Zero-dependency certificate monitoring and validation for Python. Native, portable, extensible, and secure.
All orchestration and logic are pure Python standard library. Public key parsing and elliptic curve support are powered by Rust. No third-party Python dependencies - ever.
β‘οΈ Why CertMonitor?
CertMonitor was born out of real-world frustration: outages and security incidents caused by expired certificates, missing Subject Alternative Names, or incomplete certificate chains. This tool is a labor of loveβbuilt to solve those pain points with a zero-dependency, native Python approach. All orchestration and logic are pure Python stdlib, but advanced public key parsing and elliptic curve support are powered by Rust for speed, safety, and correctness. CertMonitor is always improving, and your feedback is welcome!
from certmonitor import CertMonitor
with CertMonitor("example.com") as monitor:
print(monitor.get_cert_info())
print(monitor.validate())This is a sample of the structured certificate info returned by monitor.get_cert_info():
{
"subject": {
"commonName": "example.com"
},
"issuer": {
"organizationName": "DigiCert Inc",
"commonName": "DigiCert TLS RSA SHA256 2020 CA1"
},
"notBefore": "2024-06-01T00:00:00",
"notAfter": "2025-09-01T23:59:59",
"serialNumber": "0A1B2C3D4E5F6789",
"subjectAltName": {
"DNS": ["example.com", "www.example.com"],
"IP Address": []
},
"publicKeyInfo": {
"algorithm": "rsaEncryption",
"size": 2048,
"curve": null
}
}This is a sample of the PEM format returned by monitor.get_raw_pem():
-----BEGIN CERTIFICATE-----
MIID...snip...IDAQAB
-----END CERTIFICATE-----
This is a sample of the DER format returned by monitor.get_raw_der() (as bytes, shown here as base64):
MIID...snip...IDAQAB
{
"expiration": {
"is_valid": true,
"days_to_expiry": 120,
"expires_on": "2025-09-01T23:59:59",
"warnings": []
},
"subject_alt_names": {
"is_valid": true,
"sans": {"DNS": ["example.com", "www.example.com"], "IP Address": []},
"count": 2,
"contains_host": {"name": "example.com", "is_valid": true, "reason": "Matched DNS SAN"},
"contains_alternate": {"www.example.com": {"name": "www.example.com", "is_valid": true, "reason": "Matched DNS SAN"}},
"warnings": []
}
}- π Zero Dependencies: 100% standard library. No third-party Python packages requiredβever.
- π‘οΈ Certificate Validators: Modular checks for expiration, hostname, SANs, key strength, protocol, ciphers, and more.
- β‘ High Performance: Async- and batch-friendly. Designed for speed and concurrency.
- 𧩠Extensible: Add your own custom validators for organization-specific checks.
- π Native Python First: Works out-of-the-box in any Python 3.8+ environment.
- π¦ Rust-Powered Parsing: Certificate parsing and public key extraction are handled by a Rust extension for speed, safety, and correctness. This is required for advanced public key and elliptic curve features, but all orchestration and logic are pure Python stdlib.
- π¦ Portable: No system dependencies. Drop it into any project or CI pipeline.
- π Comprehensive Docs: ReadTheDocs with usage, API, and advanced guides.
CertMonitor uses a powerful system of validatorsβmodular checks that automatically assess certificate health, security, and compliance. Validators can:
- Detect expired or soon-to-expire certificates
- Ensure hostnames and SANs match
- Enforce strong key types and lengths
- Require modern TLS versions and strong cipher suites
- Allow you to add custom organization-specific checks
You can enable, disable, or extend validators to fit your needs, making CertMonitor ideal for continuous monitoring, compliance automation, and proactive security.
expiration: Validates that the certificate is not expired.hostname: Validates that the hostname matches the certificate's subject alternative names (SANs).subject_alt_names: Validates the presence and content of the SANs in the certificate.root_certificate: Validates if the certificate is issued by a trusted root CA.key_info: Validates the public key type and strength.tls_version: Validates the negotiated TLS version.weak_cipher: Validates that the negotiated cipher suite is in the allowed list.sensitive_date: Validates that the certificate doesn't expire on built-in or user specified sensitive dates.chain: Validates the full TLS certificate chain for structural problems (missing intermediates, out-of-order, expired members, weak signatures).
