NGINX Instance Manager Certificate Scanning Documentation

This document explains how to scan for expired certificates with NGINX Instance Manager.

How it works

You can use NGINX Instance Manager to scan for expired certificates in your environment. We will pull back the certificate information from any TLS server and present the expiration dates to you. This can be done through an API call also but is shown in the UI below.

Certificate Scan page


The certificate scan looks at the default listener on the IP address and port you specify. Servers using strict SNI for certificates will not show up unless they are they default.

Managed instances will show certificate information based on the NGINX configuration. This includes strict SNI and information that may not show up in the scan.


There are web servers and services that use strict SNI rules to only present certificates if the domain name is exact. We do not use an agent and can not guess that so we can’t find servers not responding on the IP address used. If the server has a mix of certificates, it’s likely the renewal is similar though and the tool will give you value.

Updating Certificates

Updating certificates and keys can be done through the API or the UI. It is important to note that we do not store the private keys and do not have a GET that would provide them.

To update these files in the UI, open the configuration editor for the instance and select the Cert Management icon.

Certificate Management

Enter the file path and paste in the contents of the certificate or key and publish the file.

Certificate Upload

This will push the certificate or key to the remote system.

Next Steps

  • Explore the API for more advanced uploads
  • Build your own workflow using the certificate scanner and the certificate upload function