Overview
CertLens Documentation
CertLens is a free certificate intelligence platform for engineers, security teams, and DevOps. It analyses X.509 certificates, JKS keystores, PKCS#12 files, and live TLS endpoints — detecting expiry, trust chain issues, weak algorithms, and more.
Uploaded certificates are processed in memory and never stored permanently. No account needed for basic scanning.
Certificate Analysis
Upload JKS, PKCS#12, or PEM and get full chain analysis
TLS Scanner
Scan any live domain — handles expired & self-signed certs
Expiry Monitor
Watch domains, get email alerts before certs expire
Renewal Assistant
4-step CSR generation and deployment wizard
Cert Comparison
Diff two certificates side by side across 12 fields
CI/CD API
REST API for GitHub Actions, Jenkins, GitLab pipelines
Supported Certificate Formats
PEM
.pem · .crt · .cer
Base64 X.509 — single cert or multi-cert chain bundle
JKS
.jks
Java KeyStore — multiple aliases, password required
P12
.p12 · .pfx
PKCS#12 — key + cert + chain bundle, password required
DER
.der
Binary X.509 format
TLS
hostname
Live cert chain fetched directly from server port 443
Keystore passwords are used only during the scan and never stored or logged.
Certificate Analysis
Upload one or more files from the homepage. CertLens accepts multiple files simultaneously.
1
Upload your file
Select PEM, JKS, PKCS#12, or DER. Multiple files supported.
2
Enter keystore password
For JKS and P12 files. Leave blank if not set — CertLens tries common defaults.
3
Click Analyze Certificates
Results appear instantly — chain diagram, risk score, per-cert details, and fix commands.
What CertLens detects
🔗 Trust chain gaps — missing intermediate or root CAs
📅 Expiry risk — exact days remaining with severity levels
🔑 Weak algorithms — SHA-1, MD5, RSA <2048 bits
🏷️ SAN mismatches — CN doesn't match Subject Alternative Names
🔒 Self-signed certs — no CA chain present
🃏 Wildcard certs — flagged for awareness
📦 Multi-alias keystores — per-alias risk inventory for JKS/P12
🎯 Certificate intent — server auth, client auth, code signing, SWIFT
TLS Scanner
Enter any hostname to fetch and analyse its live certificate chain. No file upload needed.
1
Enter domain
Type
example.com or api.example.com:8443 for custom ports.2
CertLens connects
DNS resolution → TCP connect → TLS handshake. For expired/self-signed certs, CertLens retries with verification disabled to still retrieve the cert details.
3
Full analysis
Same analysis as file upload — chain, risk score, expiry, algorithm strength.
Government and enterprise servers (e.g. some Indian government portals, banking systems) may block cloud provider IP ranges at the firewall. If a scan times out, the server is blocking GCP IPs — there is no workaround without a proxy.
Useful test domains
expired.badssl.com — expired certificate (CRITICAL) self-signed.badssl.com — self-signed cert (MEDIUM) wrong.host.badssl.com — hostname mismatch untrusted-root.badssl.com — untrusted root CA google.com — healthy reference cert
Sample Certificates
Click any sample chip on the homepage upload form to instantly load a test certificate — no file needed. Great for exploring CertLens features.
| Sample | Password | What it tests |
|---|---|---|
| ✅ Secure Chain | changeit | Full chain, SECURE result, score 100 |
| ⚠️ Expiring Soon | changeit | HIGH risk, 18-day expiry warning |
| 🔴 Expired | changeit | CRITICAL, expired badge, negative days |
| ⛓️ Missing Intermediate | changeit | Chain gap, missing CA shown in red |
| 🔒 Self-Signed | none | Self-signed flag, MEDIUM risk |
| 🗂️ Multi-Leaf Keystore | changeit | Multiple aliases, mixed risk levels |
| 📜 Chain Bundle PEM | none | Full chain in one PEM file |
Understanding Results
Every scan produces a detailed result page with these sections:
Risk Banner
Colour-coded SECURE / LOW / MEDIUM / HIGH / CRITICAL with a 0–100 security score. Red = act now, green = healthy.
Certificate Intent
Detected purpose — server auth, client auth, code signing, SWIFT/banking. Shown as a badge above the chain.
Chain Diagram
Visual node flow: Leaf → Intermediate → Root. Missing nodes shown in red. Hover for details.
Certificate Inventory
For JKS/P12 with multiple entries — table of all aliases with expiry, crypto, and per-alias risk.
Findings & Fixes
Each issue has WHY (root cause), IMPACT (what breaks), and FIX (exact terminal commands).
Certificate Details
Expandable accordion per cert — subject, issuer, validity, fingerprint, SANs, key usage.
PDF Report
Download a full audit-ready PDF of the scan — suitable for compliance and team sharing.
Renew & Compare
Jump directly to the Renewal Assistant or Certificate Comparison from any result page.
Expiry Monitor
Watch multiple domains and track certificate health over time. Requires a free account (Google sign-in).
1
Sign in with Google
Free, no password needed. Your data is stored privately in your account.
2
Add a domain
Click + Add Domain, enter the hostname, set alert threshold (default 30 days) and scan interval (default 24 hours).
