What Are Certificate Monitors?

A Certificate Monitor is a configured endpoint that Generator Labs continuously checks for TLS/SSL certificate validity and expiration. Each monitor represents a specific service or server that uses certificates for secure communication.

When you create a monitor, you specify a hostname or IP address, a protocol that defines how the TLS/SSL connection is established, a profile that determines validation rules and alert thresholds, and contact groups to notify when issues are detected. The system regularly connects to your service, retrieves the certificate chain, validates it, and alerts you of any issues.

Supported Protocols

Generator Labs supports certificate monitoring for the following protocols:

Web Services

  • HTTPS (port 443)

Email Services

  • SMTPS (port 465)
  • SMTP + STARTTLS (port 25)
  • IMAPS (port 993)
  • IMAP + STARTTLS (port 143)
  • POPS (port 995)
  • POP + STARTTLS (port 110)
  • LMTP + STARTTLS (port 24)

File Transfer

  • FTPS (port 990)
  • FTP + STARTTLS (port 21)

Directory Services

  • LDAPS (port 636)
  • LDAP + STARTTLS (port 389)

Database Services

  • MySQL (port 3306)
  • PostgreSQL (port 5432)

Voice/SIP

  • SIPS (port 5061)

STARTTLS vs Implicit TLS

Services with implicit TLS, like HTTPS and SMTPS, establish an encrypted connection immediately upon connecting. Services using STARTTLS, like SMTP on port 25, begin with an unencrypted connection, then issue the STARTTLS command to upgrade to TLS/SSL before the certificate is retrieved and validated. This approach provides backward compatibility with older clients that don't support encryption.

Hostname Configuration

Monitors accept DNS hostnames such as mail.example.com. For a hostname, the system performs A and AAAA record lookups and monitors each IP address returned, which makes hostnames ideal for load-balanced services. You can also specify an IPv4 address such as 192.168.1.100 or an IPv6 address such as 2001:db8::1 directly.

Override the default port by appending a colon and port number, for example mail.example.com:2500 for SMTP on a custom port, 192.168.1.50:8443 for HTTPS on port 8443, or ldap.example.com:10636 for LDAPS on a custom port.
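
The following is an added example, not Generator Labs code. It shows what a single check involves: applying the host:port override described above, then retrieving the validated leaf certificate over either implicit TLS or SMTP STARTTLS and computing the days until expiration. The function names, the three-protocol subset, and the treatment of a bare IPv6 address as carrying no port override are assumptions of this example.

```python
import smtplib
import socket
import ssl
from datetime import datetime, timezone

# Default ports and connection modes for three protocols from the list above.
PROTOCOLS = {
    "https": (443, "implicit"),
    "smtps": (465, "implicit"),
    "smtp": (25, "starttls"),
}

def split_target(target, protocol):
    """Apply a trailing ':port' override, else use the protocol default."""
    default_port, mode = PROTOCOLS[protocol]
    host, sep, port = target.rpartition(":")
    # Assumption: a bare IPv6 literal (colons in the host part) has no override.
    if sep and port.isdigit() and ":" not in host:
        return host, int(port), mode
    return target, default_port, mode

def fetch_leaf_cert(host, port, mode, timeout=10):
    """Return the server's validated leaf certificate as a dict."""
    ctx = ssl.create_default_context()  # verifies chain and hostname, raises on failure
    if mode == "implicit":
        # TLS handshake begins immediately after the TCP connect.
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert()
    # STARTTLS (SMTP only here): plaintext EHLO first, then upgrade in place.
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()

def days_until_expiry(cert, now=None):
    """Whole days from `now` to notAfter; negative once expired."""
    now = now or datetime.now(timezone.utc)
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((not_after - now.timestamp()) // 86400)

if __name__ == "__main__":
    # Constructed certificate dict in the shape getpeercert() returns.
    sample = {"notAfter": "Jun  1 12:00:00 2030 GMT"}
    print(split_target("mail.example.com:2500", "smtp"))
    print(days_until_expiry(sample))
```

Running fetch_leaf_cert(*split_target(...)) requires network access to a server you operate; a failed chain or hostname check surfaces as ssl.SSLCertVerificationError rather than a returned certificate.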

Monitor Management

Each monitor tracks its status, days until certificate expiration, detailed certificate chain analysis, a unique system identifier (SID), and optional tags for organizing and filtering. Monitors run checks on a regular schedule, send alerts to configured contact groups when issues arise, and update status in real time as certificates expire or are renewed.

Use descriptive display names that identify the service purpose, environment, and location. Apply tags to group related monitors and select the appropriate profile for your service type. Adjust alert thresholds based on your certificate renewal lead times.