Monitoring
sslbrain monitors all certificates in your environment and sends alerts before they expire. Monitoring works regardless of whether the certificate was issued via sslbrain or found via discovery.
Expiry Alerts
sslbrain checks all known certificates daily and sends alerts at configured thresholds.
Default thresholds
| Days to expiry | Level | Action |
|---|---|---|
| 30 days | Info | Automatic renewal starts (if configured) |
| 14 days | Warning | Notification sent |
| 7 days | Critical | Repeated notifications |
| Expired | Alarm | Immediate notification |
Thresholds can be customised under Settings > Notifications > Expiry Alerts. You can add more thresholds or modify existing ones.
Exceptions
Certificates set to automatic renewal only send notifications if the renewal fails. There is no reason to warn about a certificate that is already being renewed.
You can also mute alerts for specific certificates, e.g. certificates on test environments.
Notifications
sslbrain supports multiple notification channels. You can configure which events trigger notifications on each channel.
| Channel | Configuration |
|---|---|
| SMTP server, sender, recipients (comma-separated) | |
| Slack | Webhook URL for Slack channel |
| Microsoft Teams | Webhook URL for Teams channel |
| Webhook | Custom HTTP endpoint (JSON payload) |
Events
The following events can trigger notifications:
- Certificate approaching expiry (at the configured thresholds)
- Certificate renewed
- Deployment completed or failed
- New certificate found via discovery
- Scan failed (endpoint unreachable)
- Vault sealed
Configuration
- Go to Settings > Notifications
- Add a channel (email, Slack, Teams or webhook)
- Select which events should trigger notifications
- Click Test to verify that the channel works
- Click Save
Tip: Set up at least email notifications during installation. This ensures you are alerted about critical events even if you do not log into sslbrain daily.
Scan Monitoring
sslbrain tracks whether scheduled endpoint scans are running correctly. If a scan fails, the cause is recorded.
Failure types
| Failure | Possible cause |
|---|---|
| Connection refused | Endpoint is down, firewall blocking, wrong port |
| Timeout | Endpoint not responding within the time limit |
| Authentication failed | Expired or incorrect credentials |
| TLS handshake failed | Endpoint not running TLS on the scanned port |
Endpoints with repeated scan failures are flagged on the dashboard so you can quickly identify problems.
Dashboard
The dashboard provides a unified view of all certificates and endpoints in your environment.
Certificate status
Count of valid, expiring soon and expired certificates. Broken down by CA and validation type.
Endpoint status
Count of endpoints online, offline and with errors. Last scan date per endpoint.
Recent activity
Renewals, deployments and scans in the last 7 days.
Expiry timeline
Timeline showing when each certificate expires over the next 90 days.
The dashboard updates automatically. Click any element to navigate directly to the certificate or endpoint.