diff --git a/README.md b/README.md index 478c992..b7f4c19 100644 --- a/README.md +++ b/README.md 
@@ -2,15 +2,15 @@ This repo contains the tools, utilities and some usefull commands help to troubleshooting the issues of the WSO2 deployements. ## Table of contents - -- [Database response time mesuring tool](database-response-timing/) | [Download](https://github.com/wso2-cs/troubleshoot-kit/releases/download/v1/database-response-timing-bundle.zip) -- [HTTP/HTTPS endpoint response time mesuring tool](http-response-timing/) | [Download](https://github.com/wso2-cs/troubleshoot-kit/releases/download/v1/http-response-timing-bundle.zip) -- [Test LDAP connectivity](ldap-connection-test/) -- [Script to get thread dumps](scripts-and-commands/thread-dump/) +- [APIM 3.2.0 distributed deployment](scripts-and-commands/distributed-deployment/apim-3.2.0/README.md) +- [APIM 4.0.0 distributed deployment](scripts-and-commands/distributed-deployment/apim-4.0.0/README.md) +- [Database response time measuring tool](database-response-timing/) | [Download](https://github.com/wso2-cs/troubleshoot-kit/releases/download/v1/database-response-timing-bundle.zip) +- [Decrypt and re-encrypt entries in database with new algorithm or key](https://github.com/shagihan/token-migrator) +- [HAR Capture](HAR-capture/README.md) +- [HTTP/HTTPS endpoint response time measuring tool](http-response-timing/) | [Download](https://github.com/wso2-cs/troubleshoot-kit/releases/download/v1/http-response-timing-bundle.zip) - [Script to Analyze thread dumps](scripts-and-commands/thread-analysis/) -- [Usefull keytool and OpenSSL Commands](scripts-and-commands/keytool-openssl-commands/README.md) +- [Script to get thread dumps](scripts-and-commands/thread-dump/) - [Simple TCP proxy simulating delays in network](https://github.com/ruwanta/delaying-proxy) -- [Decrypt and re-encrypt entries in database with new algorhythm or key](https://github.com/shagihan/token-migrator) -- [HAR Capture](HAR-capture/README.md) -- [APIM 3.2.0 deployment](scripts-and-commands/distributed-deployment/apim-3.2.0/README.md) -- [APIM 4.0.0 
deployment](scripts-and-commands/distributed-deployment/apim-4.0.0/README.md) \ No newline at end of file +- [Test LDAP connectivity](ldap-connection-test/) +- [TLS Certs](scripts-and-commands/certs/README.md) +- [Useful keytool and OpenSSL Commands](scripts-and-commands/keytool-openssl-commands/README.md) diff --git a/scripts-and-commands/certs/README.md b/scripts-and-commands/certs/README.md new file mode 100644 index 0000000..f1a0ec3 --- /dev/null +++ b/scripts-and-commands/certs/README.md 
@@ -0,0 +1,34 @@ +# Get Details About a TLS Certificate +One of the most common tasks once a system is in production for a while is the need to replace expired TLS certificates. The number one symptom that notifies you that this is needed is that back-end system fail to connect and will give an error message in the log files. + +Tracking down why you can't connect is simplified if you can check for the expired use case from the server that is making the connection call. These servers almost never have UI frontends allowing for the certificate view trick we often use in a web browser to check for the dates. This is especially important when server whitelisting rules are in place. + +These linux shell commands are provided to aid in identifying exactly this use case and also to trouble shoot issues that may come up once the new certificate is in place. + +## checkcert +These scripts are for getting the notbefore and notafter dates of a certificate. +* checkcert - uses openssl to fetch +* checkcert_curl - uses curl to fetch + +## checkcertserial +These scripts are for getting the serial number of a certificate +* checkcertserial - returns in default format +* checkcertserialhex - returns in hex format + +## getcertchain +This script will show you the certificate chain. Sometimes different versions +of certificates will have differnt intermediate chains and that can lead to +handshaking issues. +* getcertchain + +## serial_audit +These files are used to audit a set of servers to ensure they have the +same target serial number. +* serial_audit - script to kick off the audit +* server_list.txt - list of the servers to audit. Format like localhost:9443 +* target_serial.txt - standard serial format to verify being present + +# Retrieve a certificate +## getcert +This script will retrieve the certificate and write it locally. +* getcert diff --git a/scripts-and-commands/certs/checkcert b/scripts-and-commands/certs/checkcert new file mode 100755 index 0000000..c373ef0 
--- /dev/null +++ b/scripts-and-commands/certs/checkcert @@ -0,0 +1,9 @@ +#!/bin/bash +# +# You'll need to provide port number with the url. +# Example Web server: test.com:443 +# Example WSO2 EI Server: localhost:9443 + +export SITE_URL=$1 +echo QUIT | openssl s_client -connect ${SITE_URL} \ + -servername ${SITE_URL} 2> /dev/null | openssl x509 -noout -dates diff --git a/scripts-and-commands/certs/checkcert_curl b/scripts-and-commands/certs/checkcert_curl new file mode 100755 index 0000000..958e629 --- /dev/null +++ b/scripts-and-commands/certs/checkcert_curl @@ -0,0 +1,7 @@ +#!/bin/bash +# +# You'll need to provide port number with the url. +# Example Web server: test.com:443 +# Example WSO2 EI Server: localhost:9443 + +curl --insecure -vvI https://$1 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }' diff --git a/scripts-and-commands/certs/checkcertserial b/scripts-and-commands/certs/checkcertserial new file mode 100755 index 0000000..e2958e2 --- /dev/null +++ b/scripts-and-commands/certs/checkcertserial @@ -0,0 +1,11 @@ +#!/bin/bash +# +# You'll need to provide port number with the url. +# Example Web server: test.com:443 +# Example WSO2 EI Server: localhost:9443 +# Cut inspired by: https://unix.stackexchange.com/questions/533194/how-to-extract-serial-from-ssl-certificate + +export SITE_URL=$1 +#export SITE_SSL_PORT="443" +echo QUIT | openssl s_client -connect ${SITE_URL} \ + -servername ${SITE_URL} 2> /dev/null | openssl x509 -noout -serial | cut -d '=' -f2 diff --git a/scripts-and-commands/certs/checkcertserialhex b/scripts-and-commands/certs/checkcertserialhex new file mode 100755 index 0000000..7dfa44b --- /dev/null +++ b/scripts-and-commands/certs/checkcertserialhex 
@@ -0,0 +1,10 @@ +#!/bin/bash +# +# You'll need to provide port number with the url. +# Example Web server: test.com:443 +# Example WSO2 EI Server: localhost:9443 +# Hex translation inspired by: https://unix.stackexchange.com/questions/533194/how-to-extract-serial-from-ssl-certificate + +export SITE_URL=$1 +echo QUIT | openssl s_client -connect ${SITE_URL} \ + -servername ${SITE_URL} 2> /dev/null | openssl x509 -noout -serial|cut -d '=' -f2 | sed 's/../&:/g;s/:$//' diff --git a/scripts-and-commands/certs/getcert b/scripts-and-commands/certs/getcert new file mode 100755 index 0000000..bd92c51 --- /dev/null +++ b/scripts-and-commands/certs/getcert @@ -0,0 +1,9 @@ +#!/bin/bash +# +# You'll need to provide port number with the url. +# Example Web server: test.com:443 +# Example WSO2 EI Server: localhost:9443 + +openssl s_client -connect $1 tmpcert.pem +openssl x509 -in tmpcert.pem -noout -serial -dates +cat tmpcert.pem diff --git a/scripts-and-commands/certs/getcertchain b/scripts-and-commands/certs/getcertchain new file mode 100755 index 0000000..74cd7bc --- /dev/null +++ b/scripts-and-commands/certs/getcertchain @@ -0,0 +1,8 @@ +#!/bin/bash +# +# You'll need to provide port number with the url. +# Example Web server: test.com:443 +# Example WSO2 EI Server: localhost:9443 + +export URL=$1 +echo QUIT | openssl s_client -showcerts -connect $URL diff --git a/scripts-and-commands/certs/serial_audit b/scripts-and-commands/certs/serial_audit new file mode 100755 index 0000000..67186f1 --- /dev/null +++ b/scripts-and-commands/certs/serial_audit 
@@ -0,0 +1,33 @@ +#!/bin/bash + +# This script will check every server in server_list.txt to see if it has a public cert serial +# that matches target_serial.txt. This is utilized to ensure that all servers have the same corporate +# wildcard certificate after renewal. +# +# Add server list into a server_list.txt file. One line per a server. Include the port number. +# Example: +# google.com:443 +# localhost:9443 +# +# Add expected serial number in a file named target_serial.txt +# example: +# 111111111111111111111111111 + + +TARGET_SERIAL=`cat target_serial.txt` +echo "Target Serial is: $TARGET_SERIAL" + +#looping over each server in server_list.txt +echo "== Starting ==" + +while read SERVER; do + SERVER_SERIAL=`echo QUIT | openssl s_client -connect $SERVER -servername $SERVER /dev/null| openssl x509 -noout -serial 2>/dev/null| cut -d '=' -f2` + + if [ "$SERVER_SERIAL" == "$TARGET_SERIAL" ]; then + echo "$SERVER: Serials match." + else + echo "$SERVER - WARNING: CERTIFICATE SERIAL NUMBERS DO NOT MATCH. Server has $SERVER_SERIAL and we are looking for $TARGET_SERIAL." + fi +done < server_list.txt + +echo "== Done. ==" diff --git a/scripts-and-commands/certs/server_list.txt b/scripts-and-commands/certs/server_list.txt new file mode 100644 index 0000000..1026866 --- /dev/null +++ b/scripts-and-commands/certs/server_list.txt @@ -0,0 +1 @@ +localhost:9443 diff --git a/scripts-and-commands/certs/target_serial.txt b/scripts-and-commands/certs/target_serial.txt new file mode 100644 index 0000000..acab1bd --- /dev/null +++ b/scripts-and-commands/certs/target_serial.txt @@ -0,0 +1 @@ +5800000d6fef826be273adb62d000200000d6f
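Review bot: in the README.md hunk, the context line kept above the list ("This repo contains the tools, utilities and some usefull commands help to troubleshooting the issues of the WSO2 deployements.") still has the spelling errors this change fixes in the list entries ("usefull", "mesuring", "algorhythm"); since the file is being rewritten anyway, suggest "This repo contains the tools, utilities and some useful commands to help troubleshoot issues in WSO2 deployments." The alphabetical reordering and the new "TLS Certs" entry pointing at scripts-and-commands/certs/README.md (added in this same patch) look fine.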
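Review bot: in the scripts-and-commands/certs/README.md hunk, the description of the serial scripts is misleading: `openssl x509 -noout -serial` already prints the serial as hex, so "checkcertserial - returns in default format" and "checkcertserialhex - returns in hex format" should read "plain hex" and "colon-separated hex" respectively. Smaller wording fixes in the same hunk: "back-end system fail" should be "back-end systems fail", "differnt" should be "different", "trouble shoot" should be "troubleshoot", "linux" should be "Linux". The serial_audit section should also say that server_list.txt and target_serial.txt are read from the current working directory, not from the script's directory, since the script uses bare relative paths.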
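Review bot: in the checkcert hunk, `-servername ${SITE_URL}` sends the full `host:port` string as the SNI name; SNI carries only the host name, so a name-based virtual host may answer with its default certificate and the dates shown will not be the ones the application actually receives. Suggest `-servername "${SITE_URL%%:*}"`. Also, because stderr is sent to /dev/null, a connection failure surfaces only as an `openssl x509` "unable to load certificate" error; a usage check such as `[ -z "$1" ] && { echo "usage: checkcert host:port"; exit 1; }` and quoting of `"${SITE_URL}"` would make failures clearer. The `export` is unnecessary since nothing downstream reads the variable from the environment.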
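Review bot: in the checkcert_curl hunk, the awk filter depends on the layout of curl's verbose output (the `* SSL connection using ...` line and the `*` prefix on the certificate fields), which differs between curl versions and TLS backends, so the header comment should state that the dates come from curl's verbose output and may need adjusting. `--insecure` is deliberate here (the script exists to inspect certificates that would fail validation), but that intent is worth a comment, and `https://$1` should be quoted and guarded by a usage check as in the other scripts.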
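Review bot: in the checkcertserial hunk, the dead line `#export SITE_SSL_PORT="443"` is leftover and should be removed, and `-servername ${SITE_URL}` has the same host:port SNI problem as checkcert (use `"${SITE_URL%%:*}"`). Note for the header comment that `openssl x509 -serial` prints the serial in uppercase hex; that matters when the output is compared against a stored value.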
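Review bot: in the checkcertserialhex hunk, the sed expression `s/../&:/g;s/:$//` only inserts a colon after every byte pair; the input from `-serial` is already hex, so the script name and comment should say "colon-separated" rather than "hex". The result stays uppercase, whereas `openssl x509 -text` shows the serial in lowercase colon-separated form, so a trailing `tr 'A-F' 'a-f'` would make the output directly comparable with `-text` output. Same SNI issue as the other scripts: `-servername` should receive the host name only.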
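Review bot: in the getcert hunk, `openssl s_client -connect $1 tmpcert.pem` has no redirection or pipe into tmpcert.pem, so as committed the file name is passed to s_client as a stray argument and nothing is written; the following `openssl x509 -in tmpcert.pem` and `cat tmpcert.pem` then fail. Raw s_client output also contains the handshake transcript, so extract the PEM with x509 instead, for example `echo QUIT | openssl s_client -connect "$1" -servername "${1%%:*}" 2>/dev/null | openssl x509 > tmpcert.pem`. The temp file is created in the current directory and never removed; take an output path argument or use `mktemp`.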
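Review bot: in the getcertchain hunk, `openssl s_client -showcerts -connect $URL` passes no `-servername`, unlike the other scripts; without SNI a server hosting several names returns its default certificate and chain, which defeats the stated purpose of diagnosing intermediate-chain differences. Suggest `-servername "${URL%%:*}"` and quoting `"$URL"`. The `export` is unnecessary.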
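Review bot: in the serial_audit hunk, an unreachable server or a TLS failure leaves `SERVER_SERIAL` empty and is reported as "CERTIFICATE SERIAL NUMBERS DO NOT MATCH. Server has  and we are looking for ...", which hides the real cause; test for an empty value first and report a connection failure separately. The s_client line `-servername $SERVER /dev/null| openssl x509` passes `/dev/null` as an extra argument rather than as a redirection, and `-servername` again receives host:port instead of the host name. The comparison `[ "$SERVER_SERIAL" == "$TARGET_SERIAL" ]` is case-sensitive while `openssl x509 -serial` prints uppercase hex, so normalize both sides (for example `${SERVER_SERIAL^^}` and `${TARGET_SERIAL^^}`) before comparing. Blank or CRLF-terminated lines in server_list.txt would also be passed to `-connect` as-is; skip empty lines and strip `\r`. Prefer `$(...)` over backticks and quote `"$SERVER"`.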
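Review bot: in the target_serial.txt hunk, the sample value `5800000d6fef826be273adb62d000200000d6f` is lowercase, but `openssl x509 -noout -serial` (used by serial_audit) emits uppercase hex, so this committed sample can never match a live server under the script's string comparison; store the value in uppercase or make serial_audit normalize case before comparing.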