Certificates Ingestion & Expiry Alerts - User Guide

Created by Yves Lacombe, Modified on Mon, 26 May at 11:56 AM by Yves Lacombe

This guide explains how Red Sift Certificate (Enterprise and Lite) ingests certificates, decides when to send expiry notifications, and handles certificate deletion and archiving.

Certificate Ingestion in Enterprise and Lite

Red Sift Certificate ingests and manages certificates through multiple sources:

1️⃣ Assessments (Enterprise Customers Only)

  • When a new host is added, it is scheduled for an assessment, usually conducted daily (some customers have weekly or monthly assessments).
  • The system connects to ports 80, 443, and 25, performs tests and DNS lookups, and generates a security report.
  • During assessments, all discovered certificates (including intermediate and root certificates) are imported into the customer's account.

Certificate Lite users do not receive assessments.


2️⃣ Certificate Transparency Logs (CT Logs) & Certificate Database

  • Red Sift Certificate monitors public Certificate Transparency (CT) logs to track all newly issued certificates.
  • When a user adds a host, a search is triggered to find matching certificates in the Certificate Database (CRTDB).
  • Any relevant certificate is imported automatically, including wildcard certificates (e.g., *.example.com) and any subdomain-specific certificates.
  • Going forward, whenever a new cert appears in CT Logs, it is automatically imported into the user's account.

This applies to both Certificate Lite and Enterprise customers.
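The CRTDB lookup above imports every certificate that is relevant to a newly added host, which is a broader rule than the one a TLS client uses to decide whether a certificate actually covers a hostname. The following Python is an added illustration, not Red Sift code: the `Cert` records are constructed stand-ins for CRTDB entries, the "relevant for import" rule (the SAN names the host, a subdomain of it, or a wildcard at or below it) is an assumption about the matching described in this guide, and the coverage rule follows the usual single-label wildcard semantics from RFC 6125.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a CRTDB record: a fingerprint and its SAN names."""
    fingerprint: str
    sans: tuple


def _norm(name):
    """Lower-case and strip a trailing dot so comparisons are case/FQDN insensitive."""
    return name.strip().rstrip(".").lower()


def san_covers_host(san, host):
    """RFC 6125-style match: '*.example.com' covers exactly one leftmost label,
    so it matches www.example.com but neither example.com nor a.b.example.com."""
    san, host = _norm(san), _norm(host)
    if san.startswith("*."):
        suffix = san[1:]                      # ".example.com"
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        return "." not in host[: -len(suffix)]  # only a single label may replace '*'
    return san == host


def cert_covers_host(cert, host):
    """True if any SAN on the certificate would satisfy a client connecting to host."""
    return any(san_covers_host(s, host) for s in cert.sans)


def san_relevant_to_host(san, host):
    """Assumed ingestion rule: import when the SAN is the host itself, a subdomain
    of it, or a wildcard under it ('*.example.com' ends with '.example.com')."""
    san, host = _norm(san), _norm(host)
    return san == host or san.endswith("." + host)


def certs_to_import(crtdb, host):
    """Return the CRTDB records that would be pulled into the account for host."""
    return [c for c in crtdb if any(san_relevant_to_host(s, host) for s in c.sans)]


# Constructed sample CRTDB contents (fingerprints are placeholders, not real values).
CRTDB = (
    Cert("aa11", ("example.com", "www.example.com")),
    Cert("bb22", ("*.example.com",)),
    Cert("cc33", ("mail.example.com",)),
    Cert("dd44", ("*.sub.example.com",)),
    Cert("ee55", ("example.org",)),
    Cert("ff66", ("notexample.com",)),   # suffix match must be label-aligned
)

if __name__ == "__main__":
    imported = certs_to_import(CRTDB, "example.com")
    print("imported for example.com:", [c.fingerprint for c in imported])
    wildcard = CRTDB[1]
    for h in ("www.example.com", "example.com", "a.b.example.com"):
        print(f"{wildcard.sans[0]} covers {h}: {cert_covers_host(wildcard, h)}")
```

The two rules deliberately differ: `certs_to_import` pulls in the wildcard and every subdomain certificate so the inventory is complete, while `cert_covers_host` answers the narrower question of which of those certificates a client would accept for a given name.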


3️⃣ Network Scanning (Enterprise Only)

Not available for Certificate Lite users.

  • Enterprise customers with Network Scanning enabled can:
    ✅ Scan network ranges via /settings/networkRanges.
    ✅ Enable hostname-based scanning via /settings/networkScanning.
  • Red Sift Certificate scans the top 1000 most common TCP & UDP ports and attempts to communicate using different protocols (FTP, HTTPS, IMAP, LDAP, SMTP, etc.).
  • If a certificate is discovered, it is automatically imported.

4️⃣ Cloud Integrations (Enterprise Only)

Not available for Certificate Lite users.

Certain cloud integrations extract and import certificates from connected cloud accounts.


5️⃣ API-Based Certificate Ingestion (Enterprise Only)

Not available for Certificate Lite users.

  • Customers can manually upload certificates using the Red Sift Certificate API.
  • API Endpoint: Create Certificate API.

Certificate Expiry Notifications

Red Sift Certificate sends expiry alerts differently for Enterprise and Certificate Lite users.

Enterprise Customers

  • Red Sift Certificate checks all certificates once a day for expiry status.
  • For expiring certificates, it identifies associated endpoints (e.g., LDAP server at IP 192.168.0.1 on port 80).
  • Red Sift Certificate actively connects to endpoints to verify whether the certificate is still installed:
    ✅ If the certificate is still in use, an expiry notification is sent.
    ✅ If the certificate has been replaced, no notification is sent.

Limitations:

  • If a certificate is installed behind a firewall or load balancer, Red Sift Certificate may not always detect it.
  • Some networks use Anycast, directing traffic based on the request origin, which can prevent full certificate visibility.
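The Enterprise check above comes down to one comparison per endpoint: fetch the leaf certificate the endpoint currently presents and compare its fingerprint with the expiring certificate's. The Python below is an added example of that pattern, not Red Sift's implementation. `Endpoint`, `fetch_leaf_der`, `decide_notification` and the `"unknown"` outcome for endpoints that could not be reached (the firewall and Anycast cases in the limitations) are assumptions made here; the sample responses are constructed so the example runs offline.

```python
import hashlib
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    """A place the expiring certificate was previously seen (hypothetical type)."""
    host: str   # hostname or IP address
    port: int


def fetch_leaf_der(ep, timeout=5.0):
    """Live fetch of the served leaf certificate in DER form.
    get_server_certificate does no chain validation, which is what an inventory
    check wants: an expired or replaced certificate must still be observable.
    Implicit TLS only; STARTTLS services (e.g. SMTP on 25) need a protocol-aware client."""
    pem = ssl.get_server_certificate((ep.host, ep.port), timeout=timeout)
    return ssl.PEM_cert_to_DER_cert(pem)


def sha256_fingerprint(der):
    """Fingerprint as most inventories store it: SHA-256 over the DER bytes."""
    return hashlib.sha256(der).hexdigest()


def endpoint_still_serves(expected_fp, ep, fetch=fetch_leaf_der):
    """Return (installed, observed_fp). A connection failure yields (None, None):
    'could not verify' is deliberately kept distinct from 'replaced'."""
    try:
        der = fetch(ep)
    except (OSError, ssl.SSLError):
        return None, None
    fp = sha256_fingerprint(der)
    return fp == expected_fp, fp


def decide_notification(expected_fp, endpoints, fetch=fetch_leaf_der):
    """'notify' if the expiring certificate is still served anywhere, 'suppress' if
    every reachable endpoint now serves something else, 'unknown' if nothing could
    be reached (assumed handling; the guide only describes the first two cases)."""
    results = {ep: endpoint_still_serves(expected_fp, ep, fetch) for ep in endpoints}
    if any(ok for ok, _ in results.values()):
        return "notify"
    if all(ok is None for ok, _ in results.values()):
        return "unknown"
    return "suppress"


# Constructed fake network: what each endpoint "serves" (not real certificates).
SERVED = {
    ("web.example.com", 443): b"constructed-cert-A",
    ("mail.example.com", 993): b"constructed-cert-B",
}
EXPIRING_FP = sha256_fingerprint(b"constructed-cert-A")


def fake_fetch(ep):
    """Offline stand-in for fetch_leaf_der: unknown endpoints behave as unreachable."""
    try:
        return SERVED[(ep.host, ep.port)]
    except KeyError:
        raise OSError("connection refused")


if __name__ == "__main__":
    eps = [Endpoint("web.example.com", 443), Endpoint("mail.example.com", 993)]
    print(decide_notification(EXPIRING_FP, eps, fake_fetch))                     # notify
    print(decide_notification(EXPIRING_FP, eps[1:], fake_fetch))                 # suppress
    print(decide_notification(EXPIRING_FP, [Endpoint("fw.example.com", 636)], fake_fetch))  # unknown
```

Keeping the three outcomes separate matters operationally: treating an unreachable endpoint as "replaced" would silently suppress alerts for exactly the hosts behind firewalls and load balancers that the limitations above call out.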
Certificate Lite Users

  • Since Certificate Lite does not perform network scanning, it cannot detect certificate installations directly.
  • Expiry checks are based only on CT Log data.
  • Once a day, Red Sift Certificate checks if an expiring certificate has been superseded by a newer certificate:
    ✅ If a newer certificate exists, no notification is sent.
    ❌ If no newer certificate exists, an expiry alert is sent.

Limitations:

  • If a customer renews a certificate but forgets to install it, they may still receive an expiry alert.
  • The system cannot distinguish whether a certificate is installed on all necessary hosts.
  • Expiry notifications may still be triggered for certificates that appear superseded when the newer certificate does not have an identical Subject Alternative Name (SAN) list. If the newer certificate includes additional SAN entries (e.g., a wildcard alongside a specific domain), it is not recognized as a direct replacement. We are actively improving this logic to reduce unnecessary notifications.
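The Lite rule and its SAN-list caveat are easy to reason about once written down as a decision function. The Python below is an added example, not Red Sift code: `Cert`, `find_superseder` and `should_alert` are names chosen here, the seven-day window comes from the "one-time email 7 days before expiration" behaviour described later in this guide, and the certificate records are constructed. The last case in the sample shows the documented limitation: a renewal whose SAN set is a superset of the old one is not treated as a replacement.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Cert:
    """Constructed CT-log-derived record (placeholder fingerprints, no real data)."""
    fingerprint: str
    not_before: datetime
    not_after: datetime
    sans: frozenset       # SAN names; compared as a set, order does not matter


def find_superseder(expiring, inventory, now):
    """Newest certificate that is a direct replacement: identical SAN set, currently
    valid, and outliving the expiring one. Superset/subset SAN lists do not qualify."""
    candidates = [
        c for c in inventory
        if c.fingerprint != expiring.fingerprint
        and c.sans == expiring.sans
        and c.not_before <= now <= c.not_after
        and c.not_after > expiring.not_after
    ]
    return max(candidates, key=lambda c: c.not_after, default=None)


def should_alert(expiring, inventory, now, window=timedelta(days=7)):
    """CT-only decision: alert once the certificate is within `window` of expiry
    and no direct replacement has been logged. Already-expired certs are skipped."""
    if expiring.not_after < now:
        return False
    if expiring.not_after - now > window:
        return False
    return find_superseder(expiring, inventory, now) is None


# Constructed scenario: one certificate five days from expiry, plus possible renewals.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SANS = frozenset({"example.com", "www.example.com"})
OLD = Cert("old1", NOW - timedelta(days=85), NOW + timedelta(days=5), SANS)
RENEWED = Cert("new1", NOW - timedelta(days=2), NOW + timedelta(days=88), SANS)
NOT_YET_VALID = Cert("new3", NOW + timedelta(days=1), NOW + timedelta(days=91), SANS)
SUPERSET = Cert("new2", NOW - timedelta(days=2), NOW + timedelta(days=88),
                SANS | {"*.example.com"})   # extra wildcard SAN: not a direct replacement
FAR_OFF = Cert("far1", NOW - timedelta(days=10), NOW + timedelta(days=60), SANS)

if __name__ == "__main__":
    print("no renewal      ->", should_alert(OLD, [OLD], NOW))                 # True
    print("direct renewal  ->", should_alert(OLD, [OLD, RENEWED], NOW))        # False
    print("future renewal  ->", should_alert(OLD, [OLD, NOT_YET_VALID], NOW))  # True
    print("superset SANs   ->", should_alert(OLD, [OLD, SUPERSET], NOW))       # True (caveat)
    print("outside window  ->", should_alert(FAR_OFF, [FAR_OFF], NOW))         # False
```

Because this decision is made purely from logged certificates, it cannot tell whether the renewed certificate was ever installed; that is the trade-off the limitations above describe, and why the Enterprise tier verifies endpoints instead.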

Certificate Deletion & Archiving

1️⃣ Automatic Deletion for Certificate Lite Users

Due to limited storage quotas, Red Sift Certificate automatically deletes:

  • Duplicate certificates (e.g., pre-certificates when the actual certificate exists).
  • Expired certificates that have been superseded by newer ones.

2️⃣ Enterprise Customer Certificate Retention

  • Currently, expired certificates are not deleted, but this will change starting February 28, 2025.
  • Expired certificates will be archived once they have not been seen on the network for at least 90 days.

This reduces unnecessary data clutter and helps organizations maintain an updated view of active certificates.


Summary of Differences Between Certificate Lite & Enterprise

| Feature | Certificate Lite | Enterprise |
|---|---|---|
| Certificate Ingestion | CT Logs only | CT Logs + Network Scanning + Cloud Integrations + API |
| Network Scanning | ❌ No | ✅ Yes |
| Cloud Integrations | ❌ No | ✅ Yes |
| API Access | ❌ No | ✅ Yes |
| Expiry Notifications | CT Log-based only | Endpoint verification before alerting |
| Certificate Deletion | Automatic cleanup of expired/superseded certs | 90-day archival process (effective Feb 28, 2025) |
| Management Console | Basic interface | Fully interactive console with advanced filtering & search |
| Certificate Discovery | Manual entry (limited to 250 certs) | Automated discovery across hosts, network ranges, domains & IPs |
| Monitoring & Assessment | CT log-based monitoring | Continuous CT log & network scan monitoring with daily security checks |
| Expiration Alerts | One-time email 7 days before expiration | Configurable notifications with critical & overdue alerts |
| Integrations & Security Insights | ❌ No | Connect with AWS, GCP, Azure for automated certificate management; detailed issuance history and deployment tracking; endpoint classification & security analysis |
| DNS monitoring & port scanning | ❌ No | DNS monitoring & port scanning for detecting unauthorized certificates |

Choosing the Right Tier
Red Sift Certificates Lite is ideal for individuals, hobbyists, and small businesses needing basic certificate expiry tracking (up to 250 certificates).
Red Sift Certificates Enterprise is designed for businesses requiring full automation, security insights, and enterprise-scale certificate management.