA Database to determine the true issuer of the certificate, which is more accurate than the certificate's Issuer field.
- Expiration - the expiration date of the endpoint's certificate.
- Installation - If "Healthy", then Cert Spotter verified that the certificate is correctly installed. If "Bad", then Cert Spotter detected a problem with the certificate's installation, and you can click for details. If "Unknown", then Cert Spotter was unable to check the certificate's installation, and you can click for details.
When an endpoint is publicly accessible (on port 443 by default), the Issuer, Expiration, and Installation columns reflect information determined by contacting the endpoint.
When Cert Spotter can't contact an endpoint, the Issuer and Expiration columns are determined by searching Certificate Transparency logs for the endpoint's certificate. When an endpoint has more than one certificate, Cert Spotter uses the one with the latest expiration date. The Installation column is always "Unknown" when Cert Spotter can't contact an endpoint.
Discovered Certificates
Your Discovered Certificates page lists the unexpired SSL certificates for your domains. Cert Spotter builds this list by searching public Certificate Transparency logs. The list contains the following columns:
- ID - an ID that uniquely identifies the certificate. Click to view details about the certificate.
- Issuer - the name of the certificate authority which issued the certificate. Cert Spotter consults the Common CA Database to determine the true issuer of the certificate, which is more accurate than the certificate's Issuer field.
- Domains - the domains certified by the certificate, taken from Subject Alternative Name (SAN) and Common Name (CN) fields.
- Recognition - "Known" or "Unknown" as described below.
- Expiration - the expiration date of the certificate. If the certificate has been or will be revoked, the expiration date is crossed out and replaced with the revocation date.
Certificate Recognition
Cert Spotter considers a certificate known if at least one of the following is true:
- The certificate was issued by one of your authorized certificate authorities (as configured on your Settings page).
- The certificate's public key has been authorized by clicking the appropriate button on the certificate's details page, or through the API.
- The certificate has been manually acknowledged by clicking the button on the certificate's details page.
- (Only if enabled on your Settings page) The certificate complies with the relevant CAA record set.
You can leverage this feature to distinguish between certificates that are issued through your authorized channels and certificates that might be evidence of shadow IT or cyberattacks. Cert Spotter does not notify you about known certificates, reducing alert fatigue from routine renewals of legitimate certificates.
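The four rules above, worked through as an added example that is not Cert Spotter's own code. The record layout, the settings object, the certificates and the CAA zone data are all constructed for illustration, and DNS is replaced by an in-memory dict; the CAA part follows RFC 8659 (climb from the name toward the root, first non-empty CAA RRset is the relevant one, issuewild takes precedence for wildcard names). Requiring every name on a certificate to comply is my assumption about rule 4.

```python
"""Certificate recognition with a CAA check, modelled on the four rules above.

Added example, not Cert Spotter's own code. Record layout, settings object,
certificates and CAA zone are assumptions made for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Certificate:
    cert_id: str            # assumed: the ID shown in Discovered Certificates
    issuer_ca: str          # assumed: the CA's CAA identifier, e.g. "letsencrypt.org"
    spki_sha256: str        # assumed: hex SHA-256 of the SubjectPublicKeyInfo
    domains: list[str]      # SAN dNSNames (plus CN, if present)


@dataclass
class Settings:
    authorized_cas: set[str] = field(default_factory=set)
    authorized_keys: set[str] = field(default_factory=set)   # lowercase hex
    acknowledged_ids: set[str] = field(default_factory=set)
    caa_recognition: bool = False
    # Constructed stand-in for DNS: owner name -> [(tag, value), ...]
    caa_zone: dict[str, list[tuple[str, str]]] = field(default_factory=dict)


def relevant_caa_rrset(name: str, zone: dict) -> list[tuple[str, str]]:
    """RFC 8659 section 3: strip a leading wildcard label, then climb toward
    the root; the first non-empty CAA RRset on the way is the relevant one."""
    labels = name.strip().lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def caa_permits(name: str, issuer_ca: str, zone: dict) -> bool:
    """RFC 8659 section 4: for a wildcard name, issuewild records apply when
    present, otherwise issue records do. No restricting property in the
    relevant RRset means any CA may issue; 'issue ";"' names no CA at all."""
    rrset = relevant_caa_rrset(name, zone)
    tag = "issue"
    if name.startswith("*.") and any(t == "issuewild" for t, _ in rrset):
        tag = "issuewild"
    restricting = [v for t, v in rrset if t == tag]
    if not restricting:
        return True
    allowed = {v.split(";", 1)[0].strip().lower() for v in restricting}
    return issuer_ca.lower() in allowed


def recognition(cert: Certificate, settings: Settings) -> str:
    """Return "Known" if any of the four rules holds, otherwise "Unknown"."""
    if cert.issuer_ca.lower() in {c.lower() for c in settings.authorized_cas}:
        return "Known"                       # rule 1: authorized CA
    if cert.spki_sha256.lower() in settings.authorized_keys:
        return "Known"                       # rule 2: authorized public key
    if cert.cert_id in settings.acknowledged_ids:
        return "Known"                       # rule 3: manually acknowledged
    # rule 4 (opt-in); assumed here to require every name on the cert to comply
    if settings.caa_recognition and all(
        caa_permits(d, cert.issuer_ca, settings.caa_zone) for d in cert.domains
    ):
        return "Known"
    return "Unknown"


# Constructed CAA data: example.com allows Let's Encrypt but forbids wildcards;
# legacy.example.com overrides its parent and allows only DigiCert;
# example.net publishes no CAA records at all.
ZONE = {
    "example.com": [("issue", "letsencrypt.org"), ("issuewild", ";"),
                    ("iodef", "mailto:security@example.com")],
    "legacy.example.com": [("issue", "digicert.com")],
}

SETTINGS = Settings(authorized_cas={"digicert.com"}, acknowledged_ids={"cert-0005"},
                    caa_recognition=True, caa_zone=ZONE)

# Constructed certificates (IDs and key hashes are placeholders).
CERTS = {
    "cert-0001": Certificate("cert-0001", "digicert.com", "aa" * 32, ["www.example.com"]),
    "cert-0002": Certificate("cert-0002", "letsencrypt.org", "bb" * 32, ["www.example.com"]),
    "cert-0003": Certificate("cert-0003", "letsencrypt.org", "cc" * 32, ["*.example.com"]),
    "cert-0004": Certificate("cert-0004", "letsencrypt.org", "dd" * 32, ["legacy.example.com"]),
    "cert-0005": Certificate("cert-0005", "sectigo.com", "ee" * 32, ["www.example.com"]),
    "cert-0006": Certificate("cert-0006", "sectigo.com", "ff" * 32, ["api.example.net"]),
}

if __name__ == "__main__":
    for cid, cert in CERTS.items():
        print(cid, cert.issuer_ca, cert.domains, recognition(cert, SETTINGS))
```

Two of the outcomes are worth dwelling on. cert-0004 is Unknown even though example.com permits Let's Encrypt, because the relevant RRset for legacy.example.com is the one published at that name, not the parent's. cert-0006 is Known only because example.net publishes no CAA records, so under RFC 8659 any CA may issue; in this implementation the CAA rule adds nothing for a domain that has no CAA records, so publish them for every monitored domain before relying on that rule.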
Notifications
Cert Spotter sends the following notifications:
- An unknown certificate has been issued.
- A daily summary of endpoints whose certificates are expiring soon.
- An endpoint's certificate is not installed correctly.
- An endpoint's certificate installation has been fixed.
- Cert Spotter has been unable to monitor an endpoint's certificate installation for several days.
Notifications are delivered to your account's email address by default. If your plan supports it, you can also route notifications to other email addresses, a Slack channel, or a webhook.
Settings
Use your Settings page to configure:
- The list of domain names to monitor. You do not need to configure sub-domains; Cert Spotter will find them automatically.
- The list of sub-domains to exclude from monitoring. You may wish to exclude sub-domains that are hosted by third parties so you don't receive notifications about problems that aren't your responsibility.
- The list of authorized certificate authorities (see Certificate Recognition above).
- The email addresses, Slack channels, and webhooks to use for notifications.
- The number of days before expiration to begin warning about expiring certificates.
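How a monitored-domain list and a sub-domain exclusion list combine to decide which discovered names are in scope, as an added example that is not Cert Spotter's own code. The lists and the batch of discovered names are constructed; the rule that an excluded sub-domain also excludes everything beneath it is my assumption about how such a list would reasonably behave.

```python
"""Scoping discovered host names against monitored and excluded lists.

Added example, not Cert Spotter's own code. The lists are constructed, and
the rule that an exclusion covers everything beneath it is an assumption.
"""


def _labels(name: str) -> list[str]:
    """Normalise: case-insensitive, trailing dot dropped, split into labels."""
    name = name.strip().lower().rstrip(".")
    return name.split(".") if name else []


def is_under(name: str, domain: str) -> bool:
    """True if name equals domain or lies beneath it. Matching is done on whole
    labels, so 'notexample.com' is never mistaken for part of 'example.com'."""
    n, d = _labels(name), _labels(domain)
    return bool(d) and len(n) >= len(d) and n[len(n) - len(d):] == d


def in_scope(name: str, monitored: list[str], excluded: list[str]) -> bool:
    """A wildcard name '*.x.example.com' is judged by the name it covers."""
    base = name[2:] if name.startswith("*.") else name
    if not any(is_under(base, m) for m in monitored):
        return False
    return not any(is_under(base, x) for x in excluded)


def filter_discovered(names, monitored, excluded):
    return [n for n in names if in_scope(n, monitored, excluded)]


# Constructed settings and a constructed batch of names found in CT logs.
MONITORED = ["example.com", "example.net"]
EXCLUDED = ["shop.example.com"]          # e.g. hosted by a third-party storefront
DISCOVERED = [
    "www.example.com", "EXAMPLE.COM.", "shop.example.com", "cdn.shop.example.com",
    "notexample.com", "*.example.net", "mail.example.org",
]

if __name__ == "__main__":
    print(filter_discovered(DISCOVERED, MONITORED, EXCLUDED))
```

The label-boundary test is the part that matters: a plain `endswith("example.com")` check would pull notexample.com into scope, and an exclusion that only matched the exact name would still page you about cdn.shop.example.com, which the third-party host controls.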
It is also possible to configure certain settings on a per-domain basis by clicking the "Settings" link next to the domain in your Monitored Domains list. The following settings can be configured:
- Authorized certificate authorities.
- The number of days before expiration to begin warning about expiring certificates.
- The port numbers to contact when checking for certificate installation.