Certificate Tracking
Automatically discover and track TLS/SSL certificates across your infrastructure with expiration monitoring and renewal workflows.
Overview
The certificate tracking system discovers TLS/SSL certificates across all connected providers and tracks their lifecycle. It monitors expiration dates, detects certificate changes, and provides automated renewal workflows to prevent certificate-related outages.
Certificate discovery
Certificates are discovered from multiple sources:
| Source | Certificates detected |
|---|---|
| AWS Certificate Manager | ACM-managed certificates |
| AWS IAM | Server certificates stored in IAM |
| Azure Key Vault | Certificates in Key Vault |
| GCP Certificate Manager | Google-managed certificates |
| Kubernetes | TLS Secrets referenced by Ingress and Gateway resources |
| Network probes | Certificates discovered via TLS handshake probes on public endpoints |
Expiration tracking
Every discovered certificate is tracked with its expiration date:
- Dashboard view -- all certificates with days-to-expiration, sorted by urgency
- Expiration timeline -- calendar view of upcoming certificate expirations
- Alert thresholds -- configurable alerts at 90, 60, 30, 14, and 7 days before expiration
- Chain validation -- detect incomplete or invalid certificate chains
- Subject tracking -- identify certificates by Common Name (CN) and Subject Alternative Names (SANs)
Renewal automation
For certificates managed by AWS ACM, Azure Key Vault, or GCP Certificate Manager, Knowledge Tree can trigger automated renewal:
- Detection -- certificate is within the renewal window
- Notification -- certificate owner is notified via email/Slack/PagerDuty
- Renewal -- automated renewal request through the provider API
- Verification -- new certificate is validated and added to the graph
- Cleanup -- old certificate is archived or removed per policy
Non-renewable certificates
Certificates from external authorities or manually uploaded to IAM cannot be auto-renewed. These are flagged for manual renewal with instructions.
Reporting
Certificate status reports can be generated on demand or on a schedule:
- Expiration report -- all certificates with upcoming expirations
- Coverage report -- which endpoints have valid certificates vs. which are missing or expired
- Compliance report -- certificate compliance with internal policies (max validity period, allowed CAs)
- Audit trail -- full history of certificate changes and renewals
```
# Query certificate status
GET /api/v1/certificates?scope=production

{
  "total": 42,
  "expiring_within_30_days": 3,
  "expired": 0,
  "by_provider": {
    "aws": 28,
    "azure": 10,
    "gcp": 4
  },
  "alerts": [
    {
      "certificate_id": "arn:aws:acm:us-east-1:123:certificate/abc",
      "subject": "*.acme.com",
      "expires_at": "2025-07-15T00:00:00Z",
      "days_remaining": 14,
      "status": "alert"
    }
  ]
}
```
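As an added illustration, not Knowledge Tree's own code, the Python below applies the 90/60/30/14/7-day alert thresholds to a constructed certificate inventory and builds the same summary shape the status query above returns. The inventory entries, the `provider` and `scope` fields, and the fixed reference time are assumptions.

```python
from datetime import datetime, timezone

# Alert thresholds from the page: days before expiration at which an alert fires.
ALERT_THRESHOLDS = (90, 60, 30, 14, 7)

# Constructed sample inventory (hypothetical IDs and hostnames, not real certificates);
# "provider" and "scope" are assumed attributes of a discovered certificate.
SAMPLE_INVENTORY = [
    {"certificate_id": "arn:aws:acm:us-east-1:123:certificate/abc", "provider": "aws",
     "scope": "production", "subject": "*.acme.com", "expires_at": "2025-07-15T00:00:00Z"},
    {"certificate_id": "arn:aws:acm:us-east-1:123:certificate/def", "provider": "aws",
     "scope": "production", "subject": "api.acme.com", "expires_at": "2026-01-01T00:00:00Z"},
    {"certificate_id": "https://kv.vault.azure.net/certificates/web", "provider": "azure",
     "scope": "production", "subject": "web.acme.com", "expires_at": "2025-06-20T00:00:00Z"},
    {"certificate_id": "projects/p/locations/global/certificates/old", "provider": "gcp",
     "scope": "staging", "subject": "old.acme.com", "expires_at": "2025-06-25T00:00:00Z"},
]

def parse_utc(ts):  # the API's ISO-8601 'Z' timestamps -> timezone-aware datetime
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
NOW = parse_utc("2025-07-01T00:00:00Z")  # fixed reference time, so the run is reproducible

def days_remaining(expires_at, now=NOW):  # negative once the certificate has expired
    return (parse_utc(expires_at) - now).days

def most_urgent_threshold(days):  # smallest threshold already crossed, or None
    crossed = [t for t in ALERT_THRESHOLDS if days <= t]
    return min(crossed) if crossed else None

def certificate_status(days):  # 'expired', 'alert' (inside a threshold) or 'ok'
    if days < 0:
        return "expired"
    return "alert" if most_urgent_threshold(days) is not None else "ok"

def summarize(inventory, scope, now=NOW):
    """Build the summary shape returned by GET /api/v1/certificates?scope=<scope>."""
    certs = [c for c in inventory if c["scope"] == scope]
    by_provider, alerts, expiring, expired = {}, [], 0, 0
    for c in certs:
        by_provider[c["provider"]] = by_provider.get(c["provider"], 0) + 1
        days = days_remaining(c["expires_at"], now)
        status = certificate_status(days)
        expired += status == "expired"
        expiring += 0 <= days <= 30  # still valid but inside the 30-day window
        if status != "ok":
            alerts.append({"certificate_id": c["certificate_id"], "subject": c["subject"],
                           "expires_at": c["expires_at"], "days_remaining": days, "status": status})
    alerts.sort(key=lambda a: a["days_remaining"])  # most urgent first, as on the dashboard
    return {"total": len(certs), "expiring_within_30_days": expiring, "expired": expired,
            "by_provider": by_provider, "alerts": alerts}
```

Run against the sample inventory, the `*.acme.com` entry lands on the 14-day threshold with status `alert`, while the already-expired Azure certificate sorts ahead of it.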