WebPixie
Certificate manager

Certificate Transparency monitor for all your domains

See every certificate issued for your domains and subdomains in public Certificate Transparency logs: common name, validity window, issuer, and serial number.

CT log inventory
Subdomain discovery
Free plan, no credit card
Certificate Transparency log · 4 certificates found
Common name | Issuer | Valid from | Valid to
api.acme.io | Let's Encrypt | 07 Jun | 05 Sep
shop.acme.io | Google Trust | 21 May | 19 Aug
mail.acme.io | DigiCert | 02 Apr | 02 Jul
staging.acme.io | Let's Encrypt | 24 May | 24 Jun
New certificate seen for staging.acme.io · review in CT log
Certificate monitoring is included in the free plan. Compare all plans

Discover subdomains you are not monitoring yet

The same Certificate Transparency data reveals subdomains across your domain, collected from CT log entries and your main certificate's SANs. Add any of them to monitoring in one click.

Add Site: api.acme.io
Add Site: staging.acme.io
Add Site: mail.acme.io
Add Site: admin.acme.io
Add Site: shop.acme.io

Subdomain discovery is sourced from public CT logs and certificate SANs; it does not brute-force or scan your infrastructure.

How the Certificates Manager works

The Certificates Manager periodically pulls public Certificate Transparency (CT) logs for each domain you monitor and lists every certificate seen for it and its subdomains. For each entry you get the common name, identity (SAN), validity window (not before and not after), issuer, and serial number.

CT logs record every certificate issued by every public CA, so this is where you catch a certificate you did not expect: a mistaken issuance, a compromised CA, or an unauthorized certificate for your brand. CT data is shown for review; the alerts come from SSL monitoring.

It is enabled automatically when SSL monitoring is on, with nothing extra to install. The per-site certificate checks (chain, expiry, TLS, cipher) live in SSL monitoring; the Certificates Manager is the CT-log view across your domains and subdomains.
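
The review described above (unexpected issuance, plus subdomain discovery from CT entries and SANs) can be sketched as follows. This is an added example, not WebPixie's code: the CtEntry type, the expected-issuer allowlist, the monitored set, the serial numbers and the year in the dates are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CtEntry:  # hypothetical record holding the fields the page lists
    common_name: str
    sans: tuple
    issuer: str
    not_before: str
    not_after: str
    serial: str

def normalize(name):
    """Lowercase, drop a trailing dot, and strip a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def in_scope(name, domain):
    """True for the domain or a real subdomain; 'notacme.io' must not match."""
    return name == domain or name.endswith("." + domain)

def review(entries, domain, expected_issuers, monitored):
    """Return (entries from unexpected issuers, unmonitored in-scope hosts)."""
    seen, unexpected, discovered = set(), [], set()
    for e in entries:
        key = (e.issuer, e.serial.lower())
        if key in seen:  # a precertificate and its final certificate share a serial
            continue
        seen.add(key)
        names = {normalize(n) for n in (e.common_name, *e.sans) if n}
        discovered |= {n for n in names if in_scope(n, domain)}
        if e.issuer not in expected_issuers:
            unexpected.append(e)
    return unexpected, sorted(discovered - {normalize(m) for m in monitored})

# Constructed sample entries modelled on the table above (year and serials invented).
ENTRIES = [
    CtEntry("api.acme.io", ("api.acme.io",), "Let's Encrypt", "2025-06-07", "2025-09-05", "03A1"),
    CtEntry("api.acme.io", ("api.acme.io",), "Let's Encrypt", "2025-06-07", "2025-09-05", "03a1"),
    CtEntry("shop.acme.io", ("*.Shop.acme.io",), "Google Trust", "2025-05-21", "2025-08-19", "7F22"),
    CtEntry("mail.acme.io", ("Admin.acme.io.", "notacme.io"), "DigiCert", "2025-04-02", "2025-07-02", "0B10"),
    CtEntry("staging.acme.io", ("staging.acme.io",), "Let's Encrypt", "2025-05-24", "2025-06-24", "04C9"),
]
EXPECTED_ISSUERS = {"Let's Encrypt", "DigiCert"}  # assumption: CAs this team actually uses
MONITORED = {"acme.io", "api.acme.io"}            # assumption: hosts already monitored

if __name__ == "__main__":
    flagged, new_hosts = review(ENTRIES, "acme.io", EXPECTED_ISSUERS, MONITORED)
    print([(e.common_name, e.issuer, e.serial) for e in flagged], new_hosts)
```

An issuer allowlist is only one way to define "unexpected"; a certificate from an expected CA that nobody on the team requested still needs a human to check it against issuance records.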

01

See every certificate issued for your domain

A Certificate Transparency log inventory

Certificates can be issued for your domain by any public CA, from anywhere. The Certificates Manager lists every certificate seen in CT logs for your domain and its subdomains, each with its common name, SAN, validity window, issuer, and serial number, so you have one place to review what exists.

02

Spot unexpected or unauthorized issuance

Catch a certificate you did not request

An attacker who obtains a valid certificate for your domain can impersonate your site convincingly. Because CT logs are public and complete, a certificate you did not request shows up here, so you can investigate a mistaken issuance, a compromised CA, or an outright unauthorized certificate.

03

Discover subdomains from your certificates

Surfaced from CT logs and certificate SANs

The same CT data reveals subdomains you may not be monitoring yet, collected from CT log entries and the SANs on your main certificate. Each discovered subdomain comes with an Add Site action, so turning a discovery into a monitored site is one click.

04

Works with SSL monitoring

Enabled automatically, no separate setup

The Certificates Manager turns on with SSL monitoring, with nothing extra to configure. The per-site chain, expiry, TLS, and cipher checks live in SSL monitoring; the Certificates Manager is the Certificate Transparency view that sits alongside them.

See all your certificates in 60 seconds

Free plan, no credit card. Included on every plan.


Why teams choose WebPixie for certificate management

Set up in 60 seconds

No agent to install. The Certificates Manager turns on with SSL monitoring; add a domain and WebPixie pulls its Certificate Transparency history.

Your whole site in one workspace

The certificate inventory sits next to uptime, SSL, DNS, domain, and link health, with one dashboard across all of them.

Built on SSL monitoring

Per-site validation and expiry alerts come from SSL monitoring; the Certificates Manager is where you review the Certificate Transparency inventory.

Frequently Asked Questions

Common questions about the certificate manager.

WebPixie surfaces certificate validity, chain trust, expiration, TLS configuration, and ownership details for each monitored site. SSL monitoring extracts the full certificate chain from leaf to intermediate to root, then verifies cryptographic signatures for RSA and EC/ECDSA certificates. It also reports TLS version, cipher suite, key exchange, key strength, Subject Alternative Names, OCSP and CRL endpoints, and Extended Key Usage OIDs. Expiration tracking is included, with default warnings 15 days before a certificate expires so teams have time to renew. SSL check failures and expiration events can create incidents through incident management, depending on your plan. Teams managing several domains can use the Certificates Manager to keep certificate status centralized across domains and subdomains.

Yes, WebPixie tracks SSL certificate status, expiration, trust chain, and TLS configuration for monitored sites. SSL monitoring runs daily checks that validate the full certificate chain from leaf to intermediate to root, verify cryptographic signatures, and inspect TLS version, cipher suite, key exchange, and key strength. WebPixie also surfaces Subject Alternative Names, OCSP and CRL endpoints, and Extended Key Usage OIDs; Certificate Transparency entries are available in the Certificates Manager. Expiration alerts are sent by default 15 days before a certificate expires, giving your team time to renew before visitors see browser warnings. SSL check failures and expiration events can create tracked incidents through incident management, depending on your plan. If you manage several domains or subdomains, use the Certificates Manager to keep certificate health centralized.

The Certificates Manager periodically pulls Certificate Transparency logs for each domain you add and lists the certificates issued for it and its subdomains. For every certificate it shows the common name, the identity or SAN, the validity window, the issuer, and the serial number, so you have a running record of what has been issued in your name. Certificate Transparency is a public, append-only log that certificate authorities write to when they issue a certificate, which makes it possible to spot issuance you did not expect. This is different from SSL monitoring, which validates the certificate your own site actually serves; the Certificates Manager watches what exists in the public record. It is enabled automatically when SSL monitoring is active, and you can compare plan limits on the pricing page.

Yes, WebPixie checks SSL certificates daily and sends expiration warnings by default 15 days before renewal is due. SSL monitoring reads the certificate chain, verifies trust, checks the expiration date, and surfaces details such as issuer, subject names, TLS version, cipher suite, and OCSP and CRL endpoints. Early warning matters because an expired certificate can trigger browser security warnings, block customer trust, and make checkout, login, or form submission feel unsafe. If a certificate check fails or expiration reaches an alert threshold, WebPixie can notify your team and, on supported plans, create an incident through incident management. Teams with several domains or subdomains can use the Certificates Manager to keep certificate status visible in one place.

Yes. Because the Certificates Manager reads Certificate Transparency logs, it surfaces certificates issued for your domain and subdomains even when they were not requested through your own process. An unexpected certificate can signal a misconfiguration or an unauthorized issuance, and seeing it in the log is the first step to acting on it, so you can tell a legitimate renewal from something that warrants review. The same data set powers subdomain discovery: subdomains found in Certificate Transparency logs and in your main certificate's SANs are listed with an action to start monitoring each one. WebPixie reports what the public record shows; it does not issue, renew, or revoke certificates, which stays with your certificate authority. This complements the per-site checks in SSL monitoring, and you can compare plan limits on the pricing page.

Ready to see every certificate?

Free plan, no credit card. Certificate Transparency log inventory across all domains.