Install CertMonitor from PyPI using your preferred package manager:
Using pip:
pip install certmonitorUsing uv:
uv add certmonitorFor instructions on installing from source for development, please see the Development Guide.
from certmonitor import CertMonitor
with CertMonitor("example.com") as monitor:
cert_data = monitor.get_cert_info()
validation_results = monitor.validate(validator_args={"subject_alt_names": ["www.example.com"]})
print(cert_data)
print(validation_results)monitor = CertMonitor("example.com")
cert_data = monitor.get_cert_info()
validation_results = monitor.validate()
monitor.close()You can also use an IPv4 or IPv6 address to retrieve and validate the SSL certificate. Note: Using an IP address may not match the certificate's hostname.
with CertMonitor("20.76.201.171") as monitor:
cert = monitor.get_cert_info()
validation_results = monitor.validate()
print(cert)
print(validation_results)These methods are only available for SSL/TLS connections:
raw_der = monitor.get_raw_der() # Returns DER bytes
raw_pem = monitor.get_raw_pem() # Returns PEM stringYou can retrieve and validate cipher suite information:
cipher_info = monitor.get_cipher_info()
print(cipher_info)You can configure CertMonitor by specifying which validators to enable in the enabled_validators parameter. If not specified, it will use the default validators defined in the configuration.
By default, the following validators are enabled:
- expiration
- hostname
- root_certificate
CertMonitor can also read the list of enabled validators from an environment variable ENABLED_VALIDATORS. This is useful for configuring the validators without modifying the code.
Example:
export ENABLED_VALIDATORS="expiration,hostname,subject_alt_names,root_certificate,key_info,tls_version,weak_cipher"CertMonitor automatically detects the protocol (SSL/TLS or SSH) for the target host. Most features are focused on SSL/TLS. SSH support is limited.
If an error occurs (e.g., connection failure, invalid certificate), CertMonitor methods will return a dictionary with an error key and details. Always check for errors in returned data:
cert = monitor.get_cert_info()
if isinstance(cert, dict) and "error" in cert:
print("Error:", cert["message"])CertMonitor's certificate parser handles untrusted bytes from every TLS handshake it monitors. We take that seriously:
- Zero runtime dependencies. The Python layer uses only the standard library. The Rust extension's X.509 / DER parser is written in-house against the Rust standard library β no third-party parsing crates in the runtime dependency tree.
#![forbid(unsafe_code)]at the Rust crate root. Nounsafeblocks anywhere in the parser. Memory safety is enforced by the Rust compiler, not by manual auditing.- Every parser path returns
Result. Malformed input produces a structured error, never a crash. No.unwrap()on user-input-derived data. - 1.7 billion fuzz iterations, zero crashes. The parser is continuously fuzz-tested with cargo-fuzz (libFuzzer) against adversarial byte sequences. A 1-hour soak run explores 310 code-coverage points and 503 libfuzzer features with zero panics. Run it yourself:
make fuzz. - 130-cert real-world corpus on every CI run. Every commit is tested against captured certificates from 101 production hosts spanning Google Trust Services, DigiCert, Let's Encrypt, Sectigo, Cloudflare, and more β covering both RSA and ECDSA key types.
- 425+ Python tests at 99% line coverage, 56 Rust unit tests. The full test suite runs across Python 3.8β3.13 and Rust stable on macOS, Ubuntu, and Windows.
cargo auditon every PR. The Rust dependency tree is 20 crates total (all PyO3 build-time helpers), scanned for known vulnerabilities on every pull request.
This project is licensed under the MIT License. See the LICENSE file for details.