I'm aware one of the replacements you recommended for certificate expiration notification was red sift. But why are their expiry dates so far off. They have 19 of my certificates expiring in 6 days when in reality all of them are valid until 5-2025? How can you recommend such a service?
Welcome!
I suspect the explanations here may help:
When using the free "Lite" plan, RedSift is ultimately just pulling data from certificate transparency logs. It's not actually looking at the certificates on your running site. So the accuracy of the monitoring is only going to be as good as the data they can get. Some of the most common CT indexers have spotty reliability, but I have no clue where they pull their data from.
That said, I hadn't touched RedSift before tonight. So I signed up and added one of my own domains. The "Upcoming Expiring Certificates" view is a bit misleading.
It reported two certs expiring in 21 days. So I clicked on that little bubble. First problem, the two certs were actually the same cert, but one was the precertificate for the other. It's annoying that they don't filter out precertificate data by default, but not technically wrong. The expiration dates were correct for those specific certs as well. The misleading part is that the cert had already been renewed. So why did RedSift report it as expiring? I mean, they are still valid and they will be expiring soon. But it wouldn't be a very useful service if you get notified about certs you've already replaced. Even LE was able to distinguish that as long as you didn't alter your SAN list between renewals.
I browsed to the larger "Expiring Certificates" view which claims:
By default, certificates that have been superseded by newer certificates are not displayed.
Both of the old certs were listed as not superseded plus another one that was the newer renewed version. But only 1 copy. The one copy was the precertificate and the real leaf certificate was missing. Coincidentally (or not if they're getting data from the same place), the real leaf cert is also missing from crt.sh as well. Maybe they only mark a cert as superseded when the real leaf cert gets added?
I did have a different set of certs that contained both pre/leaf copies of the newest cert and both copies of the previous cert and the previous ones had been marked as superseded.
So ultimately, I'm guessing your issue @KevDog is that RedSift hasn't pulled the new cert data for your 19 certificates or it only has precertificate data for whatever reason. It should be easy enough to check from the Expiring Certificates page. Unfortunately, there's no way to filter out precertificate data from that page, but the cert details page does show a label on precerts that looks like this:
Here is their KB article on cert ingestion and alerts:
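To make the reasoning above concrete, here is a small added example (written for this thread, not code from RedSift, crt.sh or Let's Encrypt) that reproduces the two filtering steps a CT-based expiry monitor has to get right: collapse each precertificate/leaf pair into one record, then mark a cert as superseded when a newer cert covers exactly the same SAN set (the rule the Let's Encrypt expiry mailer effectively uses). The CT entries are constructed sample data; the `CtEntry` fields, the helper names and the 30-day window are assumptions of this example. Unlike what RedSift appears to do, a renewal that is only present as a precertificate still counts as superseding the old cert here.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# OID of the CT poison extension that marks a precertificate (RFC 6962 §3.1).
CT_POISON_OID = "1.3.6.1.4.1.11129.2.4.3"


@dataclass(frozen=True)
class CtEntry:
    """One row as a CT indexer would expose it (hypothetical field set)."""
    serial: str
    sans: frozenset[str]
    not_before: datetime
    not_after: datetime
    precert: bool  # True when the entry carries CT_POISON_OID


def dedupe_precerts(entries: list[CtEntry]) -> list[CtEntry]:
    """Collapse a precert + leaf pair (same serial) into one record.

    The leaf is preferred; if only the precert has been indexed (as the
    post describes for crt.sh), the precert record is kept so the renewal
    is still visible.
    """
    by_serial: dict[str, CtEntry] = {}
    for e in entries:
        cur = by_serial.get(e.serial)
        if cur is None or (cur.precert and not e.precert):
            by_serial[e.serial] = e
    return list(by_serial.values())


def mark_superseded(entries: list[CtEntry]) -> dict[str, bool]:
    """Map serial -> True if a newer cert has an identical SAN set.

    A renewal that adds or drops a SAN deliberately does NOT supersede the
    old cert, which is the same caveat Let's Encrypt's notices had.
    """
    return {
        e.serial: any(
            o.serial != e.serial and o.sans == e.sans and o.not_before > e.not_before
            for o in entries
        )
        for e in entries
    }


def upcoming_expiring(entries: list[CtEntry], now: datetime, window_days: int = 30) -> list[str]:
    """Serials expiring within the window, after dedupe and superseded filtering."""
    deduped = dedupe_precerts(entries)
    superseded = mark_superseded(deduped)
    horizon = now + timedelta(days=window_days)
    return sorted(
        e.serial for e in deduped
        if not superseded[e.serial] and now <= e.not_after <= horizon
    )


def naive_expiring_count(entries: list[CtEntry], now: datetime, window_days: int = 30) -> int:
    """What a dashboard shows when it skips both filters: inflated by precerts and old renewals."""
    horizon = now + timedelta(days=window_days)
    return sum(1 for e in entries if now <= e.not_after <= horizon)


def _dt(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample CT log contents (not real certificates).
WEB = frozenset({"example.com", "www.example.com"})
SAMPLE_LOG = [
    CtEntry("01", WEB, _dt(2024, 12, 7), _dt(2025, 3, 7), precert=True),   # old cert, precert
    CtEntry("01", WEB, _dt(2024, 12, 7), _dt(2025, 3, 7), precert=False),  # old cert, leaf
    CtEntry("02", WEB, _dt(2025, 2, 15), _dt(2025, 5, 16), precert=True),  # renewal, leaf never indexed
    CtEntry("03", frozenset({"api.example.com"}), _dt(2024, 12, 20), _dt(2025, 3, 20), precert=False),  # not renewed
    CtEntry("04", frozenset({"example.com"}), _dt(2025, 2, 20), _dt(2025, 5, 21), precert=False),  # SAN list changed
    CtEntry("05", frozenset({"example.com", "mail.example.com"}), _dt(2024, 12, 10), _dt(2025, 3, 10), precert=False),
]
NOW = _dt(2025, 3, 1)

if __name__ == "__main__":
    print("records a naive view counts as expiring:", naive_expiring_count(SAMPLE_LOG, NOW))
    print("actually at risk:", upcoming_expiring(SAMPLE_LOG, NOW))
```

Serial 01 drops out because 02 renewed it (even though only 02's precertificate made it into the log), while 05 stays on the list because its replacement 04 changed the SAN set; that second case is exactly where a SAN-matching heuristic and the operator's intent diverge, so it is worth checking the served certificate directly before acting on such an alert.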
Honestly I didn't have any precertificates; however, I had the same certificate listed like multiple times -- which is very very annoying. If I applied a filter on the expiring certificates page and the filter was 'Superseded is false', then the huge list was filtered to contain the most recent certificate with the accurate expiration date. Now I know the default as you wrote it, but I'm not sure what was happening since my filter produced 68 certificate records and without the filter I had 130 records. It's all very confusing. I'm not saying the information presented is inaccurate; however, it just seems very convoluted.
That shouldn't concern you, precertificates are an artifact of certificate transparency. AFAIK they exist because browsers want certificates to include SCTs, but you can't have an SCT without submitting the (pre)certificate to a CT log.
As an aside I noticed crt.sh was down a lot recently (for me) and Censys CT search is also going away according to an email from them. Not sure what the best options are going forward for simple cert issuance searches.
crt.sh is struggling, yeah. They moved it to a different DC to get better performance, but so far I can't see much improvement. Where did you see that censys certificate search is going away? I can't find anything on that.
The "new kid in town" regarding CT search is Merklemap. Search is pretty snappy from my tests, though loading certs takes a moment. Not all the features they have are free though, there's a subscription model behind the API stuff (similar to censys).
I believe just the "legacy" search system is being replaced with a new and improved one. I haven't yet moved my workflow to the new system but a quick test looked nice.
A snip from my second notice about that
Time is running out! On March 31, 2025, Censys Search will be officially retired. To ensure seamless access to your data and avoid disruptions, you need to move your workflows to the new Censys Platform today.
The Censys Platform is faster, smarter, and built for the future, offering:
• CenQL – Our new, intuitive query language that simplifies searches
• A refined data schema for better organization and faster threat response
• A Query Converter to instantly migrate your old queries
Don't wait until the last minute! Convert your queries now and experience a better, more powerful way to search. Switch Today to Avoid Disruptions