User Guide – Network SSL Certificate Scanner 2022

User Guide - Network SSL Certificate Scanner 2022



XenArmor NetCertScanner (Network SSL Certificate Scanner) is the enterprise software to find find all expiring/self-signed/vulnerable/rogue SSL certificates in your local network or internet.

You can use multiple scanning options like Single host scan, Network scan, File IP List Scan, Custom Port scan to find all SSL certificates in your network.

“Fastest SSL Scanner based on our proprietary Half SSL Scanning Method”

It’s swift SSL Certificate scan powered by ‘Host-Port Multiplexed Multithreading’ technique helps you to scan the entire network in just few minutes.


Here are the main benefits for you,

  • SSL Scan: easily find all expiring/expired SSL certificates
  • Full Network Scan: scan all 256*256*256 (*.0.0.0/8) hosts in one click
  • File Scan: scan only known hosts from IP/Host list file
  • Custom Port Scan: find SSL services on non-standard port
  • Fastest Scan: powered by ‘Host-Port Multiplexed Multithreading’ technique
  • SSL SNI Support:scan websites running on shared IP address
  • Scan Settings: fine-tune scan speed as per local network traffic
  • Hidden SSL Discovery: find secret/rogue SSL services in your network
  • SSL Security Analysis: detect self-signed, hidden & vulnerable certs
  • Multi-colored Display: helps in quick identification of problems
  • Display Status: shows progress during SSL scanning
  • Send Email Report: automatically get Email of every scan report
  • Command-line: separate cmd-line tool to run from your scripts
  • Database Store: automatically store scan results to database
  • Download SSL Certificate: quickly view or save certificate to disk
  • Automation: schedule SSL scans periodically
  • Save Report: export report to HTML,CSV,XML,JSON,SQLite file
  • Portable Unlimited Edition: run directly from USB on Unlimited PCs
  • Supports All Windows: Works on all PCs from XP to Windows 11 


XenArmor NetCertScanner works on both 32-bit & 64-bit platforms starting from Windows XP to Windows 11.

Here are the specific details,

  • Installation Size: 15 MB
  • RAM: 4 GB+ Recommended
  • Operating System: Windows 11,10,8,7,Vista,XP, Windows Server 2022,2019,2016,2012,2008 (32-bit/64-bit)

Note: Mobile/pads/non-windows devices not supported

Tip: For better & faster SSL scan performance we recommend using Windows server editions.


XenArmor NetCertScanner comes with standard windows installer which allows seamless installation & un-installation.

Launch the setup file and follow on-screen instructions to complete the installation as shown below,


You can uninstall it from the control panel or click on Uninstaller from installed location.

How to Use?

XenArmor NetCertScanner is one of the best & fastest SSL Certificate Scanner available on planet. It helps you to easily perform Single Host, Network, File based IP List or Custom Port scan with a click of button. Below are more details of each type of scanning operations,

Single Host SSL Scan

This is helpful to perform SSL certificate scan of Single host. Just select ‘Single Host’ scan and enter IP address or Host name and click on ‘Start Scan’ button as shown below,

Network SSL Scan

Network scan helps you to scan your entire network to find any expired, expiring soon, self-signed, suspicious or vulnerable SSL certificates. Enterprise & higher editions allow you to scan 256*256*256 Hosts (*.0.0.0/8) at a time.

To perform Network scan just select ‘Network’ scan option in NetCertScanner, next enter the IP address range and then click on ‘Start Scan’ button to begin the SSL scanning as shown below

File IP List SSL Scan

This feature (only in enterprise edition & higher) helps you to scan only listed hosts/systems (IP Address or Domain Name) specified in the file. This is very useful when you have your servers scattered across different subnet or internet making the scanning operation faster and efficient.

For file scan, create a simple text file with each line containing one IP address or Domain Name. Then in NetCertScanner, choose ‘File Scan’ from the top, then select that IP address list File to begin the Scanning operation as shown below,

New 2022 version allows you to specify up to 100,000 host entries in a single file.

Custom SSL Port Scan

Custom port scan feature (only in enterprise edition & higher) is very useful when your SSL services are running on non-standard ports (perhaps for security reasons). It can also be used to detect any hidden malicious SSL services run by Hacker.

