Getting Started
Welcome to CertShield
A quick tour of what CertShield does and how to get value from it in the first five minutes.
CertShield watches the SSL/TLS certificates on your domains so you never get paged at 2am by an expired cert. You add a domain, we find every certificate that’s ever been issued for it, check the live endpoints serving them, and alert you before anything breaks.
What CertShield monitors
- Domains you own — you add example.com and we take it from there.
- Every certificate ever issued for those domains — including ones on subdomains you may not know about, discovered from public Certificate Transparency logs.
- Live endpoints — the actual servers and load balancers serving those certificates over the public internet.
- Unauthorized certificates — if a certificate is issued by a Certificate Authority you haven’t approved, you hear about it.
What you’ll want to set up first
- Add your first domain. Everything flows from here.
- Review the certificates we discover. CertShield pulls a history from Certificate Transparency logs so you get an inventory on day one.
- Configure alerts. Tell us where to reach you — email, Slack, or both.
- Invite your team (optional) so you’re not the only one getting paged.
The Adding your first domain article walks through step 1 in detail.
The three things to understand
Most of CertShield revolves around three concepts:
- Domains are what you own (example.com, api.example.com).
- Certificates are the cryptographic identities issued to those domains.
- Endpoints are the live servers actually serving those certificates to the public internet.
A single domain can have many certificates over its lifetime, and many endpoints serving different ones at the same time. CertShield keeps them all in sync for you.