SSL Certificate Monitoring That Goes Beyond Expiration Dates

Leave a reply
Generator Labs certificate monitoring portal showing active monitors

Most certificate monitoring tools do one thing: alert you when a certificate is about to expire. That’s useful, but expiration is only one of the ways a certificate can fail. Generator Labs certificate monitoring runs eight independently configurable checks on every scan, so you catch problems that a basic expiry check misses entirely.

What Gets Checked on Every Scan

Each monitoring profile supports up to eight alert types:

  • Expiration: configurable thresholds anywhere from 0 to 90 days out, up to 10 per profile
  • Chain integrity: catches missing or expired intermediate certificates before clients do
  • Hostname mismatch: flags certificates that don’t cover the host they’re serving
  • CA trust failure: alerts when a certificate can’t be validated to a trusted root
  • Revocation: detects certificates that have been pulled by their issuing CA
  • Fingerprint changes: tracks renewals and unexpected replacements
  • Certificate flapping: multiple fingerprint changes in a short window, often a load balancer misconfiguration
  • Missing or misconfigured CAA records: ensures only authorized CAs can issue for your domains

All eight can be toggled independently per profile, so you can be aggressive on production hosts and quieter on staging or internal infrastructure.

Monitoring Profiles

Profiles group hosts with shared settings. A common pattern is a Production profile with tight thresholds and PagerDuty alerts, a Staging profile with looser thresholds and email-only, and a separate Internal profile for private CA hosts. Profile changes apply immediately across all assigned hosts.

Internal and Private Certificate Monitoring

External checks can’t reach internal services, self-signed certificates, or private CA infrastructure. The private certificate monitoring agent is a lightweight Docker container you deploy inside your network. It checks internal hosts and reports back to the platform over outbound HTTPS. No inbound firewall rules needed, and private keys never leave your network.

Protocol Coverage

The monitor handles direct TLS on any port, plus STARTTLS for SMTP, IMAP, POP3, LMTP, FTP, and LDAP, and the implicit TLS variants: SMTPS, IMAPS, POP3S, FTPS, LDAPS. If TLS is running on it, you can monitor it.

Pricing

Certificate monitoring is $0.01 per host per day. No contracts, no minimums, no flat fees. You pay for active hosts only. Full details on the certificate monitoring pricing page.

Monitoring Internal and Private CA Certificates with Generator Labs

Leave a reply

External certificate monitoring works well for public-facing infrastructure, but it has an obvious blind spot: it can’t reach anything inside your private network. Internal APIs, databases with TLS-encrypted connections, mail servers on non-public ports, self-signed certificates, and infrastructure issued by a private CA all go completely unmonitored. Those certificates still expire. When they do, the failures tend to be worse, because internal services rarely have the same visibility as public ones.

Generator Labs internal certificate monitoring solves this with a lightweight on-premise agent you deploy as a Docker container inside your network.

How It Works

Diagram showing the Generator Labs private monitoring agent connecting internal hosts to the platform over outbound HTTPS

The agent runs inside your private network, connects to your internal hosts, retrieves their certificates, and reports the data back to the Generator Labs platform over outbound HTTPS. No inbound firewall rules are required. Private keys never leave your network. From the platform’s side, internal monitors look and behave exactly like external ones.

What It Can Monitor

The agent connects to any TLS endpoint your network can reach:

  • Internal web servers and APIs
  • Databases with TLS connections (PostgreSQL, MySQL, MongoDB, Redis)
  • Internal mail servers (SMTP, IMAP, POP3 with STARTTLS or implicit TLS)
  • IoT devices and embedded systems serving TLS on custom ports
  • Any service running TLS on any port

It runs the same eight checks as external monitoring: expiration, chain integrity, hostname validation, CA trust, revocation, fingerprint changes, flapping, and CAA records.

Private CA Support

If your internal certificates are issued by a private CA, you can import that CA’s root certificate into the platform. The agent then validates certificate chains all the way to your private root, so chain integrity checks work correctly for internally-issued certificates, not just publicly-trusted ones.

Alerts

All the same notification channels are available: email, Slack, PagerDuty, Discord, webhooks, AWS SNS, and more. Internal certificate expiration or chain failures trigger the same alert pipeline as any other monitoring event.

Getting Started

The agent is open source and available at github.com/generator-labs/agent. Deploying it takes a few minutes: pull the Docker image, set your API credentials as environment variables, and configure the hosts you want to monitor. Full setup instructions are on the internal certificate monitoring page.