To perform Custom SSL Port Scan, just select SSL Scan Type (Single, Network, File) and then choose Custom Port from ‘SSL Service Type’ option. Next enter the start and end port range and click on Start Scan to being the operation as shown below,

Right Click Menu Options

Right click context menu allows you to quickly & easily perform useful tasks in Certificate list after the completion of scan. You can choose to Visit Website, Open/Save Certificate, Analyze SSL Online or Copy various SSL Certificate details from the list as shown below,


You can also double click on each entry to view the SSL Certificate. Note that Right click menu option is not available while SSL scanning is in progress.

Settings – NetCertScanner

Settings panel allows you to tweak various scan options including Timeout, Database & Email Notifications as shown below,


Timeout Settings

Here you can adjust various Timeout settings based on your target server locations (like local subnet or Internet)
For local subnet you can select option ‘Ping Each Host before SSL Scan’. Not recommended for Servers outside subnet or Internet.

Below are the recommended settings for local or Internet scan,

  • Local Network/Subnet
    • Select ‘Ping Each Host before SSL Scan’
    • Timeout for Host Detection: 20 ms
    • Timeout for Network Operations: 1,000 ms
  • Internet
    • Disable Select ‘Ping Each Host before SSL Scan’
    • Timeout for Host Detection: 200 ms
    • Timeout for Network Operations: 3,000 ms

Also based on your network traffic conditions, you can fine tune the above Timeout values.

New 2022 Version allows you to enable/disable Domain name resolution by using setting “Find Host Name for Every Host”.
This is good for local network but for Internet scan this may take lot of time.
Now you can also choose Thread Count to control the speed of scanning. Default value is 50 and maximum Thread count is 200.

Database Settings

XenArmor NetCertScanner offers seamless Database integration feature which automatically stores all the SSL Certificate scan information to local database for every scan. It is enabled by default.

To enable/disable Database feature simply check or uncheck ‘Store the result of scanning… database’ in the Setting dialog as shown above. If you have enabled Database then you can select the location where all the Database snapshot will be saved for each scan.

Tip: Command-line version uses these timeout & database settings automatically.

Email Settings

XenArmor NetCertScanner 2019 edition offers new Email Notification feature which helps you to automatically get full report of SSL scan in your Email immediately after each scan. This is very useful feature which can help you to fully automate your SSL scan using command-line version sending email notification.


To enable/disable Email notification feature simply check or uncheck ‘Send email notification…..’ in the Setting dialog as shown above. Once you enable it, you can set various Email settings and then click on ‘Test Email’ button to verify if the email is sent successfully or not.

Important Note: For security reasons we recommend creating test email account in Gmail (or similar) rather than using your personal/business account.

Also if you are using gmail account, make sure to switch on “Allow less secure apps” for your email account as explained here. Else Gmail will block sending email. Also Database Storage needs to be enabled for Email notification to work.

Here is the real example of Email notification of SSL Scan summary along with attached report

New 2022 Version also allows you to send only Expiring/Expired SSL certificate list in the Email Report. Also now you will get both HTML & CSV report as attachment.
Now each report includes more details about SSL Scanning host such as local machine name, IP address & operating system.


Please note that Command-line version automatically uses these email notification settings.

Note: This feature is available only in Enterprise & higher editions.

Copy Settings from Older Versions

If you are currently using 2020/2019 Edition and upgraded to 2022 Edition then please make a note of your existing settings (or take a screenshot).

Now launch “Scan Settings” in new 2022 Edition and set each of the options manually.

This is one time activity and may take few minutes. Once done, you can copy new “settings.db” to any other computer where you have installed this software.

Copying old Settings.db file to new installation folder will not work as 2022 version has new options and also optimized default settings for high speed scan.

SSL Certificate Scan Report

XenArmor NetCertScanner helps you to generate detailed SSL certificate Scan Report in HTML, CSV, XML, JSON, SQLite format. On complete of scan, click on Report button and then select the Type of Report (HTML or CSV) from the File Save Dialog as shown below,

Here is the sample of HTML report of SSL Certificate Scan,

New 2022 version also displays more details in HTML report such as machine name, IP address & operating system of SSL Scanning host. Also now all reports includes Serial Number of SSL certifiate.

