Skip to content
Home » Private SSL Certificate Monitoring

Private SSL Certificate Monitoring

TrackSSL can monitor your internal, private certificates that are not accessible to the internet. To do so, you can run an instance of our agent on your local network. This lightweight Docker container will run on a schedule every 4 hours. It will make an API call to TrackSSL’s cloud-hosted dashboard, fetch the list of certificates it is responsible for monitoring, fetch each certificate from your local network, and push the certificate to TrackSSL in the cloud for notification and monitoring.

Here’s how to enable private SSL monitoring with TrackSSL:

Create an SSL Monitoring Agent

Screenshot showing private, internal SSL certificate monitoring agent creating in TrackSSL.

Click Agents on the left and then enter an Agent name. This could be the name of your internal network or a name you will use to remember the agent instance. If you only have one internal network, you only need one Agent. But if you have separate networks, subnets, or VPCs, you can create multiple agents, each responsible for their own set of certificates. Copy the token generated for your agent. This will be called your TRACKSSL_AGENT_TOKEN.

Assign Domain to Agents

In TrackSSL, a domain is a hostname or IP address that is the end point for an SSL/TLS certificate. To assign domains to be monitoring by your internal Agent, rather than the cloud-hosted TrackSSL agent, click Domains on the left, click the domain you want to assign, then choose the Agent you want to assign the domain to:

Screenshot showing the assignment of an SSL certificate to be monitoring to a TrackSSL internal agent.

Creating TrackSSL API Token

Next, create an API token to be used by your agent. You only need one API token no matter how many agents you create, though you may wish to create separate API tokens which can be revoked individually if needed. Copy the API token generated. This will be called your TRACKSSL_AUTH_TOKEN:

Next, place your TRACKSSL_AUTH_TOKEN and TRACKSSL_AGENT_TOKEN into a file called environment.txt. It should look something like this:


Then, download and run the docker container:

$ docker pull
$ docker run -d --env-file ./environment.txt --name trackssl-agent

That’s it! Your agent will run every 4 hours and work exactly like the public cloud TrackSSL agent — notifying you through your chosen channels when your certificate nears expiration.

As always, we are here to help. Reach out to us with your questions and we’d be thrilled to help: [email protected].