CertHound – open-source SSL/TLS certificate discovery and auto-renewal agent
Cross-platform Go agent for SSL/TLS certificate inventory and ACME auto-renewal. Single binary, no daemons, runs standalone or with the optional CertHound dashboard. - deadbolthq/certhound-agent
# CertHound Agent

SSL/TLS certificate inventory and auto-renewal for your servers.

A small, single-binary Go agent that finds every certificate on a host — on disk and inside the Windows certificate store — reports their status, and (optionally) renews them via Let's Encrypt before they expire. Cross-platform, no runtime dependencies, no daemon to install besides the agent itself.

Use it standalone for local cert scanning, or pair it with the CertHound dashboard for centralized monitoring across your fleet.

```
Filesystem ──────┐
                 │    ┌──────────────────────┐              ┌──────────────────────┐
Windows Store ───┼───►│   CertHound Agent    │──── HTTPS ──►│  CertHound Dashboard │
                 │    │     (this repo)      │              │   app.certhound.dev  │
Live endpoints ──┘    └──────────┬───────────┘              │  (optional, managed) │
                                 │                          └──────────────────────┘
                               ACME
                                 │
                                 ▼
                      ┌──────────────────────┐
                      │    Let's Encrypt     │
                      └──────────────────────┘
```

## Features

- **Cross-platform** — Linux (amd64/arm64), macOS, Windows (amd64). Single static binary.
- **Filesystem scanning** — recursively walks configured directories for PEM/CRT/DER certificates.
- **Windows certificate store** — enumerates Current User and Local Machine stores (MY, ROOT, CA, TrustedPeople, TrustedPublisher).
- **ACME auto-renewal** — issues and renews Let's Encrypt certificates via the HTTP-01 webroot challenge.
- **Windows cert-store import** — renewed certs can be imported directly into `LocalMachine\MY` or `CurrentUser\MY` via CryptoAPI; no PEM on disk required.
- **Watch mode** — daily full scans, hourly heartbeats, and immediate scans triggered by fsnotify cert-file changes.
- **Auto-update** — the agent self-updates from GitHub Releases with SHA-256 checksum verification and automatic rollback on failure.
- **Detailed extraction** — SHA-256 fingerprints, SANs (DNS, IP, URI, email), key/extended key usage, OCSP/CRL/AIA URLs, signature algorithm, key bits, NotBefore/NotAfter.
## Install

### Linux / macOS

```bash
curl -sSL https://raw.githubusercontent.com/deadbolthq/certhound-agent/main/scripts/install.sh | \
  sudo bash -s -- --key ch_yourkey --endpoint https://api.certhound.dev/ingest
```

For a standalone (local-only, no dashboard) install, omit `--key` and `--endpoint`:

```bash
curl -sSL https://raw.githubusercontent.com/deadbolthq/certhound-agent/main/scripts/install.sh | sudo bash
```

### Windows

The recommended path is the GUI installer: download, run as Administrator, paste your key.

For PowerShell (run as Administrator):

```powershell
iwr https://raw.githubusercontent.com/deadbolthq/certhound-agent/main/scripts/install.ps1 -OutFile install.ps1 -UseBasicParsing
.\install.ps1 -Key "ch_yourkey" -Endpoint "https://api.certhound.dev/ingest"
```

For standalone (no dashboard), drop the `-Key` and `-Endpoint` arguments.

### From source

```bash
git clone https://github.com/deadbolthq/certhound-agent.git
cd certhound-agent
go build -o certhound-agent ./cmd/agent
```

## Usage

```bash
# One-shot scan, table output to console
certhound-agent

# Scan specific directories
certhound-agent /etc/letsencrypt/live /etc/ssl/certs

# JSON to stdout (for piping into jq, etc.)
certhound-agent --json /etc/ssl/certs

# Continuous watch mode reporting to a dashboard
certhound-agent --watch --endpoint https://api.certhound.dev/ingest

# Custom config file
certhound-agent --config /etc/certhound/config.json --watch

# Override expiry threshold to flag certs within 14 days of expiry
certhound-agent --threshold 14
```

## Configuration

The agent loads config from (in priority order):

1. `--config` flag
2. Auto-discovered file at `/etc/certhound/config.json` (Linux/macOS) or `C:\ProgramData\CertHound\config.json` (Windows)
…
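The core of what the "Detailed extraction" feature and the `--threshold` flag above do for a single file, written here as an added Go example rather than CertHound's own code: accept either PEM-armoured or bare DER input, pull out the SHA-256 fingerprint, DNS SANs and NotAfter, and flag the certificate when it expires within the threshold window. `Inspect` and `SelfSignedPEM` are names chosen for this example; the self-signed certificate it generates is constructed test input so the snippet runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

type CertInfo struct { // subset of the fields the README lists under "Detailed extraction"
	SHA256   string   // hex SHA-256 of the DER encoding (the usual fingerprint)
	DNSNames []string // DNS SANs
	NotAfter time.Time
	Expiring bool // NotAfter falls within thresholdDays of now
}

// Inspect parses one certificate file. PEM/CRT files carry armour; DER files are bare.
func Inspect(data []byte, thresholdDays int, now time.Time) (CertInfo, error) {
	der := data // default: treat the raw bytes as DER
	if blk, _ := pem.Decode(data); blk != nil && blk.Type == "CERTIFICATE" {
		der = blk.Bytes
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return CertInfo{}, err
	}
	sum := sha256.Sum256(c.Raw)
	deadline := now.Add(time.Duration(thresholdDays) * 24 * time.Hour)
	return CertInfo{hex.EncodeToString(sum[:]), c.DNSNames, c.NotAfter, !c.NotAfter.After(deadline)}, nil
}

// SelfSignedPEM mints a constructed, throwaway certificate (test input, not a real artifact).
func SelfSignedPEM(dns string, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors ignored: constructed input
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{dns},
		NotBefore: notAfter.Add(-90 * 24 * time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	// A cert 10 days from expiry is flagged under the README's example threshold of 14 days.
	info, _ := Inspect(SelfSignedPEM("www.example.com", time.Now().AddDate(0, 0, 10)), 14, time.Now())
	fmt.Printf("%+v\n", info)
}
```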