LúminaKite
Certificate lifecycle

SSL/TLS certificate monitoring

Expired certificates still create high-visibility incidents. LuminaKite checks the certificate presented by each monitored hostname, tracks the evidence that matters, and routes alerts before renewal windows become outages.

Operational outcomes

SSL/TLS

  • Reduce certificate-related downtime with configurable renewal windows.
  • Detect issuer, serial, fingerprint and certificate-chain changes.
  • Track weak TLS protocol support, weak ciphers, HSTS, OCSP, CRL and CAA evidence.
  • Keep SAN and wildcard coverage aligned with the hostnames your teams operate.

Core capabilities

Expiration windows
Create warning windows such as 7, 14, 30, 60 or 90 days so owners have time to renew, validate and deploy certificates.
Certificate change detection
Compare issuer, subject, serial number, SHA-256 fingerprint, validation level and chain fingerprints between checks.
Hostname coverage
Validate common name and Subject Alternative Name coverage, including wildcard behavior and IDNA-normalized hostnames.
Advanced TLS posture
Collect protocol support, cipher details, weak protocol exposure, SNI behavior, HSTS, CAA, OCSP and CRL status when advanced checks are enabled.
Evidence history
Store structured domain checks and events so responders can see what changed, when it changed and which alert rule fired.

How the module works

1

Add monitored hostnames

Register production domains, ports and expected certificate validation level for the surfaces your team owns.

2

Run scheduled checks

LuminaKite connects to each endpoint, parses the presented certificate and records transport evidence.

3

Compare against policy

The platform evaluates expiration windows, chain changes, TLS posture and owner preferences.

4

Route alerts

Relevant events are delivered through email, webhooks or team chat channels according to the active plan.

Signals and evidence

not_before and not_after dates
issuer, subject, serial and SHA-256 fingerprint
SAN, wildcard and hostname coverage
TLS version, cipher and handshake latency
HSTS, CAA, OCSP and CRL evidence

Common use cases

Prevent public outages

Alert application owners before a certificate expires on a customer-facing hostname.

Detect unexpected certificate rotation

Investigate sudden issuer, fingerprint or chain changes that were not part of a planned deployment.

Support compliance reviews

Export certificate and TLS posture evidence for infrastructure audits and renewal governance.

Frequently asked questions

Does LuminaKite need private keys?

No. The module inspects public certificate and transport metadata from the endpoint. It does not require private keys or internal access.

Can it monitor non-standard ports?

Yes. Domains can be monitored with a port, which is useful for APIs, admin panels and services that expose TLS outside port 443.

What happens when the certificate changes?

LuminaKite records the new evidence and can generate an event when issuer, chain, fingerprint or validation details differ from prior checks.

Can the module check revocation?

Advanced checks collect OCSP and CRL evidence when the issuing certificate exposes those endpoints.

Related modules