SSLBoard as a Cert Spotter alternative
Cert Spotter, built by SSLMate, is a well-known name in Certificate Transparency monitoring. It watches CT logs for certificates issued against your domains and flags installation problems. Its founder helped shape the CT standard, so the product has deep CT expertise. If your main worry is mis-issuance or a botched cert install, it’s a solid pick.
Cert Spotter is a monitoring tool, not a TLS auditor. It tells you whether a certificate exists and is installed correctly. It doesn’t tell you whether the server behind it is still negotiating TLS 1.0, accepting RC4, or missing DNSSEC. That’s where SSLBoard comes in.
What is Cert Spotter?
Cert Spotter is a Certificate Transparency log monitor from SSLMate, the same company behind SSLMate’s certificate issuance service and its Certificate Search API. You add your domains, and it continuously watches CT logs for any certificate issued against them, authorized or not. If an unknown CA issues a cert for one of your hostnames, you get an alert. That matters if you’re worried about CA compromise, DNS tampering, BGP hijacking, or subdomain takeover.
Beyond mis-issuance detection, Cert Spotter runs certificate health checks against your endpoints: expiration, chain completeness, hostname match, OCSP stapling. It also monitors CAA records and MTA-STS policy for your mail domains, and it can discover new subdomains through DNS provider and registrar integrations on its higher tiers. Alerts go out by email, webhook, or Slack, and you can pre-approve known certificates and CAs to cut down on noise. SSLMate also publishes an open source, self-hosted version of the CT monitoring engine for teams that want to run it themselves.
Pricing starts at $15/month for the Hobbyist plan, covering 20 endpoints with hourly health checks and a single IPv4 and IPv6 address per endpoint. The Startup plan is $100/month for 150 endpoints, unlimited ports and IPs, and DNS discovery integrations. Business runs $500/month for 1,000 endpoints and checks every 5 minutes. There’s a 30 day free trial, but no permanent free tier.
Where Cert Spotter falls short
Cert Spotter does certificate monitoring well. It’s not built to answer questions about TLS configuration.
No TLS handshake analysis. Cert Spotter checks that a certificate is installed and valid. It doesn’t perform TLS handshakes to see which protocol versions your endpoints negotiate, which cipher suites they accept, or whether forward secrecy is in place. A server can pass every Cert Spotter check while still accepting TLS 1.0 or RC4.
No key strength or post-quantum analysis. There’s no breakdown of RSA versus ECC usage, key sizes, or whether an endpoint supports post-quantum key exchange like X25519Kyber768.
No posture score. Cert Spotter gives you a list of certificates, alerts, and health check results. It doesn’t roll any of that into a weighted score you can track over time or hand to someone asking “how’s our TLS?”
Endpoint-based pricing scales with your footprint. Cert Spotter counts every domain, subdomain, and port combination as an endpoint. An organization with a few hundred subdomains across multiple ports can outgrow the Hobbyist and Startup tiers quickly and land on the $500/month Business plan.
Account and setup required. You can’t type a domain and get an answer. You sign up, add domains, and let it run. There’s no equivalent of a quick one-off scan for a domain you don’t manage.
How SSLBoard is different
SSLBoard starts where Cert Spotter’s certificate checks stop. You type a domain, and it discovers hostnames through Certificate Transparency logs and DNS enumeration, then performs live TLS handshakes against every resolved IP. The report covers the same certificate basics, expiration, issuer, chain, key type, but adds full protocol and cipher analysis: which endpoints still accept TLS 1.0 or 1.1, which cipher suites are negotiated, whether forward secrecy holds, and the CVEs tied to anything outdated. It checks DNSSEC and CAA policy, flags connection errors like self-signed certs or name mismatches, and evaluates post-quantum readiness.
The results roll into a weighted score by category. You get one number to point to and a detailed breakdown if someone asks why. Reports are shareable by link and exportable as CSV, Markdown, or JSON.
You don’t need an account or a plan with an endpoint limit. You run a report on whatever domain you need answers about right now, including ones you don’t control, like a vendor or an acquisition target.
When to use Cert Spotter, SSLCalendar, or SSLBoard
If you only need expiration reminders, SSLCalendar is a simpler fit. Enter a domain and email address, then subscribe to an ICS calendar feed in Google Calendar, Outlook, or Apple Calendar. It uses SSLBoard’s active-certificate checks to reduce noise from certificates that exist in CT logs but are not serving traffic. SSLCalendar focuses on renewal reminders rather than unauthorized-issuance alerts or TLS configuration analysis.
Cert Spotter is the right tool if you want continuous monitoring for mis-issuance and certificate installation problems, with alerts routed to Slack or a SIEM. That’s a different job from a point-in-time TLS audit, and Cert Spotter’s CT log expertise is hard to beat.
SSLBoard is the better fit when you need to assess actual TLS configuration, not just certificate presence: before a compliance review, after a rotation, when evaluating a vendor’s domain, or any time the question is about protocols, ciphers, and posture rather than mis-issuance. Plenty of teams end up wanting both: Cert Spotter watching for unauthorized certs in the background, SSLBoard providing the periodic deep check on configuration.
Getting started
Go to sslboard.com, type your domain, and wait a few minutes. Your first scan is always free, with the full report including score, findings, and per-host breakdowns. No account required.