
Cert Sentry

Never get woken up at 3 AM for an expired certificate again

Scans your infrastructure for TLS certificates approaching expiry — endpoints, Kubernetes secrets, AWS ACM, and cert-manager resources. Generates a dashboard of certificate health and alerts before anything expires.

House Recipe · Work · 3 min

INGREDIENTS

  • 💬 Slack
  • ✈️ Telegram

PROMPT

Create a skill called "Cert Sentry". Monitor TLS certificates across my infrastructure:

1. For a list of domains/endpoints: connect with `openssl s_client` and extract cert details (issuer, subject, expiry, SANs)
2. In Kubernetes: list cert-manager Certificate resources and TLS secrets, check their status and expiry
3. In AWS: `aws acm list-certificates` and inspect associations plus renewal eligibility/status
4. Build an inventory sorted by expiry date (soonest first)

Flag certificates by urgency:
- CRITICAL: expires within 7 days
- WARNING: expires within 30 days
- OK: expires in 30+ days

For each CRITICAL/WARNING cert, suggest the renewal path (auto-renew via cert-manager, ACM renewal, manual renewal with Let's Encrypt, etc.). Run `openssl s_client -connect` for endpoint checks. Output as a clean summary I can share with the team.

How It Works

Certificate expiry has taken down Microsoft Teams, Spotify, and countless smaller services. This skill monitors all your certs so you find out weeks before expiry, not during the outage.

What You Get

  • Endpoint scan: checks TLS certificates on all your domains and ports
  • Kubernetes: audits cert-manager certificates and TLS secrets
  • AWS ACM: lists certificates, associations, and renewal eligibility/status
  • Expiry timeline: sorted by days until expiration
  • Alerts for certificates expiring within 30/14/7 days
  • Renewal automation: Let's Encrypt setup, cert-manager configs

Setup Steps

  1. Provide a list of domains/endpoints to monitor (or let it discover from K8s Ingresses)
  2. Run the scan to get a baseline certificate inventory
  3. Set up a weekly or daily schedule for ongoing monitoring
  4. Configure alerts to Slack or Telegram for upcoming expirations
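As an added example (not code from the recipe or its author), here is the endpoint-scan and urgency-flagging part of the prompt in Python: the stdlib `ssl` module stands in for `openssl s_client -connect`, the 7/30-day thresholds come from the prompt, and the function names, the `example.com` target and the sample records are assumptions of this example. It also handles the case the prompt does not mention: an endpoint whose handshake already fails (expired or untrusted cert) is reported as CRITICAL instead of being silently skipped.

```python
import socket
import ssl
from datetime import datetime, timezone

# Urgency thresholds from the recipe prompt (days until expiry).
CRITICAL_DAYS = 7
WARNING_DAYS = 30


def classify(days_left):
    """Map days until expiry to the recipe's urgency levels."""
    if days_left < CRITICAL_DAYS:
        return "CRITICAL"
    if days_left < WARNING_DAYS:
        return "WARNING"
    return "OK"


def scan_endpoint(host, port=443, timeout=5.0):
    """Handshake like `openssl s_client -connect host:port` and pull issuer,
    subject, expiry and SANs from the leaf cert. A failed handshake (expired,
    untrusted, name mismatch, unreachable) is recorded rather than raised."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except OSError as exc:  # ssl.SSLError and socket.timeout are OSErrors
        return {"endpoint": f"{host}:{port}", "not_after": None, "error": str(exc)}
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return {
        "endpoint": f"{host}:{port}",
        "subject": dict(x[0] for x in cert["subject"]),
        "issuer": dict(x[0] for x in cert["issuer"]),
        "sans": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
        "not_after": expiry,
    }


def build_inventory(records, now=None):
    """Attach days_left and urgency to each record, soonest expiry first.
    Records with a handshake error are CRITICAL and sort ahead of everything."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for rec in records:
        days = (rec["not_after"] - now).days if rec.get("not_after") else None
        urgency = "CRITICAL" if days is None else classify(days)
        rows.append({**rec, "days_left": days, "urgency": urgency})
    return sorted(rows, key=lambda r: -10**9 if r["days_left"] is None else r["days_left"])
```

To produce the shareable summary, call `build_inventory([scan_endpoint(h) for h in hosts])` over your own endpoint list (including the non-443 ports the Tips mention) and print each row's urgency, endpoint, days_left and error.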

Tips

  • Don't just check web endpoints — internal services, databases, and message brokers have certs too
  • cert-manager in Kubernetes handles renewal automatically, but only if it's configured correctly
  • AWS ACM auto-renews only for eligible certificates that are correctly attached/in use
  • Run as a daily cron to catch new certificates added outside your normal process
Tags: #security #certificates #monitoring #devops