TLS & SSL Certificate Monitoring

TLS and SSL Certificate Monitoring — Continuous Visibility Across Every Endpoint

CertControl automatically scans all your TLS and SSL certificates — internet-facing and internal — and alerts you before problems occur. Not once. Continuously.

14-day free trial  ·  No credit card required  ·  EU hosted

What gets monitored

Full TLS visibility — not just expiry dates

Most teams know when a certificate expires. Fewer know whether the chain is valid, whether OCSP validation works, or whether the server still offers deprecated TLS 1.0. CertControl covers all of it.

Expiry dates and renewal windows

Automatic tracking of every certificate's expiry date, with configurable alerts at 60, 30, 14, 7 and 1 day before expiry. With 47-day certificates arriving in 2029, this is critical infrastructure.

Certificate chain and OCSP

Full chain validation from leaf to root. OCSP status checks that detect revoked certificates before they cause browser warnings or connection failures.

TLS protocols and cipher suites

Detection of deprecated protocols (TLS 1.0/1.1, SSLv3) and weak cipher suites. A+ to F grading per endpoint — like Qualys SSL Labs but automated and continuous.

SAN validation and domain coverage

Verification that a certificate's Subject Alternative Names actually cover the domains they are supposed to — including wildcard expansion and potential gaps.

Certificate Transparency logs

Monitoring CT logs to detect certificates issued to your domains that you do not know about. Critical for detecting unauthorised issuances and shadow IT.

Internal networks via on-premise agent

The CertControl agent scans internal endpoints behind your firewall and sends results securely to the platform. Complete visibility — no exceptions for internal systems.

Internet-facing vs. internal monitoring

Most outages start internally

Internet-facing certificates are visible. Internal certificates — on AD, intranets, mail servers, CI/CD pipelines, and internal API communication — are the ones that most often surprise teams, because nobody knew they existed.

Internet-facing scanning

  • Direct scanning from the CertControl platform
  • Full TLS protocol analysis and grading
  • HTTP headers (HSTS, CSP, X-Frame-Options)
  • Automatic subdomain discovery via CT logs
  • Supplier certificates on your domains

Internal network scanning (agent)

  • On-premise agent deployed in your network
  • Outbound connections only — no inbound required
  • Works behind firewalls and NAT
  • Same certificate data as internet-facing scanning
  • Unified view in the CertControl platform

Alerts and notifications

Alerts that actually reach the right people

An alert sent to a shared inbox is the same as no alert. CertControl sends to specific recipients, on the channels they use, with enough context to act immediately.

Configurable thresholds

Set alerts at exactly the right points for your renewal process — 60, 30, 14, 7, and 1 day before expiry. Separate thresholds for critical systems.

Email and webhooks

Notifications via email to named recipients and webhooks to Slack, Microsoft Teams, PagerDuty, or any system accepting HTTP POST.

Escalation and backup recipients

Configure escalation rules so critical certificates never depend on a single person. Backup recipients activate automatically when needed.

Frequently asked questions

What is TLS certificate monitoring?

TLS certificate monitoring is continuous automated scanning of your endpoints to detect certificate expiry, weak cipher suites, chain errors, and other TLS issues — before they cause outages or security gaps.

What is the difference between TLS and SSL monitoring?

SSL is the predecessor to TLS. What are still called SSL certificates are in practice TLS certificates today, so "TLS monitoring" and "SSL monitoring" refer to the same thing: monitoring the certificates that secure HTTPS connections.

Can CertControl monitor internal systems behind a firewall?

Yes. The CertControl agent is deployed in your network and scans internal endpoints. The agent communicates outbound only to the CertControl platform — no inbound ports need to be opened.

What does TLS grading mean?

TLS grading assigns each endpoint a letter grade from A+ to F based on protocol versions, cipher suites, chain health, and security headers. CertControl grades every endpoint automatically and continuously — flagging anything below a B as a finding.

Does CertControl support ACME/automated renewal?

Yes. CertControl integrates with the ACME protocol (Let's Encrypt and other CAs) and can fully automate certificate renewal — so you never need to react to an expiry alert again.