Log in Book demo Start free trial
 The platform

Stop certificate expiry
before it stops you

CertControl monitors all your TLS certificates, analyzes security configurations, and maps your attack surface — so operations and security teams know what to act on before something goes down.

Start free trial Book a demo

Cancel within 14 days and pay nothing  ·  Dedicated instance  ·  EU hosted

app.certcontrol.pro — Control Center
CertControl control center — security score, exposure and operational metrics
What's included

One system — not five half-solutions

Certificate monitoring, TLS analysis, attack surface visibility, automated renewal, and executive reporting are built in from day one — not bolted on afterwards.

🔐

Certificate visibility from issuance to expiry

Track every certificate: expiry date, chain health, OCSP revocation, SAN validation, and risk score — across production, test, and all other environments.

TLS security analysis and header checks

Detect weak protocols like TLS 1.0/1.1, deprecated cipher suites, and missing security headers such as HSTS and CSP. Each endpoint receives an A+ to F grade — so you know exactly what needs fixing.

🎯

Attack paths made visible

See concretely how known vulnerabilities, shadow assets, and open ports can be chained to reach critical systems. The 50 most dangerous paths are ranked with evidence — ready to act on.

📊

Reports for leadership and auditors

Four report types — Executive Summary, Operational Risk, Expiry Forecast, and Change/Drift Detection — downloadable as PDF and ready for the board or the next audit.

🤖

Certificate requests via ACME

CertControl requests certificates via ACME — HTTP-01 and DNS-01 challenges are handled automatically. Private keys are stored encrypted with AES-256-GCM. The issued certificate is installed manually on your server as a simple final step.

🛰️

Agent for internal networks

A lightweight Docker agent scans your internal network behind the firewall and sends only metadata outbound via HTTPS. No inbound ports, no VPN, no remote execution.

Platform in action

See what the platform actually shows

From ongoing certificate monitoring to executive reports that hold up in an audit.

app.certcontrol.pro — Operations Dashboard
Control Center
Unified command view — security score, exposure risk, attack surface, and operational health in one screen.
Attack Graph Exploration
Interactive attack graph — visualize how CVEs, shadow assets, and services connect into real attack paths with risk scoring.
External Scanner
External scanner — discover subdomains, resolved hosts, open ports, and TLS certificates across your internet-facing surface.
Scanner Fleet
Scanner fleet management — monitor internal, external, and discovery scanners across your entire network in real time.
Executive Summary
Executive Summary — grade distribution, 30-day trend, and finding impact score. Print to PDF for board and audit reporting.
Operations Dashboard
Operations Dashboard — 12-month certificate expiry forecast with urgency colour coding and per-month drill-down.
Why CertControl

Designed for you — not retrofitted for you

Enterprise capabilities without the enterprise price. Your data stays isolated, the architecture is modern, and you only pay for what you use.

🏗️

Your data — fully isolated from everyone else

Every customer runs in their own Docker environment with a separate database and network. No shared resources, no risk of your data ending up in the same container as someone else's.

Dedicated Docker instance Separate database Full data sovereignty EU hosted — included on all plans
🇪🇺

Danish company, European infrastructure

CertControl is operated by a Danish company with all infrastructure located in the EU. A data processing agreement is included on all paid plans — no separate negotiation required.

Data never leaves Europe GDPR-compliant processing Standard DPA included Built by Danish security engineers
⚙️

Direct access — no sales layer in between

If you need a specific feature, you talk directly to the people who build the platform. No six-month roadmap, no middlemen — and new features ship continuously.

Direct access to the engineering team Configured to your environment Modern stack — not legacy software New features every sprint
Security by design

We build the way we advise

A certificate management system should lead by example. Security is not added as a layer on top — it is the foundation the platform is built on.

