CertPulse Documentation

Everything you need to monitor TLS certificates across external endpoints, cloud providers, and Certificate Transparency logs.

Getting Started

CertPulse is a certificate monitoring platform for DevOps and platform engineering teams. It continuously monitors TLS certificates across your external endpoints, AWS ACM, Azure Key Vault, and GCP Certificate Manager — giving you a single dashboard for every certificate in your infrastructure.

Get up and running in under five minutes:

  1. Create an account. Sign up at certpulse.dev/sign-up. No credit card required for the free tier.
  2. Add your first endpoint. Enter a hostname (e.g. api.example.com). CertPulse will immediately scan it and display TLS details, certificate chain, and expiry information.
  3. Review your dashboard. See certificate health, expiry timeline, and scan results at a glance. Certificates expiring within 30 days are flagged automatically.
  4. Connect cloud accounts. Link your AWS, Azure, or GCP accounts to import managed certificates. See the Cloud Integrations section below for provider-specific setup.
  5. Set up alerts. Configure email, Slack, Discord, PagerDuty, MS Teams, or webhook notifications for expiry warnings, new certificate discoveries, and configuration issues.

External Endpoint Monitoring

External endpoint monitoring connects to your publicly-accessible TLS endpoints and inspects the full certificate chain. This works for any host reachable over the internet — web servers, API gateways, load balancers, mail servers, or anything else serving TLS.

Adding endpoints

Navigate to Endpoints in the dashboard and click Add Endpoint. Enter the hostname and optional port (defaults to 443). CertPulse validates the hostname and queues an immediate scan.

What gets checked

Each scan inspects:

  • TLS version — confirms TLS 1.2 or 1.3 is negotiated
  • Cipher suite — identifies the negotiated cipher and flags weak algorithms
  • Certificate chain validity — verifies the full chain from leaf to root CA
  • OCSP status — checks revocation status via OCSP stapling or responder query
  • Expiry date — tracks days until expiration with configurable alert thresholds
  • Subject / SANs — records all subject alternative names on the certificate
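
A local spot check for the items in this list that Python's standard library can see (TLS version, cipher, chain and hostname validation, expiry, SANs). This is an added example, not CertPulse's scanner; OCSP is left out, and the weak-cipher markers and the sample certificate are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Substrings of cipher-suite names that indicate known-weak algorithms
# (illustrative list chosen for this example, not CertPulse's).
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5")

def summarize(peercert, tls_version, cipher_name, now):
    """Reduce one handshake result to the fields listed above."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(peercert["notAfter"]), tz=timezone.utc)
    return {
        "tls_version": tls_version,
        "tls_ok": tls_version in ("TLSv1.2", "TLSv1.3"),
        "cipher": cipher_name,
        "weak_cipher": any(m in cipher_name.upper() for m in WEAK_MARKERS),
        "days_until_expiry": (expires - now).days,
        "sans": [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"],
    }

def scan(host, port=443):
    """Handshake with chain and hostname verification; raises ssl.SSLError on failure."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return summarize(tls.getpeercert(), tls.version(), tls.cipher()[0],
                             datetime.now(timezone.utc))

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notAfter": "Jun 15 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "api.example.com"), ("DNS", "*.api.example.com")),
}

if __name__ == "__main__":
    print(summarize(SAMPLE_CERT, "TLSv1.3", "TLS_AES_256_GCM_SHA384",
                    datetime(2026, 3, 20, tzinfo=timezone.utc)))
```
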

Scan frequencies by plan

Scan frequency depends on your plan tier:

| Plan | Scan Frequency |
|---|---|
| Free | Daily |
| Starter | Every 12 hours |
| Pro | Hourly |
| Business | Every 15 minutes |

Multi-region scanning

Scans originate from up to 3 global regions depending on your plan. Multi-region scanning catches CDN misconfigurations and geographic certificate differences that single-point monitors miss.

| Plan | Scan Regions |
|---|---|
| Free | 1: US East (iad) |
| Starter | 1: US East (iad) |
| Pro | 3: US East (iad), Europe (ams), Asia Pacific (sin) |
| Business | 3: US East (iad), Europe (ams), Asia Pacific (sin) |

Each scan result records which region it originated from. In the dashboard, the scan history table shows the check location as a human-readable region name (e.g., “US East”, “Europe”, “Asia Pacific”).

Cloud Integrations

Connect your cloud provider accounts to automatically discover and monitor managed certificates. CertPulse uses read-only access to import certificate metadata — it never modifies your infrastructure.

AWS ACM

CertPulse integrates with AWS Certificate Manager (ACM) using cross-account IAM role assumption. This means CertPulse never stores your AWS credentials — it assumes a role in your account with minimal read-only permissions.

Prerequisites

  • An AWS account with ACM certificates to monitor
  • Permission to deploy a CloudFormation stack (creates an IAM role)

Setup

  1. Deploy the CloudFormation template. From the CertPulse dashboard, navigate to Cloud Accounts > Add AWS Account. Click the "Launch Stack" button to deploy our CloudFormation template. This creates an IAM role with acm:ListCertificates and acm:DescribeCertificate permissions.
  2. Copy the Role ARN. After the stack deploys, copy the Role ARN from the CloudFormation outputs tab.
  3. Enter credentials in CertPulse. Paste the Role ARN into the CertPulse form. The External ID is pre-filled and unique to your organization; it prevents confused deputy attacks.

External ID: The External ID is a unique identifier generated per organization. It is included in the CloudFormation template and must match when CertPulse assumes the role. This is an AWS security best practice to prevent unauthorized cross-account access.
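
One way to audit the deployed role against the setup described above: confirm the trust policy pins sts:ExternalId and that the permissions stay within the two ACM read actions. This is an added example, not CertPulse's or the template's own code; the policy documents, account ID and External ID below are constructed placeholders.

```python
# The two actions named in the setup step above, lower-cased for comparison.
ALLOWED_ACTIONS = {"acm:listcertificates", "acm:describecertificate"}

def as_list(value):
    """IAM accepts a single string or a list for Action and condition values."""
    return value if isinstance(value, list) else [value]

def audit_role(trust_policy, permissions_policy, expected_external_id):
    """Return findings; an empty list means the role matches the documented setup."""
    findings = []
    for stmt in as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        if stmt.get("Principal") in ("*", {"AWS": "*"}):
            findings.append("trust policy lets any AWS principal assume the role")
        # Condition key names are case-insensitive, so normalise before the lookup.
        equals = {k.lower(): v for k, v in
                  stmt.get("Condition", {}).get("StringEquals", {}).items()}
        external_ids = as_list(equals.get("sts:externalid", []))
        if not external_ids:
            findings.append("trust policy has no sts:ExternalId condition")
        elif external_ids != [expected_external_id]:
            findings.append("sts:ExternalId does not match this organization's External ID")
    for stmt in as_list(permissions_policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            extra = {a.lower() for a in as_list(stmt.get("Action", []))} - ALLOWED_ACTIONS
            if extra:
                findings.append("permissions beyond the two ACM read actions: "
                                + ", ".join(sorted(extra)))
    return findings

# Constructed sample documents (placeholder account ID and External ID).
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
GOOD_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["acm:ListCertificates", "acm:DescribeCertificate"],
    "Resource": "*"}]}

if __name__ == "__main__":
    print(audit_role(GOOD_TRUST, GOOD_PERMS, "example-external-id"))
```
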

What gets synced

CertPulse syncs all ACM certificates across all enabled AWS regions in the account. This includes both issued certificates and imported certificates, along with their status, domain names, expiry dates, and associated resources.

Azure Key Vault

CertPulse reads certificates from Azure Key Vault using a Service Principal with minimal permissions.

Prerequisites

  • An Azure Active Directory Service Principal (App Registration)
  • The Service Principal needs Reader role on the subscription or resource group
  • Key Vault access policy or RBAC granting Certificate List and Certificate Get permissions

Scope options

You can connect CertPulse at two levels:

  • Single subscription — monitors all Key Vaults within one Azure subscription
  • Management group level — monitors Key Vaults across all subscriptions in a management group, useful for enterprise-scale Azure environments

What gets synced

CertPulse discovers all Key Vaults accessible to the Service Principal, enumerates their certificates, and imports metadata including subject, SANs, expiry date, issuer, and key type. Certificate private keys are never accessed or transferred.

GCP Certificate Manager

CertPulse integrates with GCP Certificate Manager using a Service Account with viewer-level access.

Prerequisites

  • A GCP Service Account with a JSON key file
  • The roles/certificatemanager.viewer role granted on the project or organization

Scope options

You can connect at two levels:

  • Single project — monitors all certificates in one GCP project
  • Organization level — monitors certificates across all projects in your GCP organization

What gets synced

CertPulse imports all certificates from GCP Certificate Manager including managed and self-managed certificates, their domain mappings, expiry dates, and provisioning status.

Certificate Transparency Monitoring

Certificate Transparency (CT) monitoring watches public CT logs for any certificates issued for your domains. This helps you detect unauthorized or unexpected certificate issuance — including shadow certificates, phishing domains, and mis-issued certs.

How it works

CertPulse uses a dual-source approach for CT monitoring:

  • CertStream — real-time feed of newly issued certificates from CT logs. Provides near-instant detection of new certificates for your watched domains.
  • crt.sh fallback — periodic queries to the crt.sh database for historical and catch-up data. Ensures no certificates are missed if the real-time feed has gaps.

Adding watched domains

Navigate to CT Monitoring in the dashboard and add domains you want to watch (e.g., example.com). CertPulse will monitor for certificates issued to the exact domain and all subdomains.

What “untracked” means

When a certificate appears in CT logs for one of your watched domains but doesn't match any certificate in your CertPulse inventory (neither an external endpoint nor a cloud-managed cert), it is marked as untracked. This could indicate:

  • A certificate issued by a team or service you haven't connected yet
  • A legitimate certificate from a CDN or third-party service
  • A potentially unauthorized or shadow certificate that needs investigation

Shadow certificate detection

Shadow certificates are TLS certificates issued for your domains without your knowledge or authorization. CertPulse flags CT log entries that don't match any known certificate in your inventory and alerts you so you can investigate. Common causes include compromised domain validation, unauthorized subdomain delegation, or forgotten services still issuing certificates.
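
The "untracked" classification described above, sketched as an added example (not CertPulse's implementation). It assumes inventory matching on issuer name plus serial number, which the page does not specify, and all sample entries are constructed.

```python
def covers(watched_domain, name):
    """True when a certificate name is the watched domain or one of its subdomains."""
    watched = watched_domain.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if name.startswith("*."):          # wildcard SAN: compare on its parent name
        name = name[2:]
    # Require a label boundary so "notexample.com" never matches "example.com".
    return name == watched or name.endswith("." + watched)

def classify(ct_entries, watched_domains, inventory):
    """Label each CT entry that touches a watched domain as tracked or untracked.

    inventory: set of (issuer, serial) pairs already known from endpoints and
    cloud accounts. The match key is an assumption of this example; a
    precertificate shares its serial number, and normally its issuer, with
    the final certificate, so both log entries resolve to the same key.
    """
    known = {(issuer, serial.lower()) for issuer, serial in inventory}
    results = []
    for entry in ct_entries:
        domains = sorted({d for d in watched_domains
                          for n in entry["names"] if covers(d, n)})
        if not domains:
            continue                   # certificate is not for a watched domain
        tracked = (entry["issuer"], entry["serial"].lower()) in known
        results.append({"serial": entry["serial"], "watched": domains,
                        "status": "tracked" if tracked else "untracked"})
    return results

# Constructed sample data.
INVENTORY = {("Example CA R1", "0A1B2C")}
CT_ENTRIES = [
    {"issuer": "Example CA R1", "serial": "0a1b2c", "names": ["api.example.com"]},
    {"issuer": "Other CA X2", "serial": "77FE01", "names": ["*.staging.example.com"]},
    {"issuer": "Other CA X2", "serial": "77FE02", "names": ["notexample.com"]},
]

if __name__ == "__main__":
    for row in classify(CT_ENTRIES, ["example.com"], INVENTORY):
        print(row)
```
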

Alerting

CertPulse alerts notify you of certificate issues before they become outages. Configure rules to match your operational needs.

Creating alert rules

Navigate to Alerts in the dashboard and click Create Rule. Each rule specifies:

  • Condition — what triggers the alert (expiry threshold, chain error, new CT discovery, etc.)
  • Scope — which certificates or endpoints the rule applies to (all, specific tags, or individual certs)
  • Channel — where to send the notification

Channel types

| Channel | Configuration |
|---|---|
| Email | Sends to team member email addresses. Available on all plans. |
| Slack | Provide an incoming webhook URL. Posts rich-formatted messages to your channel. |
| Discord | Provide a Discord webhook URL. Similar to Slack integration. |
| PagerDuty | Native PagerDuty integration. Triggers incidents for critical certificate expirations. Pro and Business plans. |
| MS Teams | Post certificate alerts to Microsoft Teams channels via incoming webhooks. Pro and Business plans. |
| Custom Webhook | POST JSON payload to any HTTPS endpoint. Build custom integrations with your existing tooling. |

Expiry thresholds

Configure when you want to be notified before a certificate expires. Common thresholds are 90, 60, 30, 14, and 7 days. You can create multiple rules with different thresholds and channels — for example, email at 30 days, Slack at 14 days, and PagerDuty at 7 days.

Test notifications

Each alert rule has a Test button that sends a sample notification to the configured channel. Use this to verify your webhook URLs and channel configuration before relying on them for production alerts.

Deduplication and auto-resolve

CertPulse deduplicates alerts so you don't receive repeated notifications for the same issue. Once the underlying issue is resolved (e.g., a certificate is renewed), the alert is automatically marked as resolved and a resolution notification is sent.

API Reference

The CertPulse REST API lets you manage endpoints, certificates, cloud accounts, and alerts programmatically. All API endpoints are under https://api.certpulse.dev/api/v1.

Authentication

API requests are authenticated using API keys. Keys are prefixed with cp_ and passed as Bearer tokens in the Authorization header.

Authentication header
Authorization: Bearer cp_your_api_key_here

Create API keys from Settings > API Keys in the dashboard. API keys inherit the permissions of the organization they belong to. The free plan does not include API access.

Rate limits

| Plan | Requests / minute |
|---|---|
| Free | No API access |
| Starter | 60 |
| Pro | 300 |
| Business | 1,000 |

Rate limit headers are included in every response: X-RateLimit-Limit, X-RateLimit-Remaining, and Retry-After (when rate limited).

Endpoints

GET /api/v1/certificates

List certificates with optional filtering and pagination.

Request
curl -s https://api.certpulse.dev/api/v1/certificates \
  -H "Authorization: Bearer cp_your_api_key_here" \
  -G \
  -d "page=1" \
  -d "per_page=25" \
  -d "status=expiring" \
  -d "source=acm"
Response
{
  "certificates": [
    {
      "id": "cert_8f3a...",
      "common_name": "api.example.com",
      "sans": ["api.example.com", "*.api.example.com"],
      "issuer": "Amazon",
      "not_after": "2026-06-15T00:00:00Z",
      "days_until_expiry": 87,
      "source": "acm",
      "status": "valid"
    }
  ],
  "total": 142,
  "page": 1,
  "per_page": 25
}
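
A client sketch for this endpoint that walks every page using the total, page and per_page fields and waits out 429 responses using Retry-After. This is an added example, not an official CertPulse client; it assumes Retry-After is given in seconds, and demo_transport is a constructed offline stand-in for the API.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://api.certpulse.dev/api/v1"

def http_get(url, api_key):
    """Default transport: returns (status, headers, parsed JSON body)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers, json.load(resp)
    except urllib.error.HTTPError as err:   # error responses still carry a JSON body
        return err.code, err.headers, json.load(err)

def list_certificates(api_key, get=http_get, sleep=time.sleep,
                      per_page=25, max_retries=3, **filters):
    """Fetch every page of /certificates, pausing when rate limited."""
    certs, page, retries = [], 1, 0
    while True:
        query = urllib.parse.urlencode({"page": page, "per_page": per_page, **filters})
        status, headers, body = get(f"{BASE_URL}/certificates?{query}", api_key)
        if status == 429 and retries < max_retries:
            retries += 1
            sleep(int(headers.get("Retry-After", 1)))   # assumed to be seconds
            continue
        if status != 200:
            raise RuntimeError(f"{status} {body.get('error')}: {body.get('message')}")
        retries = 0
        certs.extend(body["certificates"])
        # Stop on the last page, or on an empty page so a bad total cannot loop forever.
        if not body["certificates"] or page * per_page >= body["total"]:
            return certs
        page += 1

def demo_transport():
    """Constructed replies: one 429, then two pages of a three-certificate result."""
    replies = [
        (429, {"Retry-After": "2"}, {}),
        (200, {}, {"certificates": [{"id": "a"}, {"id": "b"}], "total": 3}),
        (200, {}, {"certificates": [{"id": "c"}], "total": 3}),
    ]
    return lambda url, api_key: replies.pop(0)
```

For real use, pass a key read from an environment variable or secret store instead of embedding it in the script.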

GET /api/v1/certificates/:id

Get detailed information about a single certificate, including the full chain and scan history.

Request
curl -s https://api.certpulse.dev/api/v1/certificates/cert_8f3a... \
  -H "Authorization: Bearer cp_your_api_key_here"

GET /api/v1/endpoints

List all monitored external endpoints with their current TLS status.

Request
curl -s https://api.certpulse.dev/api/v1/endpoints \
  -H "Authorization: Bearer cp_your_api_key_here"
Response
{
  "endpoints": [
    {
      "id": "ep_2b7c...",
      "hostname": "api.example.com",
      "port": 443,
      "tls_version": "TLS 1.3",
      "cipher_suite": "TLS_AES_256_GCM_SHA384",
      "last_scanned_at": "2026-03-20T08:15:00Z",
      "certificate_id": "cert_8f3a..."
    }
  ],
  "total": 12
}

GET /api/v1/cloud-accounts

List connected cloud provider accounts and their sync status.

Request
curl -s https://api.certpulse.dev/api/v1/cloud-accounts \
  -H "Authorization: Bearer cp_your_api_key_here"

GET /api/v1/alerts

List alert rules and recent alert events.

Request
curl -s https://api.certpulse.dev/api/v1/alerts \
  -H "Authorization: Bearer cp_your_api_key_here"

Error format

All API errors return a consistent JSON format with an HTTP status code and error message:

Error response
{
  "error": "not_found",
  "message": "Certificate not found",
  "status": 404
}

Common error codes: 400 (bad request), 401 (unauthorized — missing or invalid API key), 403 (forbidden — insufficient plan), 404 (not found), 429 (rate limited), 500 (internal server error).

Billing & Plans

Plan comparison

| Feature | Free | Starter | Pro | Business |
|---|---|---|---|---|
| Monthly price | Free | $29/mo | $79/mo | $199/mo |
| Annual price | Free | $290/yr | $790/yr | $1990/yr |
| Monitored endpoints | 5 | 50 | 250 | 1000 |
Cloud accounts21050
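| Feature | Free | Starter | Pro | Business |
|---|---|---|---|---|
| CT log domains | 1 | 5 | 25 | 100 |
| Team members | 2 | 5 | 20 | 50 |
| API keys |  | 2 | 5 | 10 |
| Scan frequency | Daily | Every 12 hours | Hourly | Every 15 minutes |
| Scan regions | 1 | 1 | 3 | 3 |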

Upgrades and downgrades

You can upgrade or downgrade your plan at any time from Settings > Billing. Upgrades take effect immediately with prorated billing for the remainder of the current period. Downgrades take effect at the end of the current billing period — you retain access to your current tier until then.

Free trial

All paid plans include a 14-day free trial. You get full access to the plan's features during the trial. No credit card is required to start. If you don't upgrade before the trial ends, your account reverts to the free tier. Existing monitoring data is preserved.