Advanced Feature – SSL Certificate Security Analysis

XenArmor NetCertScanner helps you to perform security analysis of SSL Certificates discovered during the scan. Not only helps you to find out Expired SSL certificates but also identifies Self-signed, Suspicious & Vulnerable SSL Certificates. Also each of these threats are represented in different color codes making the analysis faster and easier.

Here is the screenshot of SSL certificate analysis performed by NetCertScanner,

Here are more details on each threats and respective color codes,

  • Expired – SSL Certificate is already expired: Red Color
  • Expiring Soon – SSL Certificate expires within a month: Yellow Color
  • Vulnerable – SSL Certificate is vulnerable to MD5/SHA1 Attacks: Red Color
  • Self-Signed/Suspicious – SSL Certificate is self-signed or suspicious – Brown Color
  • Good – This is good SSL Certificate – Blue Color Text.

Same color codes are used in both GUI list as well as in HTML report.

Special Feature – Automatic Storing of Database

XenArmor NetCertScanner offers seamless Database integration feature which automatically stores every SSL Certificate scan result to local database. NetCertScanner uses independent Database (SQLite) snapshots to make whole process smoother and easier without the need for you to install or configure any third party Database software’s (MSSQL, MySQL, Oracle)

For every scan, NetCertScanner stores the complete scan details including SSL Certificate data to the separate Database file. You can control various Database settings including the location where all the files are stored through Settings.

Anytime later, you can view entire SSL Scan report by just loading Database into NetCertScanner. To load database, you can simply drag & drop file or click on “Open File” button and select the file as shown below,

New 2022 version also stores Serial Number & Thumbprint (SHA1 Hash) of each certificate into the database. Also each report includes more details like machine name, IP address & operating system of SSL Scanning machine.

This database store feature is very useful for Auditing and Automation of SSL Certificate Scan.

How to Use Command-line Version?

XenArmor NetCertScanner Command-line version (run from Administrator Cmd Prompt) helps you to fully automate SSL certificate scanning operation. It can also help you to integrate SSL scanning in your scripts giving you greater power and flexibility.

Here are the detailed screenshots of different type of SSL Scan,





Here is the command-line options & examples (2022 Version)

  • NetCertScannerConsole.exe [-o ] [-h host/host-range | -f ] [-p port/port-range]
  •  .
  • // Single host scan with HTML report
  • NetCertScannerConsole.exe -o output.html -h -p 443
  •  .
  • // Scan *.*.*.0/24 Hosts with CSV report
  • NetCertScannerConsole.exe -o output.csv -h -p 443
  •  .
  • // Append (-oo) output report to existing CSV file
  • NetCertScannerConsole.exe -oo output.csv -h -p 443
  •  .
  • // Scan *.*.0.0/16 Hosts with XML report
  • NetCertScannerConsole.exe -o c:\output.xml -h
  •  .
  • // Scan specific Ports on Single Host with JSON report
  • NetCertScannerConsole.exe -o c:\output.json -h -p 1-1024
  •  .
  • // Scan *.0.0.0/8 Hosts with SQLite database report
  • NetCertScannerConsole.exe -o c:\output.db -h
  •  .
  • // Scan specific ports in IP Address range with HTML report
  • NetCertScannerConsole.exe -o c:\output.html -h -p 900-1000
  •  .
  • // Scan from File having IP Address/Hostname list
  • NetCertScannerConsole.exe -o “c:\test\output.html” -f c:\iplist.txt
  •  .
  • // Scan from File having IP Address list for specific port range
  • NetCertScannerConsole.exe -o c:\output.html -f c:\iplist.txt -p 1-1024

Please note above command-line usage details are specific to 2022 version and higher. If you have older version, please type NetCertScannerConsole.exe -h to see correct usage examples.

By default it will generate report in HTML format. You can specify csv, xml, json or db extension to output file to generate report in CSV, XML, JSON or SQLite format respectively.

Command-line version automatically uses the same Timeout, Database & Email notification options configured through Settings in NetCertScanner GUI version.

Important Note: Please run it from Administrator Cmd Prompt (cmd.exe). Else report and database file creation will fail. Another way is to set report and database file location where you have write permissions.

Note: Command-line Tool is available only in Enterprise & higher editions.

Automation of SSL Certificate Scan

XenArmor NetCertScanner Console Version helps you to easily automate your entire SSL certificate scanning operation. Also since 2019 edition, you can also enable Email Notification to automatically delivery complete SSL scan report to your email. Also for each scan, you can enable database store option to store all scan results including SSL certificate to local database.

