FAQ Page
General
What is Red Sift Certificates Lite?
Certificates Lite acts as your assurance layer, offering visibility and alerts when automation falls short.Get visibility, maintain oversight, avoid downtime and cut expenses by monitoring and alerting on certificates registered against your domain.
What does Certificates Lite do?
Certificates Lite monitors the issuance of public certificates and notifies you if it notices if a previously issued certificate was not renewed.
Will Certificates Lite monitor & notify me regarding deployed certificates?
No, Certificates Lite does not monitor where certificates are deployed. Monitoring where certificates are deployed is part of the paid upgrade, Certificates Enterprise.
This means Certificates Lite will only notify you if we notice a certificate has not been renewed. To be notified if we notice an endpoint has not had updated certificates deployed you would need Certificates Enterprise.
Why should I use a certificate expiry notification tool?
Expired certificates can lead to service disruptions, security risks, and non-compliance with regulatory standards.
Does Red Sift Certificates only find Let’s Encrypt certificates?
Red Sift Certificates is issuer-agnostic.
Is there a limit on what I can monitor?
Certificates Lite lets you monitor up to 250 certificates over an unlimited amount of hosts.
What sort of certificate types do you monitor?
SSL/TLS certificates.
Where do you collect your certification information data?
All information is gathered via the CT (Certificate Transparency) logs publicly available on the CCADB. More information on how Red Sift Certificates acquires certificate data can be found here.
Why don’t I need to verify my domain?
Our decision not to include domain verification in Red Sift Certificates Lite is intentional and is because we use publicly available data from Certificate Transparency (CT) logs to collect certificate data. As we continue to expand Red Sift Certificates Lite's capabilities, we plan to introduce additional controls, including verification features, to enhance security and further reduce the risk of abuse.
Why may I see a Certificate Expiry when the certificate is renewed?
Currently, the Expiring Certificates section displays all certificates identified during the initial scan, including those that have been superseded by newer certificates. This is why you may see an older certificate listed at the top, while the valid certificate with a later expiration date appears further down the list or on another page.
The good news is that from an expiration notification standpoint, superseded certificates are excluded from automated email alerts.
Can Certificates automatically add and remove certificate monitoring endpoints from our account?
Endpoint monitoring where certificates are found installed is a feature that is available in Certificates Enterprise. More information about that can be found here: https://redsift.com/pulse-platform/certificates.
I received a certificate expiry notification email, but I have already renewed the certificate. Why is this happening?
If you have renewed the certificate but on a different host, the system will still send an expiry notification for the old certificate. This happens because the original certificate remains in the system until it fully expires.
- If a replacement certificate is detected more than 7 days before the original certificate's expiration, no notification is sent for the expiring certificate.
Since a valid replacement was found, no alert was triggered for the original certificate.
Does Red Sift Certificates support IDN (Internationalized domain name) domains?
Yes, Red Sift Certificates will automatically detect that the domain is an IDN and convert accordingly while searching for certificates.
Does Red Sift Certificates Lite support any API access?
Not at present.
How do I delete certificates from the platform?
Certificates are automatically removed from the Certificate platform after 3 days if they cease to be relevant. This time may be reduced in a future update. Certificates cease to be relevant if the domain or host is removed from the platform.
How frequently does Red Sift Certs Lite verify the validity of public certificates?
Red Sift Certificate Lite checks public certificates once per day to determine if they are valid or expired. The update process begins daily at 13:20 UTC.
Does Certificate Lite discover Certificates from custom ports?
Certificate Lite is not port or service aware, whereas Certificate Enterprise is. In Certificate Enterprise, our daily assessments automatically detect certificates on ports 443 and 25. For other ports, certificates are identified through our Network Scanning process, which scans: The top 1000 most commonly used TCP ports and The top 1000 most commonly used UDP ports.
Can Certificates Lite detect certificates deployed behind a Firewall?
Certificates can only detect Certificates deployed behind firewalls by using Integrations. Integrations are only available in the Enterprise edition of Certificates.
- Do all certificates count towards my 250 certificate limit?
- No, only active certificates (current date is between the certificate's start and expiry date, regardless of installation or deployment) count towards the limit. Expired, Superseded or revoked certificates do not count towards the 250 limit.
Domains
Can I upload domains in bulk?
Yes, you will be able to upload all of your domains using a simple CSV bulk upload process. This can be found on the hosts under the add domains multi select button.
Can I add any host, IP address or network range?
Certificates Lite allows you to add domains or subdomains. For certificate discovery across your entire digital infrastructure—including network assets, cloud platforms, DNS providers, Certificate Authorities, and registrars—explore Red Sift Certificates Enterprise.
Do I need to add subdomains (domain.com and mail.domain.com)?
No, Red Sift Certificates will detect relevant certificates automatically.
Notifications
How does the tool notify me of an expiring certificate?
Expiry notifications will be sent via email.
Can I customize my notification frequency?
No, Certificates Lite is limited to one email alert 7 days before expiry
What should I do if I'm not getting notifications?
Please check that you have correctly entered your email address on the notifications page and that the emails are not in your spam folder.
Why am I receiving expiration notifications for certificates that appear to be superseded by the issuance of newer certificates?
Our system currently considers a certificate superseded only if its Subject Alternative Name (SAN) list exactly matches a newer certificate. If a newer certificate includes additional SAN entries, such as a wildcard alongside a specific domain, it is not recognized as a direct replacement for the older certificate. As a result, expiration notifications may still be triggered for the original certificate. We are actively improving this logic to prevent notifications for certificates that have been effectively replaced or superseded.