Expired SSL/TLS certificates cause immediate downtime — browsers refuse to connect, APIs return errors, and users lose trust. Despite this, certificate expiry remains one of the most common causes of preventable outages. The solution is proactive monitoring.
dargslan-cert-manager is a free Python CLI tool that monitors SSL/TLS certificates across all your servers and local files. It tracks expiry dates, audits certificate chains, identifies weak configurations, and alerts you before certificates expire.
Quick Start
pip install dargslan-cert-manager
dargslan-cert report example.com # Full certificate report
dargslan-cert check example.com google.com # Quick expiry check
dargslan-cert file -f /etc/ssl/cert.pem # Check local cert
dargslan-cert local # Find local certificates
dargslan-cert issues example.com # Audit for problems
dargslan-cert json example.com # JSON output
Remote Certificate Checking
The tool connects to any hostname on any port and retrieves the SSL/TLS certificate. It extracts subject, issuer, validity dates, serial number, fingerprint, and Subject Alternative Names (SANs). Most importantly, it calculates the exact number of days until expiry.
Bulk Certificate Monitoring
For organizations managing dozens or hundreds of domains, bulk checking is essential. Pass multiple hostnames on the command line or use the Python API to iterate over your domain inventory:
from dargslan_cert_manager import CertManager

cm = CertManager()
domains = ["dargslan.com", "api.dargslan.com", "shop.dargslan.com"]
results = cm.bulk_check(domains)
for cert in results:
    # A result without 'days_until_expiry' falls back to 999 and is not flagged here.
    if cert.get('days_until_expiry', 999) < 30:
        print(f"WARNING: {cert['hostname']} expires in {cert['days_until_expiry']} days")
Local Certificate Scanning
The tool scans standard certificate directories (/etc/ssl/certs, /etc/pki/tls/certs, /etc/letsencrypt/live) for .pem, .crt, and .cert files. Each found certificate is checked for expiry. This catches forgotten intermediate certificates and expired CA bundles.
Audit Functionality
The audit combines remote and local checks into a prioritized issue list:
- Critical: Certificate already expired or expiring within 7 days
- Warning: Certificate expiring within 30 days
- Critical: Cannot connect to host (network issue or TLS misconfiguration)
- Warning: Local certificate file expired
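The remote half of this audit can be sketched with only the Python standard library. This is an added example, not dargslan-cert-manager's own code: the function names (fetch_peer_cert, classify, audit) and the sample certificates are assumptions made for illustration, and the 7-day and 30-day thresholds are the ones from the list above.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

CRITICAL = timedelta(days=7)   # thresholds taken from the audit list above
WARNING = timedelta(days=30)

def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Handshake with chain and hostname verification; return the getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def classify(cert, now):
    """Map a getpeercert()-style dict to (severity, message)."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    remaining = expires - now
    if remaining <= timedelta(0):
        return "critical", f"expired {expires:%Y-%m-%d}"
    severity = ("critical" if remaining <= CRITICAL
                else "warning" if remaining <= WARNING else "ok")
    return severity, f"expires in {remaining.days} days"

def audit(hostnames, fetch=fetch_peer_cert, now=None):
    """Return [(hostname, severity, message)], most severe first."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for host in hostnames:
        try:
            severity, msg = classify(fetch(host), now)
        except ssl.SSLCertVerificationError as exc:
            # A verifying client rejects an expired or untrusted chain in the handshake.
            severity, msg = "critical", f"verification failed: {exc.verify_message}"
        except OSError as exc:  # DNS failure, refused, timeout, other TLS errors
            severity, msg = "critical", f"cannot connect: {exc}"
        findings.append((host, severity, msg))
    order = {"critical": 0, "warning": 1, "ok": 2}
    return sorted(findings, key=lambda f: order[f[1]])

# Constructed sample certificates (only the field used here), not real data.
SAMPLE = {
    "expired.example": {"notAfter": "Jan  1 00:00:00 2024 GMT"},
    "soon.example": {"notAfter": "Jun  5 12:00:00 2024 GMT"},
    "month.example": {"notAfter": "Jun 25 12:00:00 2024 GMT"},
    "fine.example": {"notAfter": "Dec 31 23:59:59 2024 GMT"},
}
```

Passing fetch=SAMPLE.__getitem__ and a fixed now replays the constructed certificates offline; with the default fetch, a host whose certificate has already expired is reported through the verification-failure branch, because the handshake is rejected before the dates can be read.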
Automation with Cron
# Daily certificate check for all production domains
0 8 * * * dargslan-cert issues prod.example.com api.example.com cdn.example.com >> /var/log/cert-audit.log 2>&1
# Weekly local certificate scan
0 9 * * 1 dargslan-cert local >> /var/log/local-certs.log 2>&1
Integration with Let's Encrypt
If you use Let's Encrypt for automatic certificate renewal, monitoring is still essential. Renewal failures can go unnoticed until the certificate expires. Schedule regular checks of your Let's Encrypt domains to verify renewals are happening on time.
Certificate Chain Validation
A complete certificate chain includes the server certificate, intermediate certificates, and the root CA. Missing intermediates cause validation failures on some clients (particularly older Android devices). The tool shows the issuer chain for each certificate so you can verify completeness.
Best Practices
- Monitor all production certificates daily with automated alerts
- Set up warnings at 30 days and critical alerts at 7 days before expiry
- Keep a centralized inventory of all certificates and their renewal sources
- Test certificate renewal automation regularly — do not assume it works
- Scan local certificate stores monthly for expired or unused certificates
Conclusion
Certificate expiry is preventable with proper monitoring. dargslan-cert-manager gives you comprehensive certificate visibility across remote servers and local files. Install it today and never be surprised by an expired certificate again.