Self-hosted certificate monitoring

Know Before Your SSL Certificates Expire

CertWatch runs inside your network, watches the certs you care about, and sends alerts while you still have time to renew — not after customers call.

  • Deploy once on a small VM, Pi, or appliance — data stays on your side
  • Scan internal ranges and public names from one dashboard
  • Email alerts with warning and critical thresholds you control
  • Docker-based; no SaaS lock-in, no per-certificate tax
See how it works

Three steps. No certificate roulette.

CertWatch is built for operators who already run Docker and do not want another cloud dashboard holding their inventory hostage.

Step 01

Deploy the agent

Install the CertWatch container on a VM, Raspberry Pi, Odroid, or any small x86 box on your LAN. HTTPS dashboard on your network; your data never leaves the host unless you choose to export it.

Step 02

Define what to watch

Add domains manually, paste PEM certs for offline assets, or run network discovery — auto-detect local subnets, IP ranges, or DNS zones to find TLS services you forgot were there.

Step 03

Get alerts that matter

SMTP alerts at warning and critical thresholds, MSP-style early warnings at 60 and 30 days, monthly status reports, and per-domain test sends so you know email works before expiry day.

Built for people who actually run the network

MSPs and service providers

Drop a CertWatch instance per client site (or per segment), white-label the experience, and stop finding out about expired certs from the help desk.

  • Per-site self-hosted agents
  • MSP notification paths for early renewal
  • Central management console (roadmap) for portfolio view

Internal IT and platform teams

Monitor internal apps, dev/staging hosts, and appliances that never made it into your public CA workflow — without opening firewall holes to a SaaS scanner.

  • LAN and DNS-based discovery
  • Self-signed and internal CA detection
  • No outbound dependency except SMTP and cert checks

What you get on day one

CertWatch is the product name for a mature monitoring stack — network scanning, alerting, and a operator-first UI, not a weekend script with a login form.

Monitoring

Automatic expiry tracking

Scheduled checks, issuer and SAN visibility, days-remaining at a glance, manual check-now when you need it.

Discovery

Network scanning

Auto-detect local networks, CIDR/range scans, and DNS zone queries with live progress — find TLS before it becomes a ticket.

Alerts

Email notifications

Warning and critical thresholds, test sends, monthly reports, and MSP early-warning paths — Office 365 and Gmail presets supported.

Deploy

Self-hosted Docker

Single-container deploy, persistent volume for config and history, restart on boot. You control updates and backups.

Security

HTTPS dashboard

Password-protected UI, setup wizard, optional custom TLS for internal hostnames and IPs — no blind trust in random SaaS dashboards.

MSP

White-label ready

Run under your brand per client. CertWatch is the public name; your clients see your deployment, your alerts, your relationship.

Ops

Paste and upload certs

Monitor certificates on air-gapped or non-routable systems by pasting PEM — no live TLS required for inventory.

UI

Operator dashboard

Light, dark, and system themes. Expandable cert details, renewal hints for major CAs, domain add/remove without SSH.

Roadmap

Central console

Aggregate many CertWatch agents into one management view — built for MSPs scaling past one dashboard per site.

Coming next: pricing tiers and central management

Waitlist members get pricing preview and beta access to the multi-site console.

Runs on hardware you already stock

If it runs Linux and Docker, it can run CertWatch. Low power, low noise, LAN-local.

Raspberry Pi 4/5 Odroid Intel NUC Proxmox LXC Small form-factor PC VM (2 GB RAM+)

Simple plans — details coming soon

TBD

We are finalizing per-site and MSP bundle pricing. Join the waitlist for early-access pricing and pilot terms — no commitment required.

Join waitlist for pricing