What is an Application?
Without applications, a certificate inventory is a flat list of hostnames and expiry dates. With applications, every certificate belongs to a context: the service it protects, the environment it runs in, and the people accountable for it. Applications address two recurring problems:- Coverage gaps — knowing that
api.example.comhas a certificate is different from knowing that the Payments API has full certificate coverage across all its hostnames. Applications make that distinction explicit. - Alert routing — sending every expiry alert to a shared operations inbox creates noise. Applications let CertForge send each team only the alerts relevant to their own certificates.
Creating an application
Applications can be created in two places:- Applications → New Application — the dedicated management page for creating and editing applications independently of any certificate workflow.
- Certificate wizard (inline) — when creating a new certificate, you can create or select an application in the same flow without leaving the wizard.
Application fields
Cert groups
A single application often needs more than one certificate — for example, when a wildcard doesn’t cover all required SANs, or when different hostnames must use different CAs or key types. Each cert group within an application contains a set of hostnames that will be covered by a single certificate. CertForge tracks coverage at the cert group level: a group is covered when a valid, managed certificate exists for those hostnames, and uncovered when it does not. One application can have multiple cert groups. This supports multi-cert configurations without needing to split conceptually related hostnames across separate applications.Coverage status
The Applications page shows a coverage status for each application, computed across all its cert groups.Application owner notifications
When acert_expiring alert rule fires, CertForge sends a targeted email to each application’s owners listing only the certificates belonging to that application. This is separate from the org-wide alert channel — owners receive a focused view of what they are responsible for, not a list of every expiring cert in the organization.
This notification is opt-in. Go to Profile → Alert Subscriptions and check Service cert expiry (notify me as service owner). Owners who do not opt in will not receive the targeted email, but org-wide alert channels will still fire as configured.
Application owner notifications require an email address on your account and SMTP configured by your admin. See Email Setup for configuration details.
Reports
Two reports are available specifically for applications. Both are accessible at the Reports page and can be subscribed to as scheduled email deliveries from Profile → Report Subscriptions.Application Coverage
Lists every application in the organization with:- Hostname count
- Cert group count
- Owner emails
- Coverage status (Full / Partial / None / No certs)