GoodTLS: Expert TLS/SSL Configuration Guides for Every Stack

Leave a reply

TLS configuration is one of those things everyone knows matters, but the documentation across different platforms is fragmented, inconsistent, and sometimes outdated. GoodTLS collects expert-recommended TLS/SSL configuration guides in one place, organized by application. No sifting through Stack Overflow threads or vendor docs that haven’t been updated since TLS 1.0 was acceptable.

GoodTLS homepage showing TLS/SSL configuration guides by application

Web Server Guides

The most common use case, and where TLS configuration has the most visibility. GoodTLS covers the major web servers with guides that focus on what actually matters for a modern deployment: TLS 1.2/1.3-only configurations, AEAD-only cipher suites, OCSP stapling, and secure header settings.

Each guide goes beyond a copy-paste snippet and explains the tradeoffs: which cipher suites to drop, why session ticket rotation matters, and what HSTS preloading requires.

GoodTLS Nginx configuration guide showing protocol version settings

Mail Server Guides

Mail server TLS configuration has real deliverability implications. Get the STARTTLS settings wrong and you are either degrading security or breaking mail flow. The Postfix TLS guide and Exim TLS guide cover both outbound and inbound TLS configuration, certificate requirements, and policy enforcement. Dovecot and Sendmail are covered as well.

If you are running your own mail infrastructure, certificate hygiene is part of the picture. Certificate monitoring tracks expiry across all your domains and alerts before anything lapses. An expired cert on your SMTP server will cause delivery failures before most teams even notice. On the deliverability side, blacklist monitoring watches your sending IPs against hundreds of blocklists so you catch reputation problems early.

Database and Infrastructure Guides

Database TLS is frequently an afterthought, but it is essential for any environment where the application and database are not co-located, or where compliance requirements apply. GoodTLS covers:

For infrastructure that handles DNS over TLS or encrypted replication traffic, having a reference for the correct cipher and protocol settings saves time and avoids the configuration drift that comes from guessing.

Why Configuration Quality Matters

A misconfigured TLS stack is not just a security risk. Weak cipher suites, missing OCSP stapling, and deprecated protocol versions can trigger browser warnings, fail PCI DSS or SOC 2 security scans, or cause mail rejections from strict receiving servers. The cost of getting it wrong shows up in unexpected ways.

GoodTLS is free to use and covers most common application stacks. If you are also looking to automate certificate monitoring across your infrastructure, Generator Labs certificate monitoring tracks SSL/TLS certificate expirations with automated alerts before they become outages.

Mr. DNS: Free DNS and Network Diagnostic Tools for Sysadmins and Email Teams

Leave a reply

Mr. DNS is a free collection of DNS and network diagnostic tools built for sysadmins, email administrators, and infrastructure teams. The site has been around for years, went offline for a while, and recently relaunched with an expanded tool set. Everything runs in the browser with no account required. If you work with DNS records, mail servers, or IP reputation, there is something here you will use regularly.

Mr. DNS homepage showing DNS and network diagnostic tools

DNS Tools

The DNS lookup tool handles all common record types: A, AAAA, MX, TXT, NS, SOA, CNAME, PTR, CAA, SRV, TLSA, HTTPS, MTA-STS, and BIMI. Results include TTL, geolocation data for nameservers, and flag icons for quick visual scanning.

The DNS propagation checker queries seven global resolvers simultaneously: Cloudflare, Google, Quad9, OpenDNS, AdGuard, NextDNS, and DNS.SB. Useful when you have just made a DNS change and need to see where it has landed without waiting or querying each resolver manually.

The DNSSEC checker validates the full chain of trust: DS records, DNSKEY records, RRSIG presence, and expiry. Good for confirming a DNSSEC deployment before and after changes.

Email Tools

The email tools are where Mr. DNS gets most of its daily use. The email health checker runs a combined SPF and DMARC evaluation and returns a letter grade (A through F) for your domain. One URL, one result, easy to share with a client or manager who needs a status report.

Mr. DNS email health checker showing an A grade for generatorlabs.com

Individual checkers are also available for SPF, DMARC, and DKIM when you need to dig into a specific record. The email header analyzer parses raw RFC 2822 headers and maps the full relay chain with per-hop timing and authentication results, useful for tracing a delivery failure or diagnosing a spam classification issue.

For teams managing outbound mail infrastructure, the MTA-STS checker validates DNS records and policy files, and the BIMI checker verifies SVG logos and VMC certificates for domains using brand indicators in supported mail clients.

Blacklist Checker

The blacklist checker queries your IP or domain against 15+ major RBLs and returns results in seconds. It is a solid first step when a client reports deliverability problems or when you are onboarding a new IP range and want a quick baseline.