AES-256-GCM
Passwords and keys encrypted at rest
Passwords BCrypt-hashed. API keys and ACME private keys AES-256-GCM encrypted. Reset tokens SHA-256 hashed. Nothing stored in plaintext.
Zero inbound
The agent calls out — never in
The on-premise agent communicates exclusively outbound via HTTPS. No inbound ports are opened, and there is no remote execution capability — neither planned nor possible.
CSRF + XSS
Application security from the ground up
CSRF tokens on all state-changing requests. Output consistently escaped to prevent XSS. Content-Security-Policy enforced in the browser.
TOTP 2FA
MFA and brute-force lockout
TOTP-based 2FA with backup codes. Five failed login attempts locks the account for 15 minutes. Constant-time comparisons prevent timing attacks.
Immutable
Full audit log — always
Every admin action, login, and configuration change logged with timestamp, user, and IP address. The log cannot be deleted or altered after the fact.
app.certcontrol.pro — Path Explorer
Attack path exploration view
On-premise agent

Internal networks — without opening a single port

Cloud-based monitoring tools cannot see internal certificates. The CertControl agent runs behind your firewall, scans locally, and sends only metadata outbound via encrypted HTTPS.

Outbound traffic only

The agent opens no ports and requires no VPN. All communication is outbound HTTPS — nothing else.

Internal names stay internal

Internal hostnames are automatically replaced with [masked] before data leaves the network. Your internal infrastructure is not visible from outside.

Lightweight Docker image

Approx. 200 MB, Alpine-based, runs as non-root. No database, no configuration beyond a token — runs anywhere Docker runs.

Never loses scan data

If the connection to the cloud drops, scan results are stored locally and sent automatically once the connection is restored.

How the agent works

🏢

Your internal network

TLS scan · OCSP check · HTTP headers · Service fingerprint · Hostname redaction

↓  Outbound HTTPS · HMAC-SHA256 signed · mTLS optional
☁️

CertControl Cloud

Unified dashboard · Security scoring · Expiry alerts · Push config to agents

app.certcontrol.pro — Scanner Fleet
Scanner Fleet
Scanner fleet management — monitor internal, external, and discovery scanners across your entire network in real time.
The team

Built by people who have been on call

CertControl is built by engineers who know what it means to be the person responsible when an expired certificate takes down the login flow — and the board wants to know how it happened. That experience is what the platform is built from.

Identity & Access Management

We know OIDC, SAML, and OAuth2 from the inside — and exactly what happens to an authentication flow when the certificate behind it expires without warning.

Kubernetes & Cloud Platforms

Container orchestration and cloud-native deployments are where certificate complexity compounds fastest — we built CertControl with that scale in mind.

Reverse Proxies & Edge Security

We have worked with F5, ISVA, and similar systems — and know that it is at the reverse proxy where misconfigured certificates typically cause the most damage.

Enterprise Operations & Compliance

We know audit and governance requirements from day-to-day work in enterprise environments. CertControl is built to meet them from the start — not retrofitted afterwards.

NIS2 Compliance

Document NIS2 compliance without extra systems

NIS2 Article 21 requires technical security measures, an asset inventory, and the ability to report incidents quickly. CertControl provides the register, the monitoring, and the documentation — ready for supervisory authorities.

Art. 21
Mapped to Article 21(2)(h)
Certificate and TLS controls mapped directly to NIS2 Article 21(2)(h) — covering policies on acquisition, development, and maintenance of network and information systems.
24 / 72h
Ready for 24-hour incident reporting
All certificate events, alerts, and changes are continuously logged. If an expired certificate caused an outage, you can document it within minutes — not hours.
Audit
Reports ready for audit
Executive Summary and Operational Risk reports provide the documentation supervisory authorities and external auditors expect — downloadable as PDF in one click.
Register
Asset inventory without extra tooling
Every certificate, endpoint, and TLS configuration is automatically tracked in a searchable register. The asset inventory requirement is met — without purchasing yet another system.
See full NIS2 coverage →
app.certcontrol.pro — NIS2 Compliance Report
NIS2 compliance report in CertControl
Get started

See what CertControl can do for you

Try the platform for 14 days with full access. Cancel before the deadline and pay nothing. Or book a demo and we will walk you through everything.

Start free trial Book a demo