CERTHOUND

‹ All articles

CertHound Agent: Open-Source Certificate Discovery for Every Server

Today we're releasing certhound-agent — a free, open-source tool that discovers every SSL/TLS certificate on your server in seconds. One binary, zero dependencies, runs anywhere.

Why We Built This

Before you can monitor certificates, before you can auto-renew them, before you can do anything useful — you need to know what you have. That sounds obvious, but it's the step most teams skip. Certificates get installed by different people at different times across different servers, and before long, nobody has a complete picture.

We built the CertHound agent to solve that first problem: discovery. It's the foundation everything else builds on, and we're releasing it as free, open-source software.

What It Does

The certhound-agent is a single static binary that scans a server for all SSL/TLS certificates and outputs a structured report. Here's what it covers:

• Filesystem scanning: Walks standard certificate paths (/etc/ssl, /etc/pki, and custom directories) looking for PEM-encoded certificates.
• Windows Certificate Store: Reads directly from the Windows cert store via native APIs — no OpenSSL required.
• Metadata extraction: Collects subject, issuer, SANs, serial number, expiration date, and SHA-256 fingerprint for every certificate found.
• Expiration flagging: Certificates within your configured threshold are flagged as expiring so they surface immediately.

What It Doesn't Do

The agent never reads, collects, or transmits private keys. It only handles certificate metadata. It doesn't require root access for filesystem scanning (though it finds more certs with it), and it doesn't phone home unless you explicitly point it at a CertHound dashboard endpoint.

How to Get Started

Download the binary for your platform, put it on your server, and run it:

1. Download the agent from GitHub for your OS and architecture.
2. Run it — no installation, no dependencies, no configuration required.
3. Get a full certificate inventory in JSON or human-readable table format.

That's it. The entire process takes under 5 minutes, and you'll have a complete picture of every certificate on the machine.

Platform Support

At launch, we're targeting the two platforms where the vast majority of TLS certificates live:

• Windows (amd64) — Certificate Store and filesystem scanning.
• Linux (amd64 and arm64) — filesystem PEM scanning across standard and custom paths.

Next on the roadmap: macOS with Keychain integration, FreeBSD, container environments (Kubernetes, Docker), and network appliance discovery for devices like F5 BIG-IP, Citrix ADC, and NGINX reverse proxies.

Free Forever, Open Source Always

The certhound-agent is released under a permissive open-source license and will stay free. It's useful on its own as a standalone discovery tool. When you're ready for centralized monitoring, alerting, and (soon) auto-renewal across your full fleet, the CertHound platform is there — but the agent stands on its own.

We believe the best way to earn trust in the security space is to let you try the product before you buy anything. The agent is our handshake.

Ready to take control of your certificates?

Try the open-source agent free. No credit card, no lock-in.

Get the agent