SC-081v3 is now in effect

SSL certificates are about to expire 8x faster. Are you ready?

New CA/Browser Forum rules are slashing certificate lifetimes from 398 days to just 47 days. CertShield discovers and monitors every cert across your infrastructure—so nothing expires on your watch.

The Certificate Crisis is Here

CA/Browser Forum Ballot SC-081v3, approved April 2025, mandates dramatically shorter TLS certificate lifetimes. The first deadline has passed. Manual renewal processes are already under strain—and it only gets harder from here.

March 15, 2026 — Now Active

Max 200 Days

Renewals have shifted from annual to every ~6 months. Existing workflows are already under strain.

March 15, 2027

Max 100 Days

Quarterly renewals. Spreadsheets and calendar reminders won't cut it anymore.

March 15, 2029

Max 47 Days

Near-monthly renewals. Automation is no longer optional—it's mandatory for every organization.

Organizations that rely on manual certificate renewal will face exponential workload growth as validity periods shrink. Automation becomes the only viable path.

Industry consensus on SC-081v3 impact

With 47-day maximums by 2029, certificate management moves from a periodic task to critical infrastructure that must run continuously and reliably.

On the operational impact of shorter lifetimes

Major CAs including DigiCert and Sectigo have publicly endorsed the shift, urging customers to adopt automated certificate lifecycle management now.

CA industry response to SC-081v3

One Dashboard. Every Certificate. Total Visibility.

Three steps to never worry about certificate expiry again.

Discover

Scan your domains and CT logs. Find every certificate across every provider—including ones you didn't know about. See what's expiring, what's expired, and what shouldn't exist.

Monitor

Slack and email alerts before anything expires. Configurable thresholds at 30, 14, 7, and 1 day. Never miss a renewal.

Automate

ACME-powered renewal for Let's Encrypt certificates via DNS-01 challenges. Supports Cloudflare, Route53, and Hetzner DNS.

Coming soon

What We're Building

Purpose-built for teams that manage certificates across multiple providers, platforms, and environments.

Certificate Discovery

Scans your domains via TLS handshake inspection and Certificate Transparency logs. Finds every certificate across every provider—including ones you didn't know existed. Pulls expiration dates, issuer details, SANs, and chain validity automatically.

CT Log Monitoring

Continuously monitors public Certificate Transparency logs for your domains. Detects certificates issued by any CA—catching unauthorized issuance, shadow IT, and forgotten subdomains before they become a problem.

Inventory Dashboard

A sortable, filterable view of every certificate you manage. Color-coded status indicators, full-text search across domains and SANs, and instant visibility into your security posture.

Smart Alerting

Configurable alert thresholds at 30, 14, 7, and 1 day before expiry. Deliver to Slack or email. Choose daily digest or per-certificate alerts. Snooze support for planned renewals.

Multi-Provider Support

Monitors certificates from any CA—Let's Encrypt, DigiCert, Sectigo, AWS ACM, and more. You're never locked into a single provider or cloud platform.

ACME Automation

Automated renewal for Let's Encrypt certificates via DNS-01 challenges. Supports Cloudflare, Route53, and Hetzner DNS APIs with one-click or fully automatic modes.

Coming soon

Compliance Reports

Export PDF reports of your certificate inventory, renewal history, and alert logs. Designed to support SOC 2 evidence requirements. Prove to auditors that your certificates are managed and monitored.

Coming soon

Built for Teams Like Yours

CertShield is designed for the people who actually manage certificates day to day.

DevOps Teams

Managing certs across AWS, GCP, and bare metal. You need one view across all your infrastructure, not five different dashboards.

IT Managers

Juggling certificates for dozens of client sites at your agency. Keep every client's certs tracked and renewed without the spreadsheet chaos.

SREs

You need compliance evidence and can't justify a $10K/yr enterprise tool. CertShield gives you audit-ready reports at a price that makes sense.

Free During Early Access

Get full access to CertShield while we build it together. No credit card. No commitment.

Early Access
Free

All features included · No limits during early access

  • Certificate scanning & discovery
  • CT log monitoring
  • Expiration alerts (Slack + email)
  • Multi-cloud discovery
  • Compliance reports
  • Webhooks & API access
  • Team management

Paid plans will be introduced later as the product matures.

CertShield vs. the Alternatives

The right balance of power, simplicity, and price.

Feature CertShield certbot (DIY) Enterprise CLM Cloud-Native (ACM)
Multi-provider inventory
CT log monitoring
Automated renewal Coming soon Partial Partial
Expiration alerting Partial Limited
Compliance reports
Self-serve setup CLI only
Price Free Free $5K-50K+/yr Free*

* Cloud-native tools are free but lock you into a single platform.

Frequently Asked Questions

What is SC-081v3 and why should I care?

SC-081v3 is a CA/Browser Forum ballot approved in April 2025 that mandates shorter TLS certificate lifetimes. By March 2026, max validity drops to 200 days. By 2029, it drops to just 47 days. This means certificates that used to last a year will need renewal almost monthly. Without automation, managing this is unsustainable.

How does CertShield discover my certificates?

CertShield uses two methods: TLS handshake inspection (connecting to your hosts and reading the certificate chain) and Certificate Transparency log monitoring (scanning public CT logs to find every certificate ever issued for your domains). This catches certificates you didn't know about—forgotten subdomains, shadow IT, wildcard certs from other teams. No agents to install on your servers.
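The TLS handshake inspection described above, combined with this page's SC-081v3 schedule and 30/14/7/1-day alert thresholds, as an added Python example; it is not CertShield's code. The function names are illustrative, and counting a day as 86,400 seconds of validity is an assumption.

```python
import socket
import ssl
from datetime import datetime, timezone

# Maximum lifetimes by issuance date, as listed on this page (newest first).
SCHEDULE = [
    (datetime(2029, 3, 15, tzinfo=timezone.utc), 47),
    (datetime(2027, 3, 15, tzinfo=timezone.utc), 100),
    (datetime(2026, 3, 15, tzinfo=timezone.utc), 200),
]
PRE_SC081_MAX = 398
ALERT_THRESHOLDS = (30, 14, 7, 1)  # days before expiry

def fetch_peer_cert(host, port=443, timeout=5.0):
    """TLS handshake inspection: return the validated leaf certificate as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _utc(cert_time):
    # getpeercert() dates look like "Mar 20 00:00:00 2026 GMT".
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def max_lifetime_days(issued):
    for effective, limit in SCHEDULE:
        if issued >= effective:
            return limit
    return PRE_SC081_MAX

def assess(cert, now):
    """Check a getpeercert() dict against the schedule and the alert thresholds."""
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    lifetime = (not_after - not_before).total_seconds() / 86400
    remaining = (not_after - now).total_seconds() / 86400
    # Thresholds already crossed; the smallest one is the most urgent alert.
    crossed = [t for t in ALERT_THRESHOLDS if remaining <= t]
    return {
        "lifetime_days": round(lifetime, 2),
        "limit_days": max_lifetime_days(not_before),
        "within_limit": lifetime <= max_lifetime_days(not_before),
        "expired": remaining < 0,
        "alert_threshold": min(crossed) if crossed else None,
    }

# Constructed sample in getpeercert() format, not a real certificate.
SAMPLE = {"notBefore": "Mar 20 00:00:00 2026 GMT", "notAfter": "Jun 18 00:00:00 2026 GMT"}
```

For a live host, pass `fetch_peer_cert("example.com")` and `datetime.now(timezone.utc)` to `assess`; a handshake that fails validation raises `ssl.SSLError` instead of returning a certificate.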

Which certificate authorities do you support?

CertShield monitors certificates from any CA—Let's Encrypt, DigiCert, Sectigo, AWS ACM, and any CA that issues standard X.509 certificates. If it's a public TLS cert, we can discover and track it regardless of who issued it.

Will CertShield automatically renew my certificates?

Not yet—CertShield launches as a monitoring tool first. Automated renewal for Let's Encrypt certificates (via ACME DNS-01 challenges) is coming soon. We're building it with support for Cloudflare, Route53, and Hetzner DNS. Renewal for other CAs like DigiCert or Sectigo is not currently planned, as those require vendor-specific workflows.

How is this different from certbot?

Certbot is a great tool for renewing a single certificate on a single server. CertShield gives you a centralized dashboard across your entire infrastructure, proactive alerting before expiry, compliance reporting, multi-provider support, and team collaboration. If you manage more than a handful of certificates, you've outgrown certbot.

Will my data be secure?

Security is foundational to CertShield. We will never handle your private keys—we only read public certificate data via standard TLS connections. All data will be encrypted in transit and at rest, and we plan to pursue SOC 2 Type II compliance.

Why isn't AWS ACM or Cloudflare enough?

ACM and Cloudflare auto-renew certificates they issue on their own platforms—but they don't cover certificates from other providers, other clouds, or bare metal. ACM won't renew imported certs. Cloudflare only manages edge certs for proxied domains. Neither monitors CT logs, alerts you before expiry across providers, or generates compliance reports. If your infrastructure spans more than one platform, you have blind spots.

When will CertShield be available?

We're in early access now, with the first SC-081v3 deadline already active. Join the waitlist to get access and help shape the product.

Is CertShield really free?

Yes. CertShield is completely free during early access with no feature restrictions. We want to build the best certificate monitoring tool possible, and your feedback is more valuable than a subscription right now. Paid plans will be introduced later as the product matures.

The 200-Day Limit is Active. 100 Days is Next.

The first SC-081v3 deadline has passed. The next one—100-day maximum validity—hits in March 2027. Don't wait until certificates start failing.

No credit card required. Free during early access.