Endpoints

What is an endpoint?

An endpoint is a server or device that sslbrain manages certificates on. The count is per physical or virtual server, not per certificate or service.

  • Windows server: IIS with three websites, Exchange and RDP = 1 endpoint
  • Linux server: Nginx, Apache and five vhosts = 1 endpoint
  • FortiGate: VPN, admin interface and SSL inspection = 1 endpoint

It is the server or device that is counted, not what runs on it. You can have many certificates and services on the same endpoint at no extra cost.


Add Windows Server (Service Agent)

Service Agent is the recommended method for Windows servers. The agent requires no open inbound ports: it initiates the connection itself, calling out to sslbrain over HTTPS.

Setup

  1. Go to Downloads in sslbrain and download Windows Agent (.msi)
  2. Copy the MSI file to the Windows server
  3. Run the installation: next, next, finish
  4. The agent starts automatically as a Windows Service

System requirements: Windows Server 2016 or later / Windows 10 version 1607 or later. The agent is self-contained and does not require a pre-installed .NET runtime.

Within approximately 1 minute, the server appears under Endpoints with status "Online". No further configuration is needed.

What the agent finds

The agent scans the server and reports:

  Service       What is discovered
  IIS           All sites and their bindings (HTTP and HTTPS)
  Exchange      OWA, SMTP, IMAP, POP3
  RDP           Remote Desktop certificates
  ADFS          Active Directory Federation Services
  SQL Server    TLS configuration on SQL instances

Everything is displayed under the endpoint's Services tab.

Why agent over WinRM?

  • No inbound ports required: the agent uses outbound HTTPS.
  • No WinRM configuration: install and run. No further setup required.
  • Works behind NAT: works behind NAT and firewalls without port forwarding.
  • Automatic updates: the agent updates itself automatically via sslbrain Cloud.

The only prerequisite is that the server can reach sslbrain on port 8443 (or the port you have configured). See Access for detailed Windows Service configuration.


Add Linux Server (SSH)

SSH is the standard method for Linux servers. sslbrain connects via SSH and automatically discovers web server configurations.

Setup

  1. Click Endpoints > Add endpoint
  2. Select Linux (SSH)
  3. Fill in:
    • Hostname/IP
    • SSH port (default: 22)
    • Credentials (see Access)
  4. Click Test connection

A green checkmark means sslbrain can reach the server and log in. Click Save to add the endpoint.

What sslbrain discovers

After adding, sslbrain scans the server and automatically finds:

  • Nginx: all server blocks with listen 443 or ssl_certificate directives
  • Apache: all VirtualHost configurations with SSL enabled
  • Existing certificates: certificates already installed, with expiry date and chain validation

The results are displayed under the endpoint's Services tab within a few seconds.
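To preview which Nginx server blocks the rule above would match before adding a server, the following added example (not sslbrain's own code) parses a configuration dump and lists the blocks that listen on 443 or set ssl_certificate. The sample configuration, hostnames, paths and function names are constructed for illustration, and reading "listen 443" as a listen address ending in port 443 is an assumption.

```python
import re
# Constructed sample configuration (hostnames and paths are made up).
SAMPLE_CONF = """
http {
    server {
        listen 80;
        server_name plain.example.test;
    }
    server {
        listen 443 ssl;
        server_name shop.example.test;
        ssl_certificate /etc/ssl/shop.pem;  # key file is a separate directive
        ssl_certificate_key /etc/ssl/shop.key;
    }
    server {
        listen 8443 ssl;
        server_name admin.example.test;
        ssl_certificate /etc/ssl/admin.pem;
        location / { proxy_pass http://127.0.0.1:9000; }
    }
    server { listen [::]:443; server_name legacy.example.test; }
}
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, found by brace matching."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments (quoted '#' not handled)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def tls_services(conf):
    """List server blocks that listen on port 443 or set ssl_certificate."""
    found = []
    for body in server_blocks(conf):
        d = [t.split() for t in re.split(r"[;{}]", body) if t.strip()]
        listens = [t[1] for t in d if t[0] == "listen" and len(t) > 1]
        certs = [t[1] for t in d if t[0] == "ssl_certificate" and len(t) > 1]
        names = [n for t in d if t[0] == "server_name" for n in t[1:]]
        # Assumption: "listen 443" means the listen address ends in port 443.
        if certs or any(re.search(r"(^|:)443$", a) for a in listens):
            found.append({"names": names, "listen": listens, "certs": certs})
    return found

if __name__ == "__main__":
    print(tls_services(SAMPLE_CONF))
```

On a real server the input can be the output of `nginx -T`, which prints the full configuration with includes resolved.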


Add Network Device

sslbrain supports network devices that do not run a standard OS. The connection method depends on the device.

FortiGate

FortiGate firewalls are managed via SSH CLI.

  1. Click Endpoints > Add endpoint
  2. Select Network device > FortiGate
  3. Fill in hostname/IP, SSH port (default 22) and admin credentials
  4. Click Test connection

sslbrain finds certificates used for VPN, admin interface and SSL inspection.

NetScaler (Citrix ADC)

NetScaler is managed via REST API (NITRO).

  1. Click Endpoints > Add endpoint
  2. Select Network device > NetScaler
  3. Fill in:
    • Hostname/IP
    • Port (typically 443)
    • API credentials (username and password for NITRO API)
  4. Click Test connection

sslbrain finds all SSL vServers and their certificate bindings.

Note: Network devices require admin credentials with sufficient privileges to read and write certificate configuration. See Credentials for creating dedicated service accounts.