Never let a certificate expire again.

TLSentinel monitors your TLS certificates across every host, alerts you before they expire, and gives you a clear view of your infrastructure's certificate health.

Get Started Read the Docs
Self-hosted
Your data, your infrastructure
Open source
Free forever
Docker
Deploy in minutes
REST API
Automate everything
Features

Everything you need to stay ahead of expiry.

TLSentinel keeps a complete picture of your certificate inventory and gets out of your way.

🔍
Distributed Scanner Agents
Deploy lightweight scanner agents anywhere in your infrastructure. Each agent polls for assigned hosts, probes TLS endpoints, and ships results back to the server.
🔔
Expiry Alerts by Email
Automatic email alerts at 30, 14, 7, and 1 day thresholds. Each threshold fires once per certificate — no alert storms, no duplicates.
📊
Clean Dashboard
A React dashboard gives you instant visibility into certificate status across all hosts — searchable, filterable, and role-aware.
🔐
OIDC + Local Auth
Sign in with any OIDC provider (Entra ID, Google, Okta) or use local accounts. Role-based access controls who can manage vs. who can only view.
🗃️
Full Certificate Inventory
Every certificate ever seen is stored and tracked — subject, SANs, issuer, fingerprint, and full chain. History is preserved across re-scans.
🔌
REST API
Every action available in the dashboard is also available through the REST API. Automate ingestion, query expiry status, and integrate with your existing tooling.
How it works

Up and running in minutes.

TLSentinel is designed to self-host with Docker Compose. No cloud account required.

1
Deploy with Docker Compose
Spin up the server and a PostgreSQL database. The server runs database migrations automatically on first start.
2
Register scanner agents
Create scanner tokens in the dashboard and deploy scanner agents to any machine that can reach your hosts. Each agent authenticates with its token and polls for work.
3
Add your hosts
Add hosts through the dashboard or API. Assign them to a scanner and set the scan interval. The scanner handles the rest.
4
Get alerted before it's too late
Configure your mail server and TLSentinel will email your admins at 30, 14, 7, and 1 day before each certificate expires. Automatically.

Ready to monitor your certificates?

TLSentinel is free, open source, and runs entirely on your own infrastructure.

View on GitHub Releases