Here are simple steps to automate SSL scanning process using Windows Task Scheduler,

1) Launch Windows Task Scheduler from Administrative Tools in Control Panel. Next click on “Create Basic Task” on right side panel as shown below,

2) On the Basic Task page, enter name as ‘NetCertScanner SSL Scan’. On next page select ‘Daily or Weekly or Monthly’ with appropriate Time settings as per your need.

3) Next on the ‘Action’ Page, click on Start Program and then enter command & arguments as shown below,

For more command-line options refer to NetCertScanner Command-line Version section.

4) Finally click on Finish button to schedule the automatic SSL Scanning operation.

Note that before you schedule, configure the Timeout & Database options through NetCertScanner Settings.

Version & Release History

Note: To get download link of latest update please contact our support team with your order details.

Version 11.0 (2022 Edition): 29th May 2022

Mega 2022 release supporting new Windows 11 platform. Here are the major updates,

  • (GUI & Command-line) Support scanning of all 256*256*256 (*.0.0.0/8) hosts in one click
  • Faster SSL scanning operation with various speed optimizations
  • (GUI & Command-line) File Scan now supports 100,000 hosts (previously 25k) in single file
  • Domain name resolution now made multi-threaded leading to faster scan
  • Send Email Report in both HTML & CSV format
  • SSL/TLS Cipher Suites updated with latest ones
  • Displays “Serial Number” of certificate in all reports & database
  • Added Thumbprint (SHA1 Hash) of certificate to database store
  • Display scanning host details like OS version, IP address and machine name
  • (GUI & Command-line) Displays scan progress during the operation
  • Scan Settings: Disabled PING by default & Timeout is set to 30ms
  • Scan Settings: Added ‘Thread Count’ option to fine tune performance
  • Scan Settings: ‘Find Host Name’ option to enable/disable Domain name resolution
  • Scan Settings: Option to send only expiring/expired certificates list in Email report
  • Personal Edition: Support scanning all 256*256*256 hosts in one go.
  • Personal Edition: Generate scan reports in all formats
  • Personal Edition: Enabled SSL Security analysis
  • Personal Edition: Shows scan results in multi-colored display
  • Fixed receive buffer size issue with ssl certificate retrieval
  • On start, finds local IP address/subnet & set it for Network Scan
  • Enhanced GUI interface, icons, banner, radio button clicks etc
  • Upgrade: Directly upgrade to higher edition using exclusive offer link
  • Enhanced & Separate License activation for different editions
  • Digitally signed with latest company security certificate from Sectigo
  • Changed UAC manifest setting (GUI => highestAvailable Cmdline => AsInvoker)
  • Supports latest Windows 11 operating system (32-bit & 64-bit)

Version 10.0 (2020 Edition): 21st Aug 2020

Major release with important update for SSL certificate retrieval from TLS v1.2 server.

Version 9.0 (2020 Edition): 28th Dec 2019

Mega 2020 edition featuring Portable Unlimited Edition, Portable Settings, Faster Scan Engine & New Enhanced GUI Design.

Version 8.0 (2019 Edition): 13th Apr 2019

Major digital signature based release supporting SSL server with TLS v2.0. Also enhanced SSL scan report in XML/JSON/SQLite format.

Version 7.5 (2019 Edition): 13th Feb 2019

Major release with changes in Editions, Pricing & features. Now it supports for getting SSL certificate from old TLS v1.0/TLS v1.1 only SSL Servers. Also added new scan report formats like XML & JSON in both GUI & command-line versions.

Version 7.0 (2019 Edition): 30th Nov 2018

Mega 2019 edition with Email Notification of Scan Report, 200+ New SSL Cipher Suites, Scan Domain with SNI feature, Domain based File List Scan, Perform Online SSL Analysis & many more enhancements.

Version 6.0 (2017 Edition): 26th Jul 2017

Mega 2017 edition with one click database integration, 130+ new SSL cipher suites, SSL certificate vulnerability analysis, Report in HTML & CSV format, IP List File Scanning Feature GUI & Command-line version

Contact XenArmor

Have any more queries or need any technical clarification? Just write to us at and you will have response within 24 to 48 hours.

For more details visit home page of XenArmor Network SSL Certificate Scanner