This guide explains how Certificate Enterprise and Lite ingests certificates, determines expiry notifications, and manages certificate deletion.
Certificate Ingestion in Enterprise and Lite
Red Sift Certificate ingests and manages certificates through multiple sources:
1️⃣ Assessments (Enterprise Customers Only)
- When a new host is added, it is scheduled for an assessment, usually conducted daily (some customers have weekly or monthly assessments).
- The system connects to ports 80, 443, and 25, performs tests, DNS lookups, and generates a security report.
- During assessments, all discovered certificates (including intermediate and root certificates) are imported into the customer's account.
Certificate Lite users do not receive assessments.
2️⃣ Certificate Transparency Logs (CT Logs) & Certificate Database
- Red Sift Certificate monitors public Certificate Transparency (CT) logs to track all newly issued certificates.
- When a user adds a host, a search is triggered to find matching certificates in the Certificate Database (CRTDB).
- Any relevant certificate is imported automatically, including wildcard certificates (e.g., *.example.com) and any subdomain-specific certificates.
- Going forward, whenever a new certificate appears in CT Logs, it is automatically imported into the user's account.
This applies to both Certificate Lite and Enterprise customers.
3️⃣ Network Scanning (Enterprise Only)
Not available for Certificate Lite users.
- Enterprise customers with Network Scanning enabled can:
✅ Scan network ranges via /settings/networkRanges.
✅ Enable hostname-based scanning via /settings/networkScanning.
- Red Sift Certificate scans the top 1000 most common TCP & UDP ports and attempts to communicate using different protocols (FTP, HTTPS, IMAP, LDAP, SMTP, etc.).
- If a certificate is discovered, it is automatically imported.
4️⃣ Cloud Integrations (Enterprise Only)
Not available for Certificate Lite users.
Certain cloud integrations extract and import certificates from connected cloud accounts.
5️⃣ API-Based Certificate Ingestion (Enterprise Only)
Not available for Certificate Lite users.
- Customers can manually upload certificates using the Red Sift Certificate API.
- API Endpoint: Create Certificate API.
Certificate Expiry Notifications
Red Sift Certificate sends expiry alerts differently for Enterprise and Certificate Lite users.
Enterprise Customers
- Red Sift Certificate checks all certificates once a day for expiry status.
- For expiring certificates, it identifies associated endpoints (e.g., an LDAP server at IP 192.168.0.1 on port 80).
- Red Sift Certificate actively connects to endpoints to verify whether the certificate is still installed:
✅ If the certificate is still in use, an expiry notification is sent.
✅ If the certificate has been replaced, no notification is sent.
Limitations:
- If a certificate is installed behind a firewall or load balancer, Red Sift Certificate may not always detect it.
- Some networks use Anycast, directing traffic based on the request origin, which can prevent full certificate visibility.
Certificate Lite Users
- Since Certificate Lite does not perform network scanning, it cannot detect certificate installations directly.
- Expiry checks are based only on CT Log data.
- Once a day, Red Sift Certificate checks if an expiring certificate has been superseded by a newer certificate:
✅ If a newer certificate exists, no notification is sent.
❌ If no newer certificate exists, an expiry alert is sent.
Limitations:
- If a customer renews a certificate but forgets to install it, they may still receive an expiry alert.
- The system cannot distinguish whether a certificate is installed on all necessary hosts.
- Expiration notifications may still be triggered for certificates that seem superseded if the newer certificate does not have an identical Subject Alternative Name (SAN) list. If the newer certificate includes additional SAN entries (e.g., a wildcard alongside a specific domain), it is not recognized as a direct replacement. We are actively improving this logic to reduce unnecessary notifications.
Certificate Deletion & Archiving
1️⃣ Automatic Deletion for Certificate Lite Users
Due to limited storage quotas, Red Sift Certificate automatically deletes:
✔ Duplicate certificates (e.g., pre-certificates when the actual certificate exists).
✔ Expired certificates that have been superseded by newer ones.
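The following is an added example, not Red Sift code, that models the decision logic described in the two sections above: the Lite-tier expiry check (strict SAN-list matching, and the relaxed superset matching the page says is being worked on), the Enterprise-tier check that connects to an endpoint and compares the served leaf certificate's fingerprint, and the Lite-tier cleanup of pre-certificates and superseded expired certificates. The `Cert` model, the 7-day window (taken from the comparison table for Lite), matching a pre-certificate to its final certificate on issuer and serial, and all sample fingerprints and serials are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import ssl

# Constructed reference time for the sample data below (not real data).
SAMPLE_NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    """Minimal certificate model assumed for this example."""
    fingerprint: str          # hex SHA-256 over the DER encoding
    issuer: str
    serial: int
    sans: frozenset           # dNSName entries from the Subject Alternative Name extension
    not_after: datetime
    is_precert: bool = False  # CT pre-certificate (carries the RFC 6962 poison extension)


def supersedes(newer, older, strict=True):
    """True if `newer` replaces `older`.

    strict=True mirrors the Lite behaviour described on the page: the SAN lists
    must be identical, so a renewal that adds a wildcard is NOT a replacement.
    strict=False accepts any newer certificate whose SANs cover all of the old
    ones, the relaxed rule the page says is being worked on.
    """
    if newer.is_precert or newer.not_after <= older.not_after:
        return False
    return newer.sans == older.sans if strict else older.sans <= newer.sans


def lite_should_alert(expiring, known, now, window=timedelta(days=7), strict=True):
    """Lite tier: alert only when no newer certificate in CT data supersedes it."""
    if not (now <= expiring.not_after <= now + window):
        return False
    return not any(supersedes(c, expiring, strict) for c in known)


def fetch_leaf_fingerprint(host, port):
    """Enterprise-style endpoint check: fetch the served leaf and hash its DER.
    No CA bundle is passed, so the stdlib does not verify the chain; that lets an
    expiring or already-expired certificate still be retrieved and compared."""
    pem = ssl.get_server_certificate((host, port))
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def enterprise_should_alert(expiring, endpoints, now, window=timedelta(days=7),
                            fetch=fetch_leaf_fingerprint):
    """Enterprise tier: alert only if the expiring certificate is still served by
    at least one known endpoint. Endpoints that cannot be reached (firewall, load
    balancer, anycast) are skipped, which is exactly the blind spot the page notes."""
    if not (now <= expiring.not_after <= now + window):
        return False
    for host, port in endpoints:
        try:
            if fetch(host, port) == expiring.fingerprint:
                return True
        except OSError:  # ssl.SSLError and socket errors are OSError subclasses
            continue
    return False


def lite_cleanup(certs, now):
    """Lite tier storage cleanup: return the certificates to delete, i.e.
    pre-certificates whose final certificate is present (matched on issuer and
    serial, an assumption of this example) and expired certificates that a
    newer certificate has superseded under the strict rule."""
    finals = {(c.issuer, c.serial) for c in certs if not c.is_precert}
    doomed = []
    for c in certs:
        if c.is_precert and (c.issuer, c.serial) in finals:
            doomed.append(c)
        elif c.not_after < now and any(supersedes(o, c) for o in certs):
            doomed.append(c)
    return doomed


def sample_certs():
    """Constructed sample data: issuer, fingerprints and serials are placeholders."""
    def days(n):
        return SAMPLE_NOW + timedelta(days=n)
    www = frozenset({"www.example.com"})
    return {
        "expiring": Cert("aa" * 32, "Example CA", 1, www, days(5)),
        "same_sans": Cert("bb" * 32, "Example CA", 2, www, days(90)),
        "wider_sans": Cert("cc" * 32, "Example CA", 3, www | {"*.example.com"}, days(90)),
        "precert": Cert("dd" * 32, "Example CA", 2, www, days(90), is_precert=True),
        "expired": Cert("ee" * 32, "Example CA", 0, www, days(-10)),
    }


if __name__ == "__main__":
    s = sample_certs()
    print("alert, renewal with same SANs:", lite_should_alert(s["expiring"], [s["same_sans"]], SAMPLE_NOW))
    print("alert, renewal adds wildcard (strict):", lite_should_alert(s["expiring"], [s["wider_sans"]], SAMPLE_NOW))
    print("to delete:", [c.fingerprint[:8] for c in lite_cleanup(list(s.values()), SAMPLE_NOW)])
```

Running the block shows the SAN-list caveat from the Lite limitations directly: the renewal with identical SANs suppresses the alert, while the renewal that adds `*.example.com` still triggers one under strict matching and is only recognised as a replacement with `strict=False`. The pre-certificate in the sample is never treated as a superseding certificate and is the first candidate for deletion once its final certificate is present.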
2️⃣ Enterprise Customer Certificate Retention
- Currently, expired certificates are not deleted, but this will change starting February 28, 2025.
- After 90 days, expired certificates will be archived if:
✅ They have not been seen on the network for at least 90 days.
This reduces unnecessary data clutter and helps organizations maintain an updated view of active certificates.
Summary of Differences Between Certificate Lite & Enterprise
Feature | Certificate Lite | Enterprise |
---|---|---|
Certificate Ingestion | CT Logs only | CT Logs + Network Scanning + Cloud Integrations + API |
Network Scanning | ❌ No | ✅ Yes |
Cloud Integrations | ❌ No | ✅ Yes |
API Access | ❌ No | ✅ Yes |
Expiry Notifications | CT Log-based only | Endpoint verification before alerting |
Certificate Deletion | Automatic cleanup of expired/superseded certs | 90-day archival process (effective Feb 28, 2025) |
Management Console | Basic interface | Fully interactive console with advanced filtering & search |
Certificate Discovery | Manual entry (limited to 250 certs) | Automated discovery across hosts, network ranges, domains & IPs |
Monitoring & Assessment | CT log-based monitoring | Continuous CT log & network scan monitoring with daily security checks |
Expiration Alerts | One-time email 7 days before expiration | Configurable notifications with critical & overdue alerts |
Integrations & Security Insights | ❌ No | Connect with AWS, GCP and Azure for automated certificate management; detailed issuance history and deployment tracking; endpoint classification & security analysis |
DNS monitoring & port scanning | ❌ No | DNS monitoring & port scanning for detecting unauthorized certificates |
Choosing the Right Tier
Red Sift Certificates Lite is ideal for individuals, hobbyists, and small businesses needing basic certificate expiry tracking (up to 250 certificates).
Red Sift Certificates Enterprise is designed for businesses requiring full automation, security insights, and enterprise-scale certificate management.