What is a Service?
Without services, a certificate inventory is a flat list of hostnames and expiry dates. With services, every certificate belongs to a context: the application it protects, the environment it runs in, and the people accountable for it. Services address two recurring problems:- Coverage gaps — knowing that
api.example.comhas a certificate is different from knowing that the Payments API has full certificate coverage across all its hostnames. Services make that distinction explicit. - Alert routing — sending every expiry alert to a shared operations inbox creates noise. Services let CertForge send each team only the alerts relevant to their own certificates.
Creating a service
Services can be created in two places:- Services → Add Service — the dedicated management page for creating and editing services independently of any certificate workflow.
- Certificate wizard (inline) — when creating a new certificate, you can create or select a service in the same flow without leaving the wizard.
Service fields
Cert groups
A single service often needs more than one certificate — for example, when a wildcard doesn’t cover all required SANs, or when different hostnames must use different CAs or key types. Each cert group within a service contains a set of hostnames that will be covered by a single certificate. CertForge tracks coverage at the cert group level: a group is covered when a valid, managed certificate exists for those hostnames, and uncovered when it does not. One service can have multiple cert groups. This supports multi-cert configurations without needing to split conceptually related hostnames across separate services.Coverage status
The Services page shows a coverage status for each service, computed across all its cert groups.Service owner notifications
When acert_expiring alert rule fires, CertForge sends a targeted email to each service’s owners listing only the certificates belonging to that service. This is separate from the org-wide alert channel — owners receive a focused view of what they are responsible for, not a list of every expiring cert in the organization.
This notification is opt-in. To receive it, go to Profile → Alert Subscriptions and check Service cert expiry (notify me as service owner). Owners who do not opt in will not receive the targeted email, but org-wide alert channels will still fire as configured.
Service owner notifications require an email address on your account and SMTP configured by your admin. See Email Setup for configuration details.
Reports
Two reports are available specifically for services. Both are accessible at the Reports page and can be subscribed to as scheduled email deliveries from Profile → Report Subscriptions.Service Coverage
Lists every service in the organization with:- Hostname count
- Cert group count
- Owner emails
- Coverage status (Full / Partial / None / No certs)