Endpoints
What an endpoint is, how CertShield checks it, and how to interpret its health status.
An endpoint is a live server that CertShield has actually connected to over TLS. If a domain is “the thing you own,” an endpoint is “the thing that answers the phone when a browser calls.” Understanding the distinction makes the rest of the app click.
How endpoints get created
You don’t create endpoints by hand. CertShield discovers them automatically the first time it successfully completes a TLS handshake to a hostname it knows about (from a domain you added or from a certificate it found in the CT logs).
Once discovered, the endpoint is re-checked on your plan’s schedule.
The health statuses
Every endpoint has one of these states, in roughly this order of severity:
- Healthy — certificate is valid, chain is trusted, more than 30 days to expiry, no known issues. This is what you want.
- Expiring — still valid today, but the countdown clock is on. CertShield alerts at 30, 14, 7, and 1 days by default (configurable).
- Unauthorized issuer — the certificate was issued by a Certificate Authority that isn’t on your allow-list for this domain. Investigate. See Unauthorized issuer alerts.
- Install error — CertShield reached the server, but the certificate installation is broken. Usually a bad chain, wrong hostname, or expired intermediate.
- Expired — the certificate is past its “not after” date. Browsers are rejecting this connection right now.
- Revoked — the Certificate Authority has explicitly revoked this certificate. Fix immediately. See Revoked certificates.
- Unreachable — CertShield could not open a TCP connection to the endpoint. Usually a firewall change, a DNS change, or the server is down.
- Pending — we’ve queued a check but haven’t completed it yet.
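To cross-check a status from your own machine, the sketch below probes a host and maps the result onto the status names above. It is an added example, not CertShield's code: the function names, the constructed sample certificate, and matching the allow-list on the issuer's organizationName are assumptions, and it does not cover Revoked or Pending.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

EXPIRING_WINDOW = timedelta(days=30)  # page: Healthy needs more than 30 days left
X509_CERT_HAS_EXPIRED = 10            # OpenSSL X509_V_ERR_CERT_HAS_EXPIRED

def classify(cert, now, allowed_issuers):
    """Status for a served certificate; cert is an SSLSocket.getpeercert() dict."""
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "Expired"
    # Assumption: the allow-list is matched on the issuer's organizationName.
    issuer = {key: value for rdn in cert["issuer"] for key, value in rdn}
    if issuer.get("organizationName") not in allowed_issuers:
        return "Unauthorized issuer"
    return "Healthy" if remaining > EXPIRING_WINDOW else "Expiring"

def probe(host, allowed_issuers, port=443, timeout=5.0):
    """Connect to host:port, verify chain and hostname, return a status name."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "Unreachable"  # no TCP connection: firewall, DNS or server down
    try:
        ctx = ssl.create_default_context()  # system trust store, hostname check on
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return classify(tls.getpeercert(), datetime.now(timezone.utc),
                            allowed_issuers)
    except ssl.SSLCertVerificationError as exc:
        # Code 10 is raised for any expired certificate in the chain, so an
        # expired intermediate is also reported as "Expired" here.
        if exc.verify_code == X509_CERT_HAS_EXPIRED:
            return "Expired"
        return "Install error"  # bad chain, wrong hostname, untrusted root
    except (ssl.SSLError, OSError):
        return "Install error"  # TCP worked but the TLS handshake did not
    finally:
        raw.close()

# Constructed certificate dict in getpeercert() layout, for offline runs.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Trust CA"),),
               (("commonName", "Example Issuing CA 1"),)),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}
```

Call `probe("your-hostname", {"Your CA organization"})` against an endpoint you own; `classify` can be run on `SAMPLE_CERT` without network access.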
What each endpoint shows
On the endpoint detail page you’ll find:
- The full certificate currently being served, with a link to its detail page.
- TLS connection details — version, cipher suite, resolved IPs, OCSP stapling status, chain validation result.
- A list of every certificate CertShield has seen that matches this endpoint’s hostname (handy for spotting rotation patterns).
- Probe timestamps so you know how fresh the data is.
Check Now
Every endpoint has a Check Now button. Use it after making changes to force an immediate re-probe. The normal schedule keeps running in the background regardless.
Monitoring toggle
You can temporarily pause automatic checks on a single endpoint without archiving it. Flip Monitoring off and CertShield stops probing it until you turn it back on. Useful for maintenance windows.
Archiving
Archiving an endpoint hides it from the default list and pauses all monitoring and alerts for it. Archived endpoints do not count toward your plan’s endpoint limit, so archiving is the right move when you genuinely want CertShield to leave something alone.
You can unarchive at any time. If your plan is full when you try to unarchive, you’ll be asked to make room first.