Documentation
Quick Start
Get monitoring in three steps. You'll need an Azure App Registration with the right permissions — the Azure App Setup section walks you through creating one.
- Create your account — sign up at getcerty.com/signup. You'll be prompted to set up two-factor authentication (TOTP) before your first login.
- Add an Azure Tenant — go to Tenants → Add Tenant and enter your Azure Tenant ID, Client ID, and Client Secret. Give it a name (e.g. "Contoso Production").
- Run your first check — click Check Now on the tenant card. Results appear on the Dashboard within seconds, grouped by severity.
Azure App Registration Setup
Certy uses a service principal (App Registration) in your Azure AD to read certificate and secret metadata. It never writes to Azure — only reads. For the full picture of what Certy can and cannot see, read the security page.
Required permission
One Microsoft Graph application permission is required:
Application.Read.All— reads App Registrations and Enterprise Apps (application permission, not delegated)
Step-by-step
- In the Azure Portal, go to Azure Active Directory → App registrations → New registration. Name it something like Certy Monitor. Leave the redirect URI blank. Click Register.
-
Go to API permissions → Add a permission → Microsoft Graph → Application permissions.
Search for
Application.Read.All, tick it, and click Add permissions. - Click Grant admin consent for [your org] and confirm. The permission status should show a green tick.
- Go to Certificates & secrets → Client secrets → New client secret. Set an expiry (12 or 24 months). Click Add. Copy the secret Value immediately — it won't be shown again.
-
From the App Registration Overview tab, copy:
- Application (client) ID → paste as Client ID in Certy
- Directory (tenant) ID → paste as Azure Tenant ID in Certy
What Gets Monitored
On each scheduled check, Certy scans these resource types in your Azure AD, plus any Azure Key Vaults you connect (see Azure Key Vault):
App Registrations
- Client secrets (
passwordCredentials) — the secrets used to authenticate your apps - Certificates (
keyCredentials) — uploaded public certificates used for authentication
Enterprise Applications
- Client secrets and certificates — same as above, on the service principal side
- SAML signing certificates — the token-signing cert used by SAML SSO apps; flagged separately as Enterprise App – SAML Certificate
Severity levels
| Severity | Meaning | Default threshold |
|---|---|---|
| expired | Already past expiry date | — |
| critical | Expiring very soon | ≤ 7 days |
| warning | Expiring soon | ≤ 30 days |
| info | Expiring within your warning window (e.g. 8–30 days on default settings) | ≤ warning threshold |
Thresholds are configurable per tenant under Tenants → Edit. Items beyond the warning threshold are not shown in results.
Check frequency
- Pro — once daily, at the time you configure in Settings
- Business — as often as hourly
You can always trigger an immediate check with the Check Now button on any tenant.
Azure Key Vault
Certy monitors the expiry of certificates stored in your Azure Key Vaults — the SSL, code-signing, and other X.509 certs teams keep there. Key Vault secrets and keys are not monitored (they often have no expiry set); certificates always do.
1. Find your vault URL
In the Azure portal, open your Key Vault → Overview → copy the Vault URI (it looks like https://myvault.vault.azure.net).
2. Grant access to Certy's app registration
Certy uses the same app registration you set up for this tenant (see Azure App Setup). Give it read access to the vault's certificates one of two ways:
- RBAC (recommended): Key Vault → Access control (IAM) → Add role assignment → assign
Key Vault Certificate Userto your app registration. - Legacy access policies: Key Vault → Access policies → add a policy for your app registration with certificate List and Get permissions.
3. Add the vault in Certy
Go to Settings → Tenants → Edit, scroll to Azure Key Vaults, enter a friendly name and the vault URL, and click Add. Certificates from that vault will appear in the next check, tagged Key Vault – Certificate, using the same severity thresholds as everything else.
Notifications
Email alerts
Configure your SMTP settings in Settings → Notifications. You can use any SMTP provider (Gmail, Outlook, Resend, SendGrid, etc.).
Per-user preferences let you choose which severity levels trigger an email:
- Expired — items that have already expired
- Critical — expiring within your critical threshold
- Warning — expiring within your warning threshold
- Daily digest — a single summary email once per day listing all expiring items
- Weekly digest — a Monday morning summary of everything expiring in the next 30 days, across all tenants
Webhooks
Go to Settings → Webhooks → Add Webhook. Supported targets:
- Microsoft Teams — paste an Incoming Webhook URL from your Teams channel connector
- Slack — paste a Slack Incoming Webhook URL
- Discord — paste a channel webhook URL (Server Settings → Integrations → Webhooks)
- PagerDuty — paste your PagerDuty Events API v2 integration key
- Generic HTTP — any URL; payload is JSON with all expiring items. Optionally configure an HMAC secret for signature verification.
Webhooks fire on each scheduled check. The payload includes tenant name, check timestamp, and the full list of expiring/expired items with their severity.
Users & Access
Roles
- Admin — full access: manage tenants, users, webhooks, notifications, billing, and settings
- Viewer — read-only access to the Dashboard and History; cannot modify any settings
Inviting users
Go to Settings → Users → Invite User. Enter their email and choose a role. They'll receive an invitation email with a link to set up their account and TOTP.
Viewer tenant restrictions
By default, viewers can see all tenants in your organisation. You can restrict a viewer to specific tenants under Settings → Users → Edit. This is useful for MSPs sharing a Certy account across multiple clients.
Multi-factor authentication
MFA is mandatory for all password-based accounts. During signup or first login you'll be prompted to scan a QR code with your authenticator app (Google Authenticator, Authy, 1Password, etc.). This cannot be disabled.
If a user loses access to their authenticator, an org admin can reset their MFA enrollment under Settings → Users → Reset 2FA. The user will re-enroll on their next login.
API Access Business
The Certy REST API lets you integrate monitoring results into your own tools and dashboards. API access requires a Business plan.
Creating an API key
- Go to Settings → API Keys → Create Key.
- Give the key a name (e.g. "Grafana integration"). The full key value is shown once — copy it now.
- Use the key in the
X-API-Keyrequest header.
Authentication
GET /api/v1/results
X-API-Key: acm_your_key_here
Key endpoints
GET /api/v1/results— all current expiring items across all tenantsGET /api/v1/tenants— list of your configured tenants and their last-check status
Full API reference is available at /api-docs (Swagger UI).
Plans & Billing
| Feature | Pro — $19/mo | Business — $49/mo |
|---|---|---|
| Azure tenants | 5 | Unlimited |
| Users | 5 | Unlimited |
| Check frequency | Daily | Hourly |
| Webhooks & email alerts | ✓ | ✓ |
| History & CSV export | ✓ | ✓ |
| REST API access | — | ✓ |
Trial
All new accounts start with a 14-day free trial on the Pro plan. No credit card required. At the end of your trial you'll be prompted to subscribe to continue.
Upgrading
Go to Settings → Billing → Upgrade to Business to switch plans instantly. Billing is prorated.
Cancellation
You can cancel at any time from Settings → Billing. Access continues until the end of your current billing period.