Platform · Change Monitoring

Know the moment a certificate changes.

By Updated

New issuance, replacement, unexpected issuers, altered SANs — MachineCert detects every certificate change as it happens and tells you whether it was expected or a red flag.

Scan your domain Book a demo
Real-time eventsRogue detectionAudit trail
change feed · acme-corplive events
New cert issuedapi.acme.comreview
Cert replacedcdn.acme.comexpected
Unexpected issuerpromo.acme.ioinvestigate
SANs changed*.acme.comreview
The problem

Change is constant —
and mostly invisible.

Certificates are issued, rotated, and replaced continuously. Without change monitoring, every one of those events is a blind spot.

Silent changes

Certificates are issued and swapped without anyone noticing.

Unexpected issuance

A cert from the wrong CA can signal compromise or shadow IT.

Untracked replacements

Rotations happen, but the record never reflects them.

No audit trail

When something breaks, there’s no history of what changed.

How it works

Detect, classify,
alert, log.

1
Baseline

Establish the known state of every certificate.

2
Detect change

Spot new issuance, replacement, and attribute changes.

3
Classify

Decide whether the change was expected or suspicious.

4
Alert & log

Notify the owner and record an immutable history.

Architecture

Every change, an event.

Change signals
Certificate Renewedreplacement detected
New Certificate IssuedCT log · cloud · agent
SAN Addedsubject alt name change
Issuer ChangedCA / chain swap
Certificate RevokedCRL · OCSP signal
Ownership Changedteam / on-call reroute
Change engineclassify · alert · log
Output
AlertsSlack · SIEM
Event timelineper certificate
Audit trailimmutable
What you see

Certificate activity feed.

changes · activity · acme-corpstreaming · live
EventCertificateWhen
Certificate Renewed*.stripe.com2 min ago
New Certificate Issuedshadow.acme.io14 min ago
SAN Addedapi.example.com1 hr ago
Issuer Changedcdn.acme-corp.com3 hrs ago
Certificate Revokedold-vpn.corp.local6 hrs ago
Ownership Changedk8s.stagingyesterday
Outcomes

No certificate change
goes unseen.

Instant change alerts

Know the moment a cert is issued or swapped.

Catch rogue issuance

Unexpected issuers flagged for investigation.

Per-cert history

A complete timeline of every change.

Audit-ready trail

Immutable evidence for compliance.

Detect shadow IT

Unplanned issuance surfaces immediately.

Faster response

Suspicious changes reach security fast.

FAQ

Change monitoring,
answered.

It’s continuously detecting changes to certificates — new issuance, replacement, unexpected issuers, and altered attributes like SANs or key strength — and alerting you whether each change was expected or suspicious.
Certificates change constantly. An unexpected new certificate for your domain can indicate mis-issuance, compromise, or shadow IT. Tracking changes turns those silent events into actionable signals.
By monitoring Certificate Transparency logs and continuous discovery, MachineCert sees new certificates issued for your domains in near real time and compares them against the known baseline.
New issuance, certificate replacement and rotation, issuer changes, and attribute changes such as Subject Alternative Names, validity periods, and cryptographic strength.
MachineCert classifies changes against your inventory and policy — a planned rotation from an approved CA is expected, while issuance from an unrecognized CA is flagged for investigation.
Yes. Every change is recorded as an immutable, timestamped event, giving each certificate a complete history for troubleshooting and compliance.
Yes — alerts route to Slack, Teams, email, PagerDuty, ServiceNow, Jira, SIEM, and webhooks.
Change monitoring surfaces rogue issuance and unexpected rotations quickly, shortening detection time for certificate-based threats and shadow IT.
Explore the platform

Related capabilities

Trust monitoringChain, revocation, weak crypto.Expiration monitoringCatch expiry early.Public discoveryWatch CT logs for issuance.For security teamsRogue detection & risk.Risk scoringPrioritize by risk.ComplianceAudit-ready evidence.
Get started

Watch every certificate change.

Scan your domain and start tracking every issuance, rotation, and rogue certificate in real time.

Book a demo