Documentation

Everything you need to set up and use Certy.

Quick Start

Get monitoring in three steps. You'll need an Azure App Registration with the right permissions — the Azure App Setup section walks you through creating one.

  1. Create your account — sign up at getcerty.com/signup. You'll be prompted to set up two-factor authentication (TOTP) before your first login.
  2. Add an Azure Tenant — go to Tenants → Add Tenant and enter your Azure Tenant ID, Client ID, and Client Secret. Give it a name (e.g. "Contoso Production").
  3. Run your first check — click Check Now on the tenant card. Results appear on the Dashboard within seconds, grouped by severity.
ℹ️ Your 14-day free trial starts automatically. No credit card required.

Azure App Registration Setup

Certy uses a service principal (App Registration) in your Azure AD to read certificate and secret metadata. It never writes to Azure — only reads. For the full picture of what Certy can and cannot see, read the security page.

Required permission

One Microsoft Graph application permission is required:

  • Application.Read.All — reads App Registrations and Enterprise Apps (application permission, not delegated)

Step-by-step

  1. In the Azure Portal, go to Azure Active Directory → App registrations → New registration. Name it something like Certy Monitor. Leave the redirect URI blank. Click Register.
  2. Go to API permissions → Add a permission → Microsoft Graph → Application permissions. Search for Application.Read.All, tick it, and click Add permissions.
  3. Click Grant admin consent for [your org] and confirm. The permission status should show a green tick.
  4. Go to Certificates & secrets → Client secrets → New client secret. Set an expiry (12 or 24 months). Click Add. Copy the secret Value immediately — it won't be shown again.
  5. From the App Registration Overview tab, copy:
    • Application (client) ID → paste as Client ID in Certy
    • Directory (tenant) ID → paste as Azure Tenant ID in Certy
    The secret value you copied in step 4 is the Client Secret.
⚠️ The App Registration's own client secret will appear in Certy's monitoring results when it approaches expiry — this is expected and useful.

What Gets Monitored

On each scheduled check, Certy scans these resource types in your Azure AD, plus any Azure Key Vaults you connect (see Azure Key Vault):

App Registrations

  • Client secrets (passwordCredentials) — the secrets used to authenticate your apps
  • Certificates (keyCredentials) — uploaded public certificates used for authentication

Enterprise Applications

  • Client secrets and certificates — same as above, on the service principal side
  • SAML signing certificates — the token-signing cert used by SAML SSO apps; flagged separately as Enterprise App – SAML Certificate

Severity levels

SeverityMeaningDefault threshold
expiredAlready past expiry date
criticalExpiring very soon≤ 7 days
warningExpiring soon≤ 30 days
infoExpiring within your warning window (e.g. 8–30 days on default settings)≤ warning threshold

Thresholds are configurable per tenant under Tenants → Edit. Items beyond the warning threshold are not shown in results.

Check frequency

  • Pro — once daily, at the time you configure in Settings
  • Business — as often as hourly

You can always trigger an immediate check with the Check Now button on any tenant.

Azure Key Vault

Certy monitors the expiry of certificates stored in your Azure Key Vaults — the SSL, code-signing, and other X.509 certs teams keep there. Key Vault secrets and keys are not monitored (they often have no expiry set); certificates always do.

Your certificates stay yours. Certy reads only certificate metadata — the name and expiry date. It never reads or stores the certificate value or private key.

1. Find your vault URL

In the Azure portal, open your Key Vault → Overview → copy the Vault URI (it looks like https://myvault.vault.azure.net).

2. Grant access to Certy's app registration

Certy uses the same app registration you set up for this tenant (see Azure App Setup). Give it read access to the vault's certificates one of two ways:

  • RBAC (recommended): Key Vault → Access control (IAM)Add role assignment → assign Key Vault Certificate User to your app registration.
  • Legacy access policies: Key Vault → Access policies → add a policy for your app registration with certificate List and Get permissions.

3. Add the vault in Certy

Go to Settings → Tenants → Edit, scroll to Azure Key Vaults, enter a friendly name and the vault URL, and click Add. Certificates from that vault will appear in the next check, tagged Key Vault – Certificate, using the same severity thresholds as everything else.

Notifications

Email alerts

Configure your SMTP settings in Settings → Notifications. You can use any SMTP provider (Gmail, Outlook, Resend, SendGrid, etc.).

Per-user preferences let you choose which severity levels trigger an email:

  • Expired — items that have already expired
  • Critical — expiring within your critical threshold
  • Warning — expiring within your warning threshold
  • Daily digest — a single summary email once per day listing all expiring items
  • Weekly digest — a Monday morning summary of everything expiring in the next 30 days, across all tenants
ℹ️ The From address is your own SMTP username — emails come from your account, not from Certy's servers.

Webhooks

Go to Settings → Webhooks → Add Webhook. Supported targets:

  • Microsoft Teams — paste an Incoming Webhook URL from your Teams channel connector
  • Slack — paste a Slack Incoming Webhook URL
  • Discord — paste a channel webhook URL (Server Settings → Integrations → Webhooks)
  • PagerDuty — paste your PagerDuty Events API v2 integration key
  • Generic HTTP — any URL; payload is JSON with all expiring items. Optionally configure an HMAC secret for signature verification.

Webhooks fire on each scheduled check. The payload includes tenant name, check timestamp, and the full list of expiring/expired items with their severity.

Users & Access

Roles

  • Admin — full access: manage tenants, users, webhooks, notifications, billing, and settings
  • Viewer — read-only access to the Dashboard and History; cannot modify any settings

Inviting users

Go to Settings → Users → Invite User. Enter their email and choose a role. They'll receive an invitation email with a link to set up their account and TOTP.

Viewer tenant restrictions

By default, viewers can see all tenants in your organisation. You can restrict a viewer to specific tenants under Settings → Users → Edit. This is useful for MSPs sharing a Certy account across multiple clients.

Multi-factor authentication

MFA is mandatory for all password-based accounts. During signup or first login you'll be prompted to scan a QR code with your authenticator app (Google Authenticator, Authy, 1Password, etc.). This cannot be disabled.

If a user loses access to their authenticator, an org admin can reset their MFA enrollment under Settings → Users → Reset 2FA. The user will re-enroll on their next login.

API Access Business

The Certy REST API lets you integrate monitoring results into your own tools and dashboards. API access requires a Business plan.

Creating an API key

  1. Go to Settings → API Keys → Create Key.
  2. Give the key a name (e.g. "Grafana integration"). The full key value is shown once — copy it now.
  3. Use the key in the X-API-Key request header.

Authentication

GET /api/v1/results
X-API-Key: acm_your_key_here

Key endpoints

  • GET /api/v1/results — all current expiring items across all tenants
  • GET /api/v1/tenants — list of your configured tenants and their last-check status

Full API reference is available at /api-docs (Swagger UI).

ℹ️ API results respect the same tenant access rules as the UI — a key owned by a viewer with restricted tenants will only return data for those tenants.

Plans & Billing

FeaturePro — $19/moBusiness — $49/mo
Azure tenants5Unlimited
Users5Unlimited
Check frequencyDailyHourly
Webhooks & email alerts
History & CSV export
REST API access

Trial

All new accounts start with a 14-day free trial on the Pro plan. No credit card required. At the end of your trial you'll be prompted to subscribe to continue.

Upgrading

Go to Settings → Billing → Upgrade to Business to switch plans instantly. Billing is prorated.

Cancellation

You can cancel at any time from Settings → Billing. Access continues until the end of your current billing period.