Servers and endpoints

What is an endpoint?

An endpoint is a server or device on which sslbrain manages certificates. The count is per physical or virtual server, not per certificate or service.

Windows server

IIS with three websites, Exchange and RDP = 1 endpoint

Linux server

Nginx, Apache and five vhosts = 1 endpoint

FortiGate

VPN, admin interface and SSL inspection = 1 endpoint

It is the server or device that is counted, not what runs on it. You can have many certificates and services on the same endpoint at no extra cost.


Add Windows Server (Service Agent)

Service Agent is the recommended method for Windows servers. The agent requires no open inbound ports; it calls out to sslbrain over HTTPS on its own.

Setup

  1. Go to Downloads in sslbrain and download Windows Agent (.msi)
  2. Copy the MSI file to the Windows server
  3. Run the installer; it is a standard Windows installation: Next, Next, Finish
  4. The agent starts automatically as a Windows Service

Within approximately 1 minute, the server appears under Servers with status "Online". No further configuration is needed.

System requirements: Windows Server 2016 or later / Windows 10 version 1607 or later. The agent is self-contained and does not require a pre-installed .NET runtime.

What the agent finds

The agent scans the server and reports:

Service    | What is discovered
IIS        | All sites and their bindings (HTTP and HTTPS)
Exchange   | OWA, SMTP, IMAP, POP3
RDP        | Remote Desktop certificates
ADFS       | Active Directory Federation Services
SQL Server | TLS configuration on SQL instances

Everything is displayed under the server's Services tab.

Why agent over WinRM?

No inbound ports required

The agent uses outbound HTTPS. No inbound ports required.

No WinRM configuration

Install and run. No further setup required.

Works behind NAT

Works behind NAT and firewalls without port forwarding.

Automatic updates

The agent updates itself automatically via sslbrain Cloud.

The only prerequisite is that the server can reach sslbrain on port 8443 (or the port you have configured).

WinRM (alternative)

Use WinRM if you cannot or prefer not to install the agent. WinRM is Windows' built-in remote management protocol.

Prerequisites

WinRM must be enabled on the server. Run this in an administrative PowerShell:

PowerShell
winrm quickconfig

Ensure one of these ports is open in the firewall:

Port 5985

WinRM over HTTP (encrypted via NTLM/Kerberos)

Port 5986 (recommended)

WinRM over HTTPS (requires a certificate on the WinRM endpoint)

Tip: Port 5986 is recommended in production environments.

Setup in sslbrain

  1. Click Servers > Add server
  2. Select Windows (WinRM)
  3. Fill in:
    • Hostname/IP: the server's FQDN or IP address
    • Port: 5985 or 5986
    • Credentials: domain user or local administrator
  4. Click Test connection
  5. Click Save

sslbrain finds the same services as the agent (IIS, Exchange, RDP, ADFS, SQL).


Add Linux Server (SSH)

SSH is the standard method for Linux servers. sslbrain connects via SSH and automatically discovers web server configurations.

Setup

  1. Click Servers > Add server
  2. Select Linux (SSH)
  3. Fill in:
    • Hostname/IP: the server's FQDN or IP address
    • SSH port: 22 by default; change it only if the server uses a different port
    • Credentials: select an existing credential or create a new one (see the credentials section)
  4. Click Test connection

A green checkmark means sslbrain can reach the server and log in. Click Save to add the server.

What sslbrain discovers

After adding, sslbrain scans the server and automatically finds:

  • Nginx: all server blocks with listen 443 or ssl_certificate directives
  • Apache: all VirtualHost configurations with SSL enabled
  • Existing certificates: certificates already installed, with expiry date and chain validation

The results are displayed under the server's Services tab within a few seconds.

Requirements for the SSH user

Requirement        | Description
Read configuration | Access to read web server configuration files (typically /etc/nginx/ and /etc/apache2/ or /etc/httpd/)
Write certificates | Access to write certificate files and reload the web server (for deployment)
Sudo (optional)    | sudo privileges are recommended, but not required if file permissions allow it

Tip: See the section on service accounts for recommendations on SSH users.


Add Network Device

sslbrain supports network devices that do not run a standard OS. The connection method depends on the device.

FortiGate

FortiGate firewalls are managed via SSH CLI.

  1. Click Servers > Add server
  2. Select Network device > FortiGate
  3. Fill in hostname/IP, SSH port (default 22) and admin credentials
  4. Click Test connection

sslbrain finds certificates used for VPN, admin interface and SSL inspection.

NetScaler (Citrix ADC)

NetScaler is managed via REST API (NITRO).

  1. Click Servers > Add server
  2. Select Network device > NetScaler
  3. Fill in:
    • Hostname/IP: NetScaler's management IP
    • Port: typically 443
    • API credentials: username and password for NITRO API
  4. Click Test connection

sslbrain finds all SSL vServers and their certificate bindings.

Note: Network devices require admin credentials with sufficient privileges to read and write certificate configuration. Create a dedicated user with minimal privileges; see the section on service accounts.


Discovery

When you add a server, sslbrain automatically runs a scan. You can also run a scan manually from the server's overview page.

Scanning finds:

What              | Description
Services          | All services using TLS certificates
Certificates      | Expiry date, chain and configuration
TLS configuration | TLS versions and cipher suites in use
Issues            | Expired certificates, incomplete chains, weak ciphers

Results are displayed under the server's Services tab with a status indicator per service.

Tip: Scanning runs automatically at regular intervals (configurable under Settings > Scanning). You normally don't need to run it manually after the first time.
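As an added example (not sslbrain's own code), the script below imitates the nginx part of the discovery described under "What sslbrain discovers" and "Discovery": it parses a constructed nginx config, selects every server block that listens on 443, carries the ssl flag or sets ssl_certificate, honours an ssl_protocols value inherited from the enclosing http block, and flags a missing certificate file and legacy TLS versions. The sample config, the certificate path and the default protocol list are assumptions, not values from this page.

```python
import os
import re
SAMPLE_CONF = """# constructed sample config; the certificate path is a placeholder that does not exist
http {
    ssl_protocols TLSv1.2 TLSv1.3;
    server { listen 443 ssl http2; server_name app.example.internal;
             ssl_certificate /etc/ssl/sslbrain/app.crt; }
    server { listen [::]:8443 ssl; server_name legacy.example.internal;
             ssl_protocols TLSv1 TLSv1.1 TLSv1.2; }
}
"""
LEGACY_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}
DEFAULT_PROTOCOLS = ["TLSv1.2", "TLSv1.3"]  # assumed when no ssl_protocols is set
def _parse(tokens, pos=0):  # tokens -> [(directive, args, children_or_None)]
    nodes, cur = [], []
    while pos < len(tokens):
        tok, pos = tokens[pos], pos + 1
        if tok == "}":
            break
        if tok in ";{":
            kids, pos = _parse(tokens, pos) if tok == "{" else (None, pos)
            nodes.append((cur[0], cur[1:], kids))
            cur = []
        else:
            cur.append(tok)
    return nodes, pos

def _walk(name, nodes, inherited, out):
    d = {}
    for key, args, _ in nodes:
        d.setdefault(key, []).append(args)
    protocols = d.get("ssl_protocols", [inherited])[0]  # own value or inherited from the enclosing block
    listens, cert = d.get("listen", []), d.get("ssl_certificate", [[None]])[0][0]
    if name == "server" and (cert or any(
            "ssl" in a or a[0].rsplit(":", 1)[-1] == "443" for a in listens)):
        issues = ["no ssl_certificate directive"] if not cert else (
            [] if os.path.exists(cert) else ["certificate file missing: " + cert])
        legacy = sorted(LEGACY_TLS & set(protocols))
        issues += ["legacy TLS enabled: " + " ".join(legacy)] if legacy else []
        out.append({"server_name": " ".join(d.get("server_name", [["(none)"]])[0]),
                    "cert": cert, "protocols": protocols, "issues": issues})
    for key, _, kids in nodes:
        if kids is not None:
            _walk(key, kids, protocols, out)
    return out

def discover(conf_text):
    """TLS-enabled server blocks (listen 443/ssl or ssl_certificate) and their issues."""
    text = re.sub(r"#[^\n]*", "", conf_text)  # strip comments before tokenising
    return _walk("root", _parse(re.findall(r"[{};]|[^\s{};]+", text))[0], DEFAULT_PROTOCOLS, [])
```

Run `discover(open("/etc/nginx/nginx.conf").read())` on a server to see what an agentless scan of that file would report; include files are not followed.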


Credentials

Credentials are stored encrypted in sslbrain's vault and can be reused across servers.

Types

Type         | Used for        | Fields
SSH password | Linux servers   | Username + password
SSH key      | Linux servers   | Username + private key (+ passphrase if applicable)
Domain user  | Windows (WinRM) | Domain\username + password
Local user   | Windows (WinRM) | Username + password
API token    | Network devices | Token or username + password

Create a credential

  1. Go to Settings > Credentials
  2. Click New credential
  3. Select the type, enter a descriptive name (e.g. "Linux service account" or "FortiGate admin") and fill in the fields
  4. Click Save

Tip: You can also create credentials directly when adding a server: click New credential in the credential dropdown.

Security

  • Credentials are encrypted with AES-256 in sslbrain's vault
  • Private SSH keys are never stored in plaintext
  • Credentials can only be used by sslbrain; they cannot be retrieved via the UI or API
  • Delete a credential under Settings > Credentials if it is no longer in use

Best practice for service accounts

Note: Create dedicated service accounts for sslbrain rather than using personal admin accounts. Grant only the permissions that sslbrain needs.

Linux

Create a user for sslbrain:

Terminal
sudo useradd -r -m -s /bin/bash sslbrain-svc

Grant access to read web server configuration and write certificate files:

Terminal
# Read Nginx/Apache configuration (group membership only helps where the config files are group-readable)
sudo usermod -aG www-data sslbrain-svc

# Reload web server: allow exactly these two commands and nothing else (add to sudoers)
echo "sslbrain-svc ALL=(root) NOPASSWD: /usr/sbin/nginx -s reload, /usr/sbin/apachectl graceful" \
  | sudo tee /etc/sudoers.d/sslbrain-svc

# sudoers expects root-owned files with mode 0440; visudo -c checks the syntax without locking you out
sudo chmod 0440 /etc/sudoers.d/sslbrain-svc
sudo visudo -cf /etc/sudoers.d/sslbrain-svc

Use an SSH key instead of a password. Generate a key pair and upload the public key to the server.

Windows

Create a dedicated service account in Active Directory (or locally) with these permissions:

  • IIS: Membership of the "IIS Admins" group or an equivalent custom group with permissions to manage bindings and certificates
  • Certificate store: Read and write access to "Local Machine\WebHosting" and "Local Machine\My"
  • Exchange: The "Server Management" role in Exchange
  • WinRM: Membership of the "Remote Management Users" group

Note: Never use a Domain Admin account as an sslbrain credential. If the account is compromised, minimal permissions limit the damage.

Network devices

Create a dedicated admin user with only the permissions necessary for certificate management:

  • FortiGate: Create an admin profile with access to "VPN" and "System" → "Certificates". No access to firewall rules or routing.
  • NetScaler: Create a user with sslCertKey privileges via a custom command policy.

Tip: Document which credentials are used for which servers, and rotate passwords/keys regularly.