It's Monday morning. Your phone is blowing up. Customers can't access your site. Sales are tanking. Support is overwhelmed.
The culprit? Your SSL certificate expired over the weekend. Every visitor now sees a full-page browser warning: "Your connection is not private." Most leave immediately. The rest think you've been hacked.
This scenario is entirely preventable. SSL certificate monitoring watches your certificates and alerts you days or weeks before they expire. No surprises, no emergencies, no lost revenue.
What is SSL Certificate Monitoring?
SSL certificate monitoring automatically tracks the status, validity, and expiration of your SSL/TLS certificates. It alerts you before problems occur—giving you time to renew, fix misconfigurations, or address security issues.
What It Checks
- Expiration date: When does the certificate expire?
- Certificate validity: Is the certificate properly signed and trusted?
- Chain completeness: Are all intermediate certificates in place?
- Domain matching: Does the certificate cover the correct domains?
- Protocol support: Is TLS configured securely?
How It's Different from Uptime Monitoring
Standard uptime monitoring checks if your site responds. SSL monitoring specifically examines your certificate—it can catch problems that wouldn't trigger a regular uptime alert.
Your site might be "up" with an expired certificate. Users would still see the warning page. Uptime monitoring might miss this; SSL monitoring catches it.
Why SSL Certificate Monitoring Matters
The Browser Warning Problem
When your SSL certificate expires or is misconfigured, browsers don't show your site. They show a warning.
Most users won't click through these warnings. They'll leave—and probably won't come back.
Real Business Impact
- Lost Revenue: E-commerce sites lose 100% of sales during certificate issues
- SEO Damage: Google may temporarily de-index pages with certificate errors
- Trust Erosion: Security warnings make your brand look unprofessional or compromised
- Support Overload: Users contact you asking if you've been hacked
It Happens More Than You Think
Major companies have suffered public SSL failures:
- LinkedIn's certificate expired in 2019, affecting millions of users
- Microsoft Teams had an expired certificate in 2020
- Spotify experienced certificate issues affecting their web player
If it can happen to them, it can happen to anyone. The difference is whether you catch it in advance or find out from angry users.
What Can Go Wrong with SSL Certificates
1. Certificate Expiration
The most common problem. SSL certificates have a maximum lifespan (currently 397 days for public certificates). When they expire, browsers reject them entirely.
Why it happens:
- Renewal reminders go to an inbox no one checks
- The person who set it up left the company
- Auto-renewal failed silently
- Credit card on file expired
2. Incomplete Certificate Chain
SSL certificates form a chain: your certificate → intermediate certificate → root certificate. If the intermediate is missing, some browsers and devices will reject your certificate even though it's valid.
Symptoms: Works on some devices but not others. Desktop Chrome is fine, but mobile Safari shows an error.
3. Domain Mismatch
Your certificate must cover the exact domain users are visiting. A certificate for example.com won't work for www.example.com unless it includes both (via SAN - Subject Alternative Names).
Common scenarios:
- Forgetting to include www variant
- Adding a new subdomain not covered by the certificate
- Wildcard certificate that doesn't cover the apex domain
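The matching rules behind these scenarios, as an added Python example that is not part of the original article: it compares a domain inventory against a certificate's SAN list. The certificate dict and the inventory are constructed samples, and `san_matches` and `uncovered` are hypothetical helper names.

```python
def san_matches(pattern: str, hostname: str) -> bool:
    """True if one SAN dNSName entry covers hostname (RFC 6125-style rules)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # A wildcard stands for exactly one leftmost label: *.example.com covers
    # www.example.com, but not example.com and not a.b.example.com.
    head, _, rest = hostname.partition(".")
    return bool(head) and rest == pattern[2:]


def uncovered(cert: dict, hostnames: list) -> list:
    """Hostnames from the inventory that no SAN entry in cert covers."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "shop.example.net")),
}
# Constructed inventory of hostnames that are expected to serve this cert.
INVENTORY = ["example.com", "www.example.com", "api.example.com",
             "v2.api.example.com", "shop.example.net", "www.example.net"]

if __name__ == "__main__":
    for host in uncovered(SAMPLE_CERT, INVENTORY):
        print("not covered:", host)
```

Running the comparison whenever a subdomain is added to the inventory catches a coverage gap before the name goes live.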
4. Certificate Revocation
Certificates can be revoked by the issuing authority if compromised or mis-issued. A revoked certificate triggers browser warnings just like an expired one.
5. Weak Configuration
Even a valid certificate can be poorly configured:
- Using outdated TLS versions (TLS 1.0, 1.1)
- Weak cipher suites
- Missing HSTS headers
- Mixed content issues (HTTP resources on HTTPS pages)
What to Monitor in Your SSL Certificates
Essential Checks
| Check | Why It Matters | Alert When |
|---|---|---|
| Expiration date | Expired = site unusable | 30, 14, 7, 3 days before |
| Chain validity | Broken chain = errors on some devices | Any missing intermediate |
| Domain coverage | Wrong domain = browser error | Domain not in SAN list |
| Certificate trust | Untrusted CA = rejected by browsers | Not signed by trusted CA |
Advanced Checks
- TLS version: Ensure TLS 1.2 or 1.3 only
- Cipher strength: No weak or deprecated ciphers
- OCSP stapling: Faster certificate validation
- Certificate transparency: Logged in CT logs
Which Domains to Monitor
Don't just monitor your main domain. Check every domain and subdomain with an SSL certificate:
- Main website (example.com, www.example.com)
- API endpoints (api.example.com)
- App subdomains (app.example.com)
- CDN domains (cdn.example.com)
- Mail servers (mail.example.com)
- Staging/dev environments (staging.example.com)
How to Set Up SSL Certificate Monitoring
Option 1: Dedicated SSL Monitoring Tool
The easiest approach. Add your domains to a monitoring service that specifically checks SSL certificates:
1. Enter the domain name
2. Configure alert thresholds (30, 14, 7 days before expiry)
3. Set up notification channels (email, Slack, etc.)
4. Done—you'll get alerts automatically
Option 2: As Part of Uptime Monitoring
Many uptime monitoring tools include SSL checks. When you add an HTTPS URL, they automatically monitor the certificate too.
Pros: No extra setup, integrated with your existing monitoring
Cons: May have less detailed certificate analysis
Option 3: Manual Checks (Not Recommended)
You can manually check certificates using browser tools or command line:
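```bash
# </dev/null closes stdin so s_client exits after the handshake instead of waiting for input
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates
```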
Why this fails: You'll forget. You'll be on vacation when it expires. You'll check the wrong domain. Automate it instead.
Quick Setup Checklist
- List all domains with SSL certificates
- Add each to your monitoring tool
- Set expiration alerts (30, 14, 7, 3 days)
- Enable chain validation alerts
- Configure notification channels
- Test by checking a domain you know is expiring soon
When to Get SSL Expiration Alerts
Getting the timing right prevents both panic and missed renewals.
Recommended Alert Schedule
| Days Before | Alert Type | Action |
|---|---|---|
| 30 days | Early warning (email) | Schedule renewal, verify auto-renewal is working |
| 14 days | Reminder (email + Slack) | Renew now if not auto-renewing |
| 7 days | Urgent (all channels) | Escalate, renew immediately |
| 3 days | Critical (all channels + phone) | Emergency renewal, all hands |
| 1 day | Emergency | You're about to have a very bad day |
Why Multiple Alerts?
People miss emails. People are on vacation. People assume someone else handled it. Multiple alerts at increasing urgency ensure someone takes action.
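One way to automate the manual check and apply the schedule above, as an added Python example (not code from the original article or from any monitoring product): it verifies the certificate during the handshake and grades the days remaining. The tier labels and function names are assumptions chosen for this example.

```python
import socket
import ssl
from datetime import datetime, timezone

# Alert tiers from the schedule above (labels are assumptions of this example).
TIERS = [(1, "emergency"), (3, "critical"), (7, "urgent"),
         (14, "reminder"), (30, "early-warning")]


def days_remaining(not_after: str, now: datetime) -> int:
    """Whole days until expiry; not_after is in getpeercert()'s date format."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                     tz=timezone.utc)
    return (expires - now).days


def alert_tier(days: int) -> str:
    """Map days remaining to the most urgent tier that applies."""
    if days < 0:
        return "expired"
    for threshold, label in TIERS:
        if days <= threshold:
            return label
    return "ok"


def check_host(host: str, port: int = 443, timeout: float = 10.0) -> tuple:
    """Handshake with full verification, then grade the expiry date."""
    ctx = ssl.create_default_context()  # checks chain, hostname and validity
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # verify_message says why: expired, hostname mismatch, broken chain...
        return "verify-failed", exc.verify_message
    except OSError as exc:
        return "unreachable", str(exc)
    days = days_remaining(cert["notAfter"], datetime.now(timezone.utc))
    return alert_tier(days), f"{days} days left"


if __name__ == "__main__":
    for name in ["example.com", "www.example.com"]:
        print(name, *check_host(name))
```

Python's `ssl` module does not fetch missing intermediates on its own, so an incomplete chain shows up as `verify-failed` here even when a desktop browser would load the site.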
Why Auto-Renewal Isn't Enough
"But I have Let's Encrypt with auto-renewal!" Great. You still need monitoring.
When Auto-Renewal Fails
Auto-renewal systems fail more often than you'd expect:
- DNS changes: You moved DNS providers and broke the validation process
- Server changes: You migrated servers and forgot to set up certbot on the new one
- Permission issues: The renewal script can't write to the certificate directory
- Rate limits: Let's Encrypt rate limits hit during testing
- Firewall changes: Port 80 blocked, HTTP-01 validation fails
- Process crashes: The renewal service stopped running
The "It Worked Last Time" Trap
Your certificate renewed successfully for two years. You assume it always will. Then something changes, renewal fails, and you don't find out until it expires.
Monitoring is your safety net. Even with auto-renewal, you need to know:
- Is the certificate actually valid right now?
- Did renewal succeed last time?
- Is there time to fix it if renewal fails?
Trust But Verify
Auto-renewal is essential. Monitoring is your backup. Both together mean you never have a certificate emergency.
Common SSL Monitoring Mistakes
Only Monitoring the Main Domain
Your main site is fine, but api.example.com expires and your mobile app breaks. Monitor every domain and subdomain with a certificate.
Ignoring Staging Environments
Staging certificates expire too. When developers can't access staging, productivity drops. Treat staging SSL with the same care as production.
Not Testing Alert Delivery
Your alerts are configured, but are they actually being delivered? Test by setting a short threshold on a test domain, or manually trigger a test alert.
Alerts Going to One Person
If alerts only go to one person's email, what happens when they're on vacation? Send alerts to a team channel (Slack, Teams) and have backup recipients.
Setting Alerts Too Late
A 3-day warning isn't much time if renewal requires approvals, vendor coordination, or complex deployment. Start alerts at 30 days.
Forgetting About Intermediate Certificates
Your certificate is valid, but you forgot to update the intermediate. Some browsers work, others don't. Monitor chain validity, not just expiration.
Frequently Asked Questions
How often should SSL certificates be checked?
Daily checks are sufficient for expiration monitoring since certificates don't expire suddenly. However, checking more frequently (every few hours) can catch chain issues or configuration problems faster. Most monitoring tools check at least once per day.
Do I need SSL monitoring if I use Let's Encrypt?
Yes. Let's Encrypt auto-renewal is excellent but can fail due to DNS changes, server migrations, permission issues, or rate limits. SSL monitoring is your safety net—it alerts you if renewal fails so you can fix it before expiration.
What's the difference between SSL and TLS monitoring?
SSL (Secure Sockets Layer) is the older protocol; TLS (Transport Layer Security) is the modern replacement. When people say "SSL certificate" or "SSL monitoring," they usually mean TLS. The monitoring is the same—checking certificate validity, expiration, and configuration.
How far in advance should I renew SSL certificates?
Renew at least 2 weeks before expiration. This gives you time to handle unexpected issues, schedule deployment, and verify the new certificate works. Many organizations renew at 30 days to be safe. Let's Encrypt certificates can be renewed when 30 days remain.
What is certificate chain monitoring?
Certificate chain monitoring verifies that your server presents the complete chain: your certificate, intermediate certificate(s), and that they connect to a trusted root. Missing intermediates cause errors on some devices even with a valid certificate. Chain monitoring catches this before users do.
Can I monitor SSL certificates for free?
Yes. Many monitoring tools include SSL checks in their free tiers. You can also use command-line tools like OpenSSL for manual checks, though automated monitoring is more reliable. For comprehensive monitoring with alerts and chain validation, a dedicated tool is recommended.
Start Monitoring Your Certificates Today
SSL certificate problems are entirely preventable. You know exactly when certificates expire. The only question is whether you'll be reminded in time to act.
Set up monitoring now—before you have an emergency. List your domains, configure alerts, and sleep better knowing you'll never surprise your users with a security warning.