You don't know what you're not monitoring — and that's the problem
CertControl continuously scans all your TLS and SSL certificates — internet-facing and internal. Expiry, weak configurations, and chain errors are caught before they reach production. Not once. All the time.
Expiry dates are just the beginning
Most teams know when a certificate expires. Fewer know whether the chain is complete, whether OCSP validation works, or whether the server still offers TLS 1.0 to anyone who asks. CertControl covers the full picture — automatically, on every scan.
Expiry and renewal window
CertControl tracks all certificate expiry and alerts at the thresholds you define. With 47-day certificates becoming mandatory in 2029, automated tracking is no longer a nice-to-have — it is critical infrastructure.
Certificate chain and OCSP
We validate the chain from leaf certificate to root and check OCSP status continuously. A revoked certificate is detected by CertControl before browsers and API clients start rejecting it.
TLS protocol and cipher suites
CertControl detects deprecated TLS 1.0/1.1 and weak cipher suites and assigns each endpoint a grade from A+ to F. The same information as a manual SSL Labs test — but automated and updated on every scan.
SAN validation and domain coverage
We verify that a certificate's Subject Alternative Names actually cover the domains they are meant to protect — including wildcard expansion and gaps that emerge as infrastructure changes.
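A SAN coverage check of the kind described above, as an added example (not CertControl's own code). The function names, the strict wildcard policy, and the sample certificate and inventory are assumptions constructed for illustration.

```python
# Added example (not CertControl code): SAN coverage check over constructed data.

def dns_sans(peercert):
    """Extract dNSName entries from a dict shaped like ssl.getpeercert() output."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]

def _labels(name):
    return name.rstrip(".").lower().split(".")

def san_matches(san, host):
    """True if one SAN entry covers host.

    Strict policy (an assumption of this example): a wildcard counts only as
    the whole leftmost label, stands for exactly one label, and needs at
    least two labels after it, so "*.com" never matches.
    """
    s, h = _labels(san), _labels(host)
    if len(s) != len(h):
        return False  # "*.example.com" covers neither the apex nor a.b.example.com
    if s[0] == "*":
        return len(s) >= 3 and s[1:] == h[1:]
    return s == h

def coverage_report(sans, required_hosts):
    """Return (covered host -> SAN, uncovered hosts, SANs protecting nothing listed)."""
    covered, gaps = {}, []
    for host in required_hosts:
        match = next((s for s in sans if san_matches(s, host)), None)
        if match is None:
            gaps.append(host)
        else:
            covered[host] = match
    unused = [s for s in sans if s not in covered.values()]
    return covered, gaps, unused

# Constructed sample: certificate SANs and the hostnames an inventory expects.
SAMPLE_CERT = {"subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"),
                                  ("DNS", "legacy.example.net"),
                                  ("IP Address", "192.0.2.10"))}
INVENTORY = ["example.com", "www.example.com", "api.internal.example.com",
             "shop.example.org"]

if __name__ == "__main__":
    covered, gaps, unused = coverage_report(dns_sans(SAMPLE_CERT), INVENTORY)
    print("covered:", covered)
    print("gaps:", gaps)
    print("unused SANs:", unused)
```

The gaps list is where infrastructure drift shows up: a host added under a deeper subdomain is not covered by a wildcard one level up, even though the certificate itself is valid.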
Certificate Transparency logs
CertControl monitors CT logs and catches certificates issued to your domains that you were not aware of. This is the first line of defence for detecting unauthorised issuances and shadow IT.
Internal networks via on-premise agent
The CertControl agent scans internal endpoints behind your firewall and sends results securely to the platform. No exceptions for internal systems — AD, mail, CI/CD, and internal API traffic are monitored on the same terms as internet-facing infrastructure.
The certificates that surprise you most are the ones nobody knew about
Internet-facing certificates are visible. Internal certificates — on AD, intranets, mail servers, CI/CD pipelines, and internal API communication — are the ones that most often cause outages, because they are on nobody's radar. CertControl scans both sides from the same platform.
Internet-facing scanning
- CertControl scans directly from the platform — no installation required
- Full TLS protocol analysis and grading per endpoint
- HTTP security headers: HSTS, CSP, X-Frame-Options
- Automatic subdomain discovery via CT logs
- Supplier certificates on your domains are monitored too
Internal network scanning (agent)
- On-premise agent installed in your network in minutes
- Outbound connections only — no inbound ports opened
- Works behind firewalls, proxies, and NAT without exceptions
- Same certificate data and grading as internet-facing scanning
- Unified view of all endpoints in one platform
An alert in a shared inbox is the same as no alert
CertControl sends to the right people, on the channels they actually use, with enough context to act without digging through dashboards. Escalation happens automatically if no one acknowledges the alert.
Thresholds you configure
Choose when alerts fire — 60, 30, 14, 7, or 1 day before expiry. Critical systems can have tighter thresholds. You configure per endpoint group, not globally.
Email and webhooks
Alerts go to named recipients by email and via webhooks to Slack, Microsoft Teams, PagerDuty, or any system that accepts HTTP POST. Certificate expiry surfaces in the channel your team already uses.
Automatic escalation
Set up backup recipients that activate if no one responds to an alert. Critical certificates never depend on one person who is on leave or out sick.
Frequently asked questions
What is TLS certificate monitoring?
TLS certificate monitoring is continuous automated scanning of your endpoints to detect certificate expiry, weak cipher suites, incomplete chains, and other TLS issues — before they cause outages or security gaps. Expiry is only one of many parameters: a misconfigured cipher suite or a missing intermediate certificate can bring services down even when the certificate is valid.
What is the difference between TLS and SSL monitoring?
SSL is the predecessor to TLS and is no longer in use. All modern certificates are in practice TLS certificates. The terms are used interchangeably, and TLS/SSL certificate monitoring covers both — it refers to monitoring the certificates that secure HTTPS connections and encrypted communication.
Can CertControl monitor internal systems behind a firewall?
Yes. The CertControl agent is installed in your network and scans internal endpoints — AD servers, mail, intranets, and internal API communication. The agent only makes outbound connections to the CertControl platform. No inbound ports are opened, and it works behind firewalls and NAT.
When does CertControl send alerts?
You set the thresholds yourself — typically 60, 30, 14, 7, and 1 day before expiry. CertControl sends alerts via email to named recipients and via webhooks to Slack, Teams, and other systems. You can set separate thresholds for critical systems.
Does CertControl support ACME certificate requests?
Yes. CertControl integrates with the ACME protocol and automatically requests certificates via Let's Encrypt and other ACME-compatible CAs — HTTP-01 and DNS-01 challenges are handled automatically, and private keys are stored encrypted with AES-256-GCM. The issued certificate is installed manually on your server. From 2029, the maximum certificate lifetime drops to 47 days — ACME integration is the only scalable solution.