Feature · Enterprise
DNS Spy discovers every SSL certificate across your domains automatically — then tracks expiration, audits cryptographic strength, and alerts you before anything breaks. No manual certificate imports. No missed renewals.
No credit card required · 7-day trial · Full Enterprise access
An expired SSL certificate doesn't give you a grace period. One minute it's valid, the next your users see "Your connection is not private" and bounce. Your API clients throw TLS verification errors. Your webhook deliveries fail silently. And if you have multiple servers behind a load balancer, the expired cert might only be on one of them — causing intermittent failures that are maddeningly difficult to diagnose.
Expiration is only half the problem. Weak key lengths, deprecated TLS protocols, hostname mismatches, and broken certificate chains are all security issues that exist right now on production endpoints — silently, until someone checks. Most teams check during setup and never again.
DNS Spy discovers your certificates through your DNS records, tracks every detail, and audits them continuously. When something is about to expire or is misconfigured, you know about it — with enough time to fix it.
DNS Spy resolves every A and AAAA record to its IP addresses, then connects to each IP with the correct SNI hostname to fetch the certificate and full chain. Every endpoint is checked — not just the first IP.
Six security checks evaluate each certificate: hostname match, key strength, signature algorithm, TLS version, chain validity, and self-signed status. Results feed into the Security Center's weighted scoring.
Expiration is tracked at 90, 30, and 7 days — plus already-expired. Security check state changes trigger instant notifications via email, Slack, Discord, or PagerDuty.
Beyond expiration tracking, DNS Spy audits certificate configuration and cryptographic strength with six automated checks — each explaining not just what failed, but why it matters.
Checks if the certificate's common name or SANs match the DNS record hostname. Modern browsers match only the SAN list and ignore the common name, so a certificate that names the host only in its CN is also a mismatch. A mismatch causes browser security warnings and breaks HTTPS trust.
Impact: Users see "Your connection is not private" errors. Search engines may deindex pages. API integrations fail TLS verification.
Checks for RSA keys shorter than 2048 bits or EC keys shorter than 256 bits. Keys below these sizes fall short of the 112-bit security level NIST requires, are within reach of well-funded attackers, and have been disallowed by NIST and the CA/Browser Forum for years.
Impact: Vulnerable to key recovery. Public CAs (under the CA/Browser Forum Baseline Requirements), browsers, and compliance frameworks such as PCI DSS all require at least RSA-2048 or an equivalent EC key.
Checks for deprecated signing algorithms like SHA-1 or MD5. Practical collisions exist for both (MD5 since 2008, SHA-1 since 2017), which is what lets an attacker forge a certificate that carries a valid-looking signature.
Impact: Browsers display security warnings or refuse to connect; publicly trusted SHA-1 leaf certificates have been rejected by all major browsers since 2017. Note that a trusted root's own signature is never evaluated, so a SHA-1 root at the top of a chain is not the same problem.
Checks if the server still negotiates TLS 1.0 or TLS 1.1. Both are deprecated by RFC 8996: they rely on CBC cipher suites exposed to attacks such as BEAST and Lucky13, and they lack the AEAD ciphers that TLS 1.2 introduced.
Impact: All major browsers dropped TLS 1.0/1.1 support in 2020. PCI DSS prohibits SSL and early TLS, and NIST SP 800-52 requires TLS 1.2 or higher.
Checks for incomplete or invalid certificate chains: a missing intermediate certificate, or a chain that does not lead back to a trusted root.
Impact: Browsers usually paper over a missing intermediate by fetching it from the URL in the certificate's Authority Information Access extension, or by reusing one cached from another site, so the page looks fine in a browser. Most other TLS stacks (OpenSSL-based tools, Go, Java by default) do not fetch intermediates, so mobile apps and API clients fail verification.
Checks if any certificates are self-signed (not issued by a trusted CA). Self-signed certificates trigger browser warnings.
Impact: Users see full-page security warnings. HTTPS trust is broken. Acceptable for internal/dev environments but never for production.
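As an added example, not DNS Spy's own code, here is how the discovery step and the six checks above fit together using only Go's standard library. Discover resolves the A and AAAA records, opens one TLS connection per IP with SNI set to the record's name, and hands each endpoint's certificate, intermediates and negotiated version to Audit. Demo exercises Audit offline against constructed certificates: a CA-issued P-256 certificate for www.example.com and a self-signed RSA-1024 certificate for other.example.com, both served as if they belonged to www.example.com. The hostnames, the demo CA and the check names are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Finding is one failed check; an empty result means all six checks passed.
type Finding struct{ Check, Detail string }

// Audit runs the six checks on one endpoint: the leaf, the intermediates the server sent,
// the trust store, the SNI hostname (the DNS record's name) and the negotiated TLS version.
func Audit(leaf *x509.Certificate, sent []*x509.Certificate, roots *x509.CertPool, host string, ver uint16) []Finding {
	var f []Finding
	if err := leaf.VerifyHostname(host); err != nil { // 1. SANs only, as in every modern browser
		f = append(f, Finding{"hostname_mismatch", err.Error()})
	}
	if k, ok := leaf.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 { // 2. key strength
		f = append(f, Finding{"weak_key", fmt.Sprintf("RSA %d bits", k.N.BitLen())})
	} else if k, ok := leaf.PublicKey.(*ecdsa.PublicKey); ok && k.Curve.Params().BitSize < 256 {
		f = append(f, Finding{"weak_key", fmt.Sprintf("EC %d bits", k.Curve.Params().BitSize)})
	}
	switch leaf.SignatureAlgorithm { // 3. leaf only: a trusted root's own signature is never evaluated
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		f = append(f, Finding{"weak_signature", leaf.SignatureAlgorithm.String()})
	}
	if ver < tls.VersionTLS12 { // 4. TLS 1.0 and 1.1 are deprecated by RFC 8996
		f = append(f, Finding{"deprecated_tls", fmt.Sprintf("0x%04x", ver)})
	}
	inter := x509.NewCertPool() // 5. chain built only from what the server sent, no AIA fetching
	for _, c := range sent {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		f = append(f, Finding{"invalid_chain", err.Error()})
	}
	if bytes.Equal(leaf.RawSubject, leaf.RawIssuer) && // 6. issuer == subject and verifies under its own key
		leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil {
		f = append(f, Finding{"self_signed", leaf.Subject.String()})
	}
	return f
}

// Discover resolves host's A and AAAA records and audits each IP separately, dialing port 443
// with SNI set to host. Verification is off on the dial so the certificate is captured even when
// expired or mismatched (Audit validates it), and MinVersion is lowered because Go's default
// client floor of TLS 1.2 would hide exactly the servers the protocol check is meant to find.
func Discover(host string, roots *x509.CertPool) (map[string][]Finding, error) {
	ips, err := net.LookupIP(host)
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{ServerName: host, InsecureSkipVerify: true, MinVersion: tls.VersionTLS10}
	out := map[string][]Finding{}
	for _, ip := range ips {
		conn, err := tls.Dial("tcp", net.JoinHostPort(ip.String(), "443"), cfg)
		if err != nil {
			out[ip.String()] = []Finding{{"connect_error", err.Error()}}
			continue
		}
		st := conn.ConnectionState()
		conn.Close()
		out[ip.String()] = Audit(st.PeerCertificates[0], st.PeerCertificates[1:], roots, host, st.Version)
	}
	return out, nil
}

// newCert issues tmpl under parent's key (pass tmpl as parent for a self-signed certificate).
func newCert(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// Demo audits two constructed certificates as if both were served by IPs behind www.example.com:
// a CA-issued P-256 one over TLS 1.3 and a self-signed RSA-1024 one for another name over TLS 1.0.
func Demo() (good, bad []Finding) {
	now := time.Now()
	tmpl := func(sn int64, name string, isCA bool) *x509.Certificate { // constructed test data, not real hosts
		return &x509.Certificate{SerialNumber: big.NewInt(sn), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
			IsCA: isCA, BasicConstraintsValid: isCA, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	}
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caT := tmpl(1, "demo-ca.example.com", true)
	ca := newCert(caT, caT, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leaf := newCert(tmpl(2, "www.example.com", false), ca, &leafKey.PublicKey, caKey)
	weakKey, _ := rsa.GenerateKey(rand.Reader, 1024)
	selfT := tmpl(3, "other.example.com", false)
	self := newCert(selfT, selfT, &weakKey.PublicKey, weakKey)
	return Audit(leaf, nil, roots, "www.example.com", tls.VersionTLS13),
		Audit(self, nil, roots, "www.example.com", tls.VersionTLS10)
}

func main() {
	fmt.Println(Demo())
}
```

Run it and the CA-issued certificate produces no findings, while the self-signed one reports five: hostname mismatch, weak key, deprecated TLS, invalid chain and self-signed. Two details matter in practice. The dial disables verification so that an expired or mismatched certificate is still captured and classified rather than lost to a handshake error, and the chain check deliberately uses only the intermediates the server sent, which is the strict-client behaviour that exposes a missing intermediate a browser would silently repair.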
Every discovered certificate is stored with full metadata — searchable, sortable, and always up to date.
Common Name
The primary hostname the certificate is issued for.
Subject Alternative Names
Additional hostnames covered by the certificate (SANs).
Issuer Organization
The Certificate Authority that issued the certificate.
Serial Number
Unique identifier assigned by the CA.
Signature Algorithm
The algorithm used to sign the certificate (e.g., SHA256-RSA).
Key Type & Length
The public key algorithm and strength (e.g., RSA 2048, EC 256).
Valid From / Valid To
The certificate's validity period.
Self-Signed Status
Whether the certificate is self-signed (not CA-issued).
Chain Depth & Validity
The number of certificates in the chain and whether it validates correctly.
TLS Version
The TLS protocol version negotiated during the handshake.
IP Address & Port
The specific endpoint where the certificate was discovered.
First / Last Seen
When the certificate was first discovered and last verified.
DNS Spy discovers SSL certificates by connecting to every IP address behind your DNS records. No manual certificate uploads, no hostname lists — certificates are found through your live DNS infrastructure.
When a domain scan runs, DNS Spy resolves A and AAAA records, connects to each IP on port 443 with the correct SNI hostname, and fetches the full certificate and chain. This runs in parallel across all record/IP pairs for efficiency. New certificates are automatically added to your inventory.
SSL certificate expiration is tracked through the Security Center with checks at 90, 30, and 7 days — plus a critical alert for certificates already expired. Three windows to catch a problem before it becomes an outage, and a fourth to tell you it already has.
Expiration alerts integrate with the unified Expiration Calendar alongside domain registration expiration. One view shows everything that's expiring across your entire portfolio — sorted by urgency, filterable by type.
Beyond expiration, DNS Spy audits certificate configuration and cryptographic strength: hostname mismatches, weak keys, deprecated TLS protocols, invalid chains, self-signed certificates, and weak signature algorithms.
Each check runs automatically during domain scans and feeds into the Security Center's weighted scoring. A hostname mismatch (high criticality, 3x weight) impacts your security score significantly more than a deprecated protocol (medium criticality, 2x weight).
Every certificate is stored with complete metadata: common name, SANs, issuer, serial number, key type and length, signature algorithm, validity dates, chain depth, TLS version, and the IP address where it was found.
The certificate inventory is searchable and sortable by any field. See which certificates are issued by Let's Encrypt vs DigiCert, find all certificates using RSA-2048, or list every cert expiring in the next 30 days — all from a single view.
DNS Spy connects to every IP behind each DNS record — not just the first one. If your A record resolves to 4 load-balanced IPs, all 4 certificates are fetched and checked independently.
This catches the scenario where one server in a pool has an expired certificate, a mismatched hostname, or a different certificate version than the others. Most monitoring tools check one IP and assume the rest match. DNS Spy doesn't make that assumption.
SSL security check results feed into the Security Center's state-change notification system. You're alerted when a check transitions from pass to fail (or fail to pass) — not every time it runs.
When a certificate is renewed and the "SSL Certificate Expiring (7 Days)" check transitions from fail to pass, you get a confirmation notification. When a new certificate is deployed with a hostname mismatch, you're alerted immediately. Zero noise, full coverage.
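To show the four expiration windows and the state-change notification logic above as working code, here is an added example in Go; it is not DNS Spy's own implementation. Scan turns each endpoint's NotAfter date into pass/fail for four checks named expiring_90d, expiring_30d, expiring_7d and expired (names assumed for the example), Transitions diffs two scans and emits only the checks that changed state, and Demo walks a constructed two-IP pool behind www.example.com through a renewal that reached only one of the two servers.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Severity of an expiration finding; larger is more urgent.
type Severity int

const (
	OK       Severity = iota
	Low               // within 90 days: plan ahead
	Medium            // within 30 days: act now
	High              // within 7 days: urgent
	Critical          // already expired
)

// ExpiryTier maps a certificate's NotAfter to the four windows above.
func ExpiryTier(notAfter, now time.Time) Severity {
	switch d := notAfter.Sub(now); {
	case d <= 0:
		return Critical
	case d <= 7*24*time.Hour:
		return High
	case d <= 30*24*time.Hour:
		return Medium
	case d <= 90*24*time.Hour:
		return Low
	}
	return OK
}

// Scan turns the NotAfter date of each endpoint's certificate into the pass/fail state of the
// four expiration checks, keyed by endpoint and then by check name.
func Scan(at time.Time, notAfter map[string]time.Time) map[string]map[string]bool {
	out := map[string]map[string]bool{}
	for ep, exp := range notAfter {
		t := ExpiryTier(exp, at)
		out[ep] = map[string]bool{"expiring_90d": t < Low, "expiring_30d": t < Medium,
			"expiring_7d": t < High, "expired": t < Critical}
	}
	return out
}

// Event is what a notification channel receives: one check on one endpoint changed state.
type Event struct {
	Endpoint, Check string
	Passing         bool
}

// Transitions diffs two scans and returns only checks whose state changed: a check that keeps
// failing produces no repeat alert, a recovered check produces a confirmation, and a check seen
// for the first time is reported only if it fails.
func Transitions(prev, cur map[string]map[string]bool) []Event {
	var ev []Event
	for ep, checks := range cur {
		for name, pass := range checks {
			old, seen := prev[ep][name] // indexing a missing endpoint yields seen == false
			if (seen && old != pass) || (!seen && !pass) {
				ev = append(ev, Event{ep, name, pass})
			}
		}
	}
	sort.Slice(ev, func(i, j int) bool {
		if ev[i].Endpoint != ev[j].Endpoint {
			return ev[i].Endpoint < ev[j].Endpoint
		}
		return ev[i].Check < ev[j].Check
	})
	return ev
}

// Demo walks a constructed two-IP pool behind www.example.com through two scans ten days apart.
// Scan 1: both IPs serve a certificate with 5 days left. Scan 2: 203.0.113.10 has been renewed,
// 203.0.113.11 still serves the old certificate, which has meanwhile expired.
func Demo() (first, second []Event) {
	t0 := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	oldCert := t0.Add(5 * 24 * time.Hour)
	s1 := Scan(t0, map[string]time.Time{"203.0.113.10": oldCert, "203.0.113.11": oldCert})
	s2 := Scan(t0.Add(10*24*time.Hour), map[string]time.Time{
		"203.0.113.10": t0.Add(95 * 24 * time.Hour), "203.0.113.11": oldCert})
	return Transitions(nil, s1), Transitions(s1, s2)
}

func main() {
	fmt.Println(Demo())
}
```

The first scan, with no history, reports six failures (three windows per IP). The second reports only three events: two fail-to-pass confirmations for the renewed server and one pass-to-fail alert for the server that still holds the old, now expired certificate, which is exactly the one-bad-server-in-a-pool case the multi-endpoint discovery exists to catch. One consequence worth knowing: an ACME-issued 90-day certificate is always inside the 90-day window, so that check stays failed across renewals and, correctly, never re-alerts.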
When you manage dozens of client domains, each with their own certificates from different CAs with different renewal schedules, tracking expiration becomes a full-time job. DNS Spy discovers every certificate automatically and gives you a unified Expiration Calendar across all clients.
An expired certificate doesn't just show a browser warning — it breaks API integrations, webhook deliveries, and mobile app connections. DNS Spy's tiered alerts at 90, 30, and 7 days give your team multiple windows to renew before users are impacted.
Weak keys, deprecated TLS versions, and self-signed certificates on production endpoints are security audit findings waiting to happen. DNS Spy runs these checks continuously so your team knows about configuration issues as they're introduced — not during the annual PCI audit.
A hostname mismatch or expired certificate on your checkout page or login portal means lost transactions and eroded trust. DNS Spy's multi-endpoint discovery checks every server behind your load balancer — because the one with the expired cert is the one your highest-value customer will hit.
6 SSL/TLS security checks
4 expiration alert tiers
Every IP endpoint checked
12 certificate fields tracked
Monitor 60+ record types across all authoritative nameservers.
40+ automated security checks with weighted scoring.
Look-alike domain detection and brand protection.
Track WHOIS changes and domain expiration dates.
Organize domains by client, environment, or business unit.
Email, Slack, Discord & PagerDuty alert channels.
Connect Claude & AI agents to your DNS monitoring.
DNS Spy discovers SSL certificates automatically through your DNS records. When a domain scan runs, DNS Spy resolves A and AAAA records to their IP addresses, then connects to each IP on port 443 with the correct SNI (Server Name Indication) hostname to fetch the certificate. This means every certificate across every record is discovered without manual configuration — including certificates on subdomains, CDN endpoints, and load-balanced infrastructure.
For every discovered certificate, DNS Spy stores: the common name and subject alternative names (SANs), issuer organization and common name, serial number, signature algorithm, key type and length, validity dates, self-signed status, chain depth and chain validity, TLS version negotiated, the IP address and port where it was found, and first/last seen timestamps. The full PEM certificate and chain are also stored.
SSL certificate expiration is tracked through the Security Center with checks at four intervals: 90 days (low severity — plan ahead), 30 days (medium severity — act now), 7 days (high severity — urgent), and already expired (high severity — critical). When a certificate enters any of these windows, the Security Center flags it and sends a state-change notification through your configured channels.
DNS Spy runs six SSL/TLS security checks: hostname mismatch (certificate doesn't match the DNS record it serves), weak key length (RSA < 2048 bits or EC < 256 bits), weak signature algorithm (SHA-1 or MD5), deprecated TLS protocol (TLS 1.0 or 1.1), invalid certificate chain (incomplete or broken chain), and self-signed certificates. All SSL/TLS security checks are available on the Enterprise plan.
An SSL hostname mismatch occurs when neither the certificate's common name nor any of its subject alternative names matches the hostname of the DNS record used to reach the server (the name sent as SNI). This causes browser security warnings ("Your connection is not private") and usually points to a misconfigured certificate, a certificate deployed to the wrong server, or a CDN or shared-hosting endpoint serving a default certificate, or someone else's, for your domain.
Yes. DNS Spy records the TLS version negotiated during the handshake with each IP address. The Deprecated TLS Protocol check flags connections that negotiate TLS 1.0 or TLS 1.1 — protocols with known security vulnerabilities that RFC 8996 deprecated and that major browsers no longer support. This helps you identify servers that need their TLS configuration updated.
DNS Spy connects to every IP address that each DNS record resolves to. If your A record points to multiple IPs (load-balanced), or if a CNAME resolves through a CDN, DNS Spy fetches the certificate from each endpoint independently. This catches scenarios where one server in a pool has an expired or misconfigured certificate while others are fine.
Yes. DNS Spy provides a dedicated SSL Certificates list view showing every certificate across all your domains — sortable by common name, issuer, expiration date, and status. Combined with the Expiration Calendar, you get a unified view of every certificate that matters to your organization.
SSL certificate discovery and the Expiration Calendar are available on all paid plans. SSL/TLS security checks (hostname mismatch, weak keys, deprecated protocols, chain validation, self-signed detection, weak signatures) and SSL certificate expiration alerts require the Enterprise plan. All features are available during the 7-day free trial.
SSL certificates are fetched during each domain scan cycle as part of the scanning pipeline. The fetch runs in parallel across all record/IP pairs for efficiency. Security checks have a 30-minute throttle between runs for the same domain, ensuring certificates stay current without excessive connection overhead.
Most teams don't know the exact number — or which ones expire next. Start your free trial and find out in minutes.
Start Free Trial