3
CertLens watches it
Immediate scan on add, then periodic scans. Results saved to your account history.
4
Get alerted
Email alerts fire automatically when a cert hits your threshold. Daily digest at 8am UTC.
Dashboard columns
| Column | Description |
|---|---|
| Domain | Hostname being monitored |
| Last Scanned | Timestamp of most recent scan |
| Days Left | Days until expiry. Red = expired, amber = <30 days, green = healthy |
| Risk | Overall risk level from last scan |
| Score | Security score 0–100 |
| Algorithm | Key type and signature algorithm (e.g. RSA-2048 / SHA-256) |
Per-domain actions
🔄 Scan — trigger immediate scan, refresh row
🔄 Renew — open Renewal Assistant pre-filled with this domain
📧 Report — email a certificate report to your account email
📋 History — show last 20 scan results for this domain
🗑️ Remove — stop monitoring this domain
Alert thresholds
| Condition | Severity | Action |
|---|---|---|
| Already expired | CRITICAL | Renew immediately |
| ≤ 7 days remaining | CRITICAL | Renew this week |
| ≤ 30 days remaining | HIGH | Schedule renewal |
| ≤ your notify threshold | MEDIUM | Plan renewal |
Alerts are deduplicated — the same alert type for the same domain is only generated once per day. Acknowledge individual alerts or click Acknowledge All to clear the panel.
Email Alerts
CertLens sends HTML emails to your Google account address automatically when a monitored certificate is at risk.
Automatic alerts
Fires immediately when a scan detects expiry risk. Includes cert details, expiry date, and a link to the monitor.
Daily digest
At 8:00 AM UTC daily — one email listing all at-risk domains across your account.
On-demand report
Click 📧 Report on any domain row to instantly email yourself a full certificate report, regardless of risk level.
Emails are sent from
certlens@navsatech.dev. Check your spam folder if not received. Alerts are sent from SendGrid — no data is shared.Certificate Renewal Assistant
A 4-step wizard that guides you through the full renewal process — from CSR generation to deployment. Access via the 🔄 Renew button in the monitor or from a scan result. Fields are pre-filled from your existing certificate.
1
Verify certificate details
Review and edit: CN, Organisation, OU, Country, State, City, SANs, key type (RSA-2048/4096, EC P-256/P-384), and validity period.
2
Generate CSR & private key
Two options:
Browser-side (recommended) — private key generated in your browser using Web Crypto API. Never sent to any server.
Server-side — full CSR + private key generated on CertLens, returned for download. Key is not stored after your session.
Browser-side (recommended) — private key generated in your browser using Web Crypto API. Never sent to any server.
Server-side — full CSR + private key generated on CertLens, returned for download. Key is not stored after your session.
3
Submit to your CA
Copy your CSR and submit it. Guided instructions for Let's Encrypt (Certbot), DigiCert, Sectigo, and Internal CA (OpenSSL signing commands).
4
Deploy the new certificate
Copy-paste deployment commands for Nginx, Apache, Java/JKS (keytool), Kubernetes (TLS secret), and Node.js. All pre-filled with your actual CN and domain.
Save your private key immediately after generation. It is shown once and cannot be recovered. Use the ⬇ Download button before proceeding to Step 3.
Certificate Comparison
Diff two certificates side by side across 12 fields. Useful for audits, verifying renewals, and spotting unintended changes.
Access at /compare or via the Compare link in the navbar.
How to use
1
Upload or paste Cert A and Cert B
Each side accepts a file upload (PEM, JKS, P12) or a pasted PEM block. Enter the keystore password if needed.
2
Click Compare
Results appear instantly with a diff table and summary.
Fields compared
📋 Common Name (CN)
🏢 Subject (full DN)
🏛️ Issuer
🌐 Subject Alternative Names
📅 Valid From / Valid To
⏰ Days Remaining
🔢 Serial Number
🔑 Key Type
✍️ Signature Algorithm
🔏 Fingerprint (SHA-256)
📌 X.509 Version
Changed rows are highlighted in amber. Green/red shading shows which certificate is better — e.g. more days remaining = green, SHA-1 = red. Risk level and security score are shown side-by-side at the bottom.
CI/CD API
A REST API for integrating certificate scanning into any pipeline. Returns a passed boolean that pipelines can use as a gate. Requires a free account.
Getting started
1
Generate an API key
Go to API Keys → Generate Key. Add a label (e.g. "GitHub Actions"). The full key is shown once — save it immediately.
2
Add to your pipeline secrets
Store as
CERTLENS_API_KEY in GitHub Secrets, GitLab Variables, or Jenkins Credentials.3
Call the API
Use curl or any HTTP client. Returns HTTP 200 if passed, 422 if failed.