For teams that need ongoing coverage rather than one-off checks, blacklist monitoring from Generator Labs runs continuous checks against hundreds of data sources and sends immediate alerts when a listing is detected. The free tier covers one host with no credit card required.

SSL and Network Tools

The SSL certificate checker inspects certificate details, expiry dates, SANs, issuer chain, and key type for any domain. Useful for a quick manual check before or after a certificate renewal.

For automated tracking across many domains, certificate monitoring from Generator Labs handles the ongoing work: scheduled checks, configurable expiry alert thresholds, and multi-channel notifications before anything expires.

Other network tools include ping, traceroute, port checker, HTTP headers inspector, HTTP/2 and HTTP/3 checker, and a what is my IP tool that detects both IPv4 and IPv6 with geolocation and ASN data.

Generators

Mr. DNS includes generators for SPF records and DMARC records for teams setting up email authentication from scratch. Both walk through the options and output a ready-to-paste DNS record.

Bottom Line

Mr. DNS covers the diagnostic side of DNS and email infrastructure without requiring an account or payment. For the monitoring side, Generator Labs provides continuous blacklist monitoring and certificate monitoring with alerting, picking up where the one-shot tools leave off. Both are worth bookmarking if you manage any kind of mail or DNS infrastructure.

Generator Labs: Blacklist and Certificate Monitoring for Email and Infrastructure Teams

Leave a reply

Generator Labs provides infrastructure monitoring for teams that need to stay ahead of two specific problems: IP and domain blacklistings that kill email deliverability, and SSL certificates that expire without warning. Both products run in the same portal, so you manage everything in one place.

Blacklist Monitoring

Blacklist monitoring runs continuous checks of your IPv4 addresses, IPv6 addresses, and domains against hundreds of RBL and URIBL data sources. The moment a listing is detected, alerts go out through whatever channels you have configured: email, SMS, Slack, Discord, PagerDuty, or webhooks.

Coverage is the differentiator. Free one-shot tools check a handful of the major lists. Generator Labs checks well over a hundred data sources on a schedule, including 30+ premium sources on Enterprise and Ultimate plans that free tools do not cover. You get notified when something changes; you are not logging in to run a manual check.

Other features worth knowing:

Full IPv6 support. IPv4 and IPv6 addresses are both monitored across all plans. As more mail infrastructure goes dual-stack, IPv6 blacklisting is a real and growing issue that most monitoring tools still treat as secondary.

Shareable public reports. Every monitored host gets a public report URL you can hand to a client, ISP, or manager without giving anyone portal access.

REST API. Full programmatic access to monitoring data and controls, with client libraries for PHP, Node.js, and Python.

Generator Labs RBL Monitoring hosts list

Blacklist Monitoring Pricing

  • Free: 1 host, 48-hour check interval, 100+ data sources. Free forever, no credit card required.
  • Professional: $8/month for 20 hosts at 24-hour intervals.
  • Enterprise: $16/month for 50 hosts at 12-hour intervals, premium data sources, custom run times.
  • Ultimate: $0.005 per check, unlimited hosts, custom intervals, all premium sources.

The Ultimate pay-per-check plan scales cleanly for larger deployments. Running 50 hosts daily against 150 data sources works out to roughly $11/month.

Certificate Monitoring

Certificate monitoring tracks SSL/TLS certificate expirations across your domains and sends alerts before anything expires. Add your domains, set alert thresholds, and the service runs automatically from there.

Both publicly-trusted and private or internal CA certificates are supported, which matters for teams running internal infrastructure that does not go through a public CA. Certificate expiry causes outages that are entirely preventable; automated monitoring removes the spreadsheet tracking and calendar reminders that most teams fall back on.

Generator Labs Certificate Monitoring monitors list

Monitoring profiles let you define reusable alert configurations across multiple monitors. Set custom expiration alert windows (5, 15, 30, 60 days, or any combination you need), choose which failure types trigger alerts, and assign private CAs or internal monitoring agents. One profile can cover dozens of monitors.

Generator Labs Certificate Monitoring add profile dialog

Certificate Monitoring Pricing

Certificate monitoring is priced at $0.01 per host per day, with no fixed tiers. You pay for what you monitor and can add or remove domains at any time.

Who It Is For

  • Email service providers and hosting companies monitoring large IP ranges
  • IT and security teams who need immediate notification when a host gets listed
  • Organizations managing many domains who need certificate expiry visibility without manual tracking
  • Developers who want API access to monitoring data for automation or integration

Get Started

Generator Labs offers continuous blacklist monitoring and certificate monitoring with solid alert coverage and a complete API. The free tier is a real free tier. Sign up at portal.generatorlabs.com to get started, no credit card required.