SSL Certificate Monitoring

SSL / TLS Certificate Monitoring

Dedicated cert checks: expiry alerts at 30, 14, 7, 3, and 1 days, full chain validation on every intermediate, signature-algorithm and key-strength checks, hostname & SAN matching, and before/after change detection so you catch a quietly re-issued cert before browsers do — on HTTPS sites and on any TLS endpoint, including SMTPS, IMAPS, and custom application ports.

Free forever tier. No credit card.

A Chain Is Only as Strong as Its Weakest Link

An expired cert is the obvious failure. The harder-to-spot ones are the ones that fail in specific browