Self-hosted · Open source · Free

SSL certificate monitoring. And then some.

Never miss a certificate expiration again. TLSentinel scans every server you give it — internal, private, or public — alerts you before anything expires, and grades the security of every endpoint. Runs on your own infrastructure.

Get Started

Dashboard — fleet overview, expiring certs, and recent scan errors

Endpoints — every monitored deployment, with status and next expiry

Monitor — every active certificate across the fleet, sorted by expiry

Certificates — inventory of every certificate seen during scans

TLS Posture — protocol acceptance, certificate authorities, and weak cipher report

Features

Everything you need, in one place.

Distributed Scanner Agents

Reach servers behind firewalls, on private networks, and in isolated environments. The scanner runs where you do.

Email Alerts

Get warned before any certificate expires, with enough time to do something about it.

Security Posture Grading

Each server gets a letter grade for its security configuration. Spot weak settings before they become incidents.

Single Sign-On

Sign in with Entra ID, Google, Okta, or any OIDC provider. Local accounts work too. Role-based access controls who can manage vs. who can only view.

Full Certificate Inventory

Every certificate you've ever seen, with full history. Answer "what changed, when, and on which server" months later.

REST API

Everything in the dashboard is also available through the API. Add servers, query status, integrate with your tooling.

How it works

Up and running in minutes.

TLSentinel is designed to self-host with Docker Compose. No cloud account required.

Deploy with Docker Compose

Spin up the server and a PostgreSQL database. The server runs database migrations automatically on first start.

Create scanner tokens in the dashboard and deploy scanner agents to any machine that can reach your hosts. Each agent authenticates with its token and polls for work.

Add your hosts

Add hosts through the dashboard or API. Assign them to a scanner and set the scan interval. The scanner handles the rest.

Get alerted before it's too late

Configure your mail server and TLSentinel will email your admins at 30, 14, 7, and 1 day before each certificate expires. Automatically.

SSL certificate monitoring. And then some.

Everything you need, in one place.

Up and running in minutes.

Ready to monitor your certificates?