Best Practices

Initial Setup Checklist

Checklist: Download and installation

  • Download sslbrain from sslbrain.com (incl. license and API token)
  • Run the Docker container
  • Complete the setup wizard (admin account, encryption, Cloud connection)
  • Save the backup key (print or store securely)
  • Test vault unsealing (restart the container, confirm it starts correctly)
  • Log in and review the dashboard

Checklist: First server

  • Choose connection method: SSH (Linux), Service Agent (Windows), WinRM (Windows alternative)
  • Create credential: username/password or SSH key
  • Add server: hostname, credential, test connection
  • Review discovered services (IIS sites, Nginx vhosts, Exchange, etc.)
  • Run the certificate wizard
  • Verify the certificate is installed correctly

Scaling

Shared credentials

Use the same credential for servers with the same login (e.g. domain admin for all Windows servers).

Cloning

Clone setup from the first server to the next ones (one click).

Deployment plan

Create a deployment plan for all servers with the same certificate.

Large scale (50+ servers)

Consider GPO distribution of the Service Agent MSI.


Monitoring

Checklist: Notifications

  • Configure notification channels: email as a minimum, Slack/webhook for teams
  • Set alert rules: certificate expires in 30 days, deployment failed, server connection lost
  • Test notifications: click "test" to verify
  • Review alerts weekly in the dashboard

Scheduled maintenance

Interval     Task
Daily        Check dashboard for alerts
Weekly       Review audit log for unauthorised changes
Monthly      Check certificate expiry forecast
Quarterly    Review server list, remove decommissioned servers
Annually     Renew license, test disaster recovery
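The dashboard alert ("certificate expires in 30 days") and the monthly expiry forecast both depend on sslbrain itself being healthy. An independent check run on the servers closes that gap. The script below is an added example, not sslbrain's own tooling; it assumes the openssl command-line tool is available and that the deployed certificates sit as .pem or .crt files in one directory (the directory path and the WARN/SKIP output format are choices made here, not anything sslbrain defines). It reuses the page's 30-day threshold and deliberately distinguishes "not a certificate" (a private key in the same directory) from "expiring", so a parse error is not reported as an imminent expiry.

```shell
#!/bin/sh
# Added example (not sslbrain's own tooling): an out-of-band expiry check of
# certificate files on a host, using the same 30-day window as the alert rule,
# so a failed deployment or a silent alerting outage is still caught.
set -eu

# cert_expires_within FILE DAYS
#   returns 0 if FILE expires within DAYS (or has already expired),
#           1 if it stays valid for longer than DAYS,
#           2 if FILE is not a parseable certificate
cert_expires_within() {
    # Reject non-certificates first (e.g. a private key stored next to the
    # certificate); otherwise their parse error would be misread as "expiring".
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || return 2
    # -checkend returns 0 when the certificate outlives the window and non-zero
    # when it expires inside it (or is already expired).
    if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_cert_dir DIR DAYS
#   warns on stderr for every expiring certificate in DIR and prints the
#   number of expiring certificates on stdout (0 means nothing to do)
check_cert_dir() {
    count=0
    for f in "$1"/*.pem "$1"/*.crt; do
        [ -f "$f" ] || continue   # an unmatched glob stays literal; skip it
        cert_expires_within "$f" "$2" && rc=0 || rc=$?
        if [ "$rc" -eq 0 ]; then
            count=$((count + 1))
            printf 'WARN %s: %s\n' "$f" "$(openssl x509 -noout -enddate -in "$f")" >&2
        elif [ "$rc" -eq 2 ]; then
            printf 'SKIP %s: not a certificate\n' "$f" >&2
        fi
    done
    printf '%s\n' "$count"
}

# Usage (assumed path): check_cert_dir /etc/ssl/sslbrain 30
```

Run it from cron on each server and alert on a non-zero count; because it reads the files actually on disk, it also catches the case where a deployment was reported as successful but the service is still serving an older certificate from another path.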

Disaster Recovery

Automatic backup

Automatic daily backup to /data/backups/ (7-day retention by default).

Manual backup

Copy the entire /data volume.

Restore

Restore the volume, restart the container, unseal the vault with the backup key.

Test

Test recovery annually on a test instance.

Terminal
docker cp sslbrain:/data ./backup
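A copy of /data is only useful if it is intact when you need it. The script below is an added example, not part of sslbrain: it wraps the manual backup above in a checksum-verified, timestamped archive, refuses to restore an archive whose checksum does not match, and prunes old archives with the same 7-day retention the automatic backup uses. It assumes the source directory is the copy produced by `docker cp sslbrain:/data ./backup` (the container name comes from the page); the archive naming scheme and the .sha256 sidecar are choices made here. Copying the restored directory back into the container and unsealing the vault with the backup key remain the manual steps described above.

```shell
#!/bin/sh
# Added example (not part of sslbrain): a checksum-verified wrapper around the
# manual backup. SRC_DIR is assumed to be the copy made by
# `docker cp sslbrain:/data ./backup`; any directory works for a dry run.
set -eu

# make_backup SRC_DIR DEST_DIR
#   packs SRC_DIR into DEST_DIR/sslbrain-data-<UTC stamp>.tar.gz, writes a
#   .sha256 sidecar next to it and prints the archive path
make_backup() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/sslbrain-data-$stamp.tar.gz"
    # Archive relative to the parent directory so it unpacks as ./data/...
    tar -C "$(dirname "$src")" -czf "$archive" "$(basename "$src")"
    # Checksum with a relative file name so the sidecar verifies from anywhere
    ( cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE -> exit 0 if ARCHIVE matches its sidecar, 1 otherwise
verify_backup() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" ) >/dev/null 2>&1
}

# restore_backup ARCHIVE TARGET_DIR
#   unpacks ARCHIVE into TARGET_DIR/data, refusing to touch a damaged archive;
#   `docker cp TARGET_DIR/data sslbrain:/` and unsealing the vault follow manually
restore_backup() {
    if ! verify_backup "$1"; then
        echo "refusing to restore: checksum mismatch for $1" >&2
        return 1
    fi
    mkdir -p "$2"
    tar -C "$2" -xzf "$1"
}

# prune_backups DEST_DIR DAYS
#   removes archives and sidecars older than DAYS, mirroring the 7-day
#   retention of the automatic backup
prune_backups() {
    find "$1" -maxdepth 1 -type f -name 'sslbrain-data-*.tar.gz*' -mtime +"$2" -exec rm -f {} +
}

# Usage (assumed paths):
#   docker cp sslbrain:/data ./backup
#   make_backup ./backup/data /srv/sslbrain-backups && prune_backups /srv/sslbrain-backups 7
```

Keep the archive and its sidecar on a different host or volume than the sslbrain container; a backup that lives only on the disk it protects does not survive the failure it is meant to cover, and the annual recovery test above is the place to exercise `restore_backup` end to end.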

Credential Rotation

Checklist: Rotation

  • Rotate service account passwords quarterly or per your organisation's policy
  • Update credential in sslbrain: Settings → Credentials → edit → new password
  • All servers using this credential automatically get the new password at the next action
  • Test: run a scan on a server to verify

Access Control

Role       Who                          Recommendation
Admin      2-3 trusted employees        Limit the number, full control over everything
Operator   Team leads                   Can deploy, but cannot change credentials or users
Viewer     Everyone who needs insight   Cannot perform actions

Tip: Review user access quarterly, remove stale accounts.


Network Security

Checklist: Network

  • Only open port 8443 (HTTPS) from your local network to sslbrain
  • Allow sslbrain outbound access to cloud.sslbrain.com and acme.sslbrain.com (fixed IPs)
  • Allow sslbrain local access to your servers (SSH port 22, WinRM port 5985)
  • Do not give sslbrain access from the internet

Important: No inbound access from the internet or sslbrain Cloud to your network is necessary.