CertGuard User Guide

SSL certificate and domain registration expiry monitoring with configurable alert thresholds.

1. Enable CertGuard in the Products page

2. Navigate to certs.microgemlabs.ai

3. Click + Add Domain and enter your hostname

4. CertGuard immediately checks the SSL certificate and domain registration

SSL/TLS Certificates

CertGuard connects to your domain via TLS, inspects the certificate, and tracks:

• Validity — Is the certificate currently valid and trusted?
• Days until expiry — Countdown to certificate expiration
• Issuer — Certificate authority (Let's Encrypt, DigiCert, etc.)
• Subject — Domain the certificate covers (including wildcards)
• Protocol — TLS version in use (TLSv1.2, TLSv1.3)
• Valid from/to — Certificate validity period

Domain Registration (WHOIS)

CertGuard queries the RDAP (Registration Data Access Protocol) API to check:

• Registration expiry date — When the domain registration expires
• Days until expiry — Countdown
• Registrar — Domain registrar (Cloudflare, GoDaddy, Namecheap, etc.)

RDAP is the modern replacement for raw WHOIS and provides structured JSON responses. Some TLDs may not support RDAP — CertGuard will note this and you can add the expiry date manually.

CertGuard alerts at configurable day thresholds before expiry. Defaults:

This means you get your first warning 30 days before the cert expires, with increasing urgency as the deadline approaches. The day-0 alert fires when the certificate has actually expired.

Domain registration alerts start earlier because domain renewals often take longer to process.

• Conservative: 60,30,14,7,3,1,0
• Minimal: 7,1,0

CertGuard maps days-remaining to severity:

The domains list is sorted by urgency — the domain with the fewest days remaining appears first. Each card shows:

• Status badge with color coding
• Hostname and port
• Certificate issuer and TLS protocol
• Days until cert expiry (large, color-coded number)
• Days until domain registration expiry
• Time since last check
• Active incident banner (if any)

Click any domain to see:

Click the Check Now button on any domain's detail page to trigger an immediate SSL and WHOIS check. Results appear within a few seconds. This is useful after renewing a certificate to verify the new cert is live.

CertGuard runs a comprehensive check of all domains daily at 6:00 AM UTC. On-demand checks can be triggered anytime via the dashboard.

Certificate expiry alerts route through your team's shared escalation policy. An expiring certificate at 3 AM triggers SMS and voice calls to whoever is on call — the same on-call system used by PulseGuardPlus, CronKeeper, LogVault, CronRunner, and HookRelay.

When CertGuard's daily check finds that a previously-expiring certificate has been renewed (days remaining increased), it automatically resolves the active incident and linked on-call alert. No manual action needed.

Suppress CertGuard alerts during planned certificate migrations or domain transfers by creating a maintenance window (Ops → Maintenance). Daily checks continue running, but expiry alerts won't create incidents or trigger on-call. Scope suppression to CertGuard as a product or to a specific domain.

Define automated responses to certificate expiry (Skills → Runbook (/agent/skills?type=runbook)). Example: create a "Trigger Cert Renewal" template that POSTs to your cert-manager webhook when CertGuard detects a certificate expiring within 7 days. Set the trust level to auto-approval so MicroGemAI triggers the renewal and your on-call engineer approves via Slack or Telegram.

When cert incidents resolve (e.g., an expired certificate is renewed), MicroGemAI auto-generates a postmortem with what expired, when, how long the outage lasted, what other services were affected (cross-product correlation), and action items to prevent recurrence. Review and publish at Ops → Postmortems.