NGINX Instance Manager Certificate Scanning Documentation

You are not viewing the latest documentation for Instance Manager. Visit https://docs.nginx.com/nginx-management-suite/nim to read the latest content.

This document explains how to scan for expired certificates with NGINX Instance Manager.

How it works

You can use NGINX Instance Manager to scan for expired certificates in your environment. We will pull back the certificate information from any TLS server and present the expiration dates to you. This can be done through an API call also but is shown in the UI below.


The certificate scan looks at the default listener on the IP address and port you specify. Servers using strict SNI for certificates will not show up unless they are the default.

Managed instances will show certificate information based on the NGINX configuration. This includes strict SNI and information that may not show up in the scan.


Some web servers and services use strict SNI rules to only present certificates if the domain name is exact. We do not use an agent and cannot guess that, so we can’t find servers that don’t respond to the IP address that’s used. If the server has a mix of certificates, the renewal is likely similar, and the tool will give you value.

Updating Certificates

Updating certificates and keys can be done through the API or the web interface. It is important to note that we do not store the private keys and do not have a GET that provides them.

To update these files in the web interface, open the configuration editor for the instance and select the Cert Management icon.

Enter the file path and paste in the contents of the certificate or key and publish the file.

This will push the certificate or key to the remote system.

Next Steps

  • Explore the API for more advanced uploads
  • Build your own workflow using the certificate scanner and the certificate upload function