CertAlert is a .NET console application for managing SSL certificates. It scans your networks based on input IP ranges (or hostnames) and port ranges, and generates detailed CSV and summary PDF reports on the certificates it finds. Detected issues, such as expired, expiring, self-signed, md5, and short key certificates, are highlighted.
In addition to displaying progress in a PowerShell command window, CertAlert can send alerts and reports via email to multiple recipients. It can be run manually from the command window or scheduled to run periodically using the Windows Scheduler.
CertAlert offers the following benefits:
CertAlert offers many features including:
Each time CertAlert runs, it creates two reports: a CSV and PDF formatted report. The PDF report identifies specific certificate issues such as self-signed certificates, short key certificates, certificates using the MD5 algorithm etc. The CSV report contains detailed information about all the certificates found. An example CSV report showing just some of the the fields that can be included is shown below.
The table below provides a description of each of the fields that you can configure to be included in a CSV report.
|Hostname||A hostname or IP address indicating the target host|
|Port||The TCP port used to communicate with the remote server|
|Common Name||The Common Name (CN) of the server's certificate. This normally matches the fully qualified domain name of the server CertAlert connected to to get the certificate.|
|Issuer Org.||The organisation part of the issuer's distinguished name|
|Issuer||A distinguished name defining the entity that issued the certificate|
|Subject||A Distinguished Name defining the entity associated with the certificate|
|Signature Algorithm||The algorithm used to sign the certificate Lets you identify the presence of insecure algorithms, such as MD5|
|Key Size||The RSA key size (bits)|
|Serial Number||The certificate's serial number|
|SelfSigned||Indicates if the certificate is a self-signed certificate|
|Verified||Indicates if the certificate was verified inline with rfc5280|
|SANS||The certificate's DNS subject alternative names|
|NotBefore||The date the certificate becomes valid.|
|NotAfter||The date after which the certificate is no longer valid.|
|Days||The number of complete days before the certificate expires|
|ExpiryStatus||One of the following: OK, EXPIRING, EXPIRED, ERROR|
|Certificate||The complete certificate (PEM Formatted)|
|ErrorInfo||This field contains information about errors that occurred when getting or validating the certificate.|
The screenshot below shows the CertAlert output when run from the console. CertAlert can also be easily automated or scripted. See our Getting Started page for information about downloading and running CertAlert for the first time.
Like a passport or driving licence, an SSL certificate has a validity period. When a CA issues a certificate, it includes an expiration date. The certificate's expiration date is normally one or two years from the date of issue. To ensure that a certificate remains valid, it must be renewed with a CA prior to its expiration date. When an organisation has many certificates with different expiration dates issued from multiple CAs the task of managing them can become arduous and error-prone. CertAlert can reduce the risk of a certificate being left to expire by periodically querying your servers and alerting you in good time when certificates need renewing.
Using an IP range or text file of hostnames, CertAlert will report the expiration status of each certificate it finds. It provides detailed CSV reports of the certificate information collected; the report format is suitable for importing into other applications such as a spreadsheet or database. While running, CertAlert can write certificate details to a DOS command window to provide feedback on its progress. In addition, alerts and a summary report can be emailed by CertAlert to one or more recipients. CertAlert can be run manually from a DOS command window or called periodically by the Windows Task Scheduler.
For more information also see the CertAlert FAQ