Endpoints
| Method | Path | Description | Auth |
|---|---|---|---|
| GET | /api/v1/status | Health check | None |
| POST | /api/v1/scan/domain | Scan a live TLS domain | X-API-Key |
| POST | /api/v1/scan/file | Upload and scan a cert/keystore | X-API-Key |
Domain scan — request body
{
"domain": "app.example.com", // required
"port": 443, // optional, default 443
"fail_if_days_below": 30, // optional, default 30
"fail_if_risk": ["CRITICAL", "HIGH"] // optional, default ["CRITICAL"]
}
File scan — form fields
file — certificate file (PEM, JKS, P12) password — keystore password (optional) fail_if_days_below — integer, default 30 fail_if_risk — comma-separated, e.g. "CRITICAL,HIGH"
Response
{
"passed": true,
"risk_level": "SECURE",
"security_score": 100,
"days_left": 287,
"expires": "2027-01-15 10:30 UTC",
"common_name": "app.example.com",
"issuer": "CN=Let's Encrypt R10",
"sans": ["app.example.com", "www.example.com"],
"key_type": "RSA-2048",
"sig_algo": "SHA256",
"missing_cas": [],
"fail_reasons": [],
"scanned_at": "2026-04-11T08:00:00Z"
}
HTTP
200 = passed. HTTP 422 = failed (cert issue). HTTP 401 = invalid key. HTTP 500 = scan error.GitHub Actions
- name: Check certificate expiry
run: |
curl -sf -X POST \
https://certlens.navsatech.dev/api/v1/scan/domain \
-H "X-API-Key: ${{ secrets.CERTLENS_API_KEY }}" \
-H "Content-Type: application/json" \
-d '{"domain":"${{ env.DOMAIN }}","fail_if_days_below":30}' \
| jq -e '.passed'
GitLab CI
cert-check:
script:
- |
curl -sf -X POST \
https://certlens.navsatech.dev/api/v1/scan/domain \
-H "X-API-Key: $CERTLENS_API_KEY" \
-H "Content-Type: application/json" \
-d "{\"domain\":\"$CI_ENVIRONMENT_URL\",\"fail_if_days_below\":30}" \
| jq -e '.passed'
Jenkins (Groovy)
def result = sh(
script: """curl -sf -X POST \
https://certlens.navsatech.dev/api/v1/scan/domain \
-H 'X-API-Key: ${CERTLENS_API_KEY}' \
-H 'Content-Type: application/json' \
-d '{"domain":"${DOMAIN}","fail_if_days_below":30}' """,
returnStdout: true
)
def json = readJSON text: result
if (!json.passed) error("Cert failed: ${json.fail_reasons}")
File scan example
curl -X POST https://certlens.navsatech.dev/api/v1/scan/file \
-H "X-API-Key: cl_your_key_here" \
-F "file=@keystore.jks" \
-F "password=changeit" \
-F "fail_if_days_below=30" \
| jq '{passed, risk_level, days_left, fail_reasons}'
Maximum 5 active API keys per account. Keys can be revoked instantly from the API Keys page. Each key records its last-used timestamp.
AI Copilot
An AI-powered PKI assistant available on every page via the Copilot button in the bottom-right corner. Powered by Google Gemini.
What it can help with
🛠️ TLS errors — PKIX path building failed, certificate verify failed, hostname mismatches
☕ Java keystores — keytool commands, JKS to PKCS#12 migration, alias management
🔗 Trust chains — root CA, intermediate CA, AIA chasing, chain validation
🔧 OpenSSL — s_client, x509, verify, pkcs12 commands
🏦 SWIFT PKI — SAG certificates, SWIFTNet hierarchy, BIC-based naming
🔄 Renewal guidance — CSR generation, CA submission, deployment steps
Scan-aware responses
When a scan result is active, the Copilot receives the full scan context — risk level, expiry, chain details, missing CAs, and issues. Ask "why is my chain failing?" and get answers specific to your actual certificate, not generic advice.
Example questions
Why is my cert failing validation? How do I fix a missing intermediate CA? What does PKIX path building failed mean? How do I import a PKCS#12 into a JKS keystore? My SWIFT SAG connection is failing — what cert do I need? What's the difference between SHA-256 and SHA-1?
Risk Levels
| Level | Score | Conditions | Action |
|---|---|---|---|
| CRITICAL | 0–30 | Expired, OR <7 days, OR SHA-1/MD5, OR RSA <1024 bits | Renew immediately — service may already be failing |
| HIGH | 31–55 | 7–30 days remaining, OR RSA-1024, OR missing intermediate CA | Renew this week |
| MEDIUM | 56–79 | 30–90 days remaining, OR self-signed, OR wildcard cert | Schedule renewal soon |
| LOW | 80–89 | 90–180 days remaining, minor issues | Monitor |
| SECURE | 90–100 | >180 days, full trusted chain, RSA-2048+/EC, SHA-256+ | No action needed |
Privacy & Security
Files never stored
Uploaded certificates are processed in memory and discarded immediately after analysis. Not written to disk.
Passwords not logged
Keystore passwords are used only during the scan and never stored, logged, or transmitted.
Browser-side key gen
The Renewal Assistant's browser-side option generates your private key in your browser. It never reaches the server.
Google OAuth only
No passwords stored by CertLens. Authentication delegated entirely to Google.
Firestore isolation
Monitor data stored in Google Cloud Firestore under your user ID. Only you can access your domains and scan history.
No ads, no tracking
CertLens displays no ads and shares no data with third parties.