Validators Overview

CertMonitor provides a modular validator system to check various aspects of SSL/TLS certificates and connections. Each validator can be enabled or disabled as needed, and some accept additional arguments for fine-grained control.

Available validators:

  • Expiration: Checks if the certificate is expired or expiring soon.
  • Hostname: Validates that the certificate matches the expected hostname.
  • SubjectAltNames: Checks the Subject Alternative Names (SANs) extension.
  • RootCertificate: Checks if the certificate is issued by a trusted root CA.
  • KeyInfo: Validates the public key type and strength.
  • TLSVersion: Validates the negotiated TLS version.
  • WeakCipher: Validates that the negotiated cipher suite is in the allowed list.
  • SensitiveDate: Validates that the certificate doesn't expire on built-in or user-specified sensitive dates.
  • Chain: Inspects the full TLS certificate chain for structural problems (missing intermediates, out-of-order or expired members). Opt-in; requires Python 3.10+.

See each page for usage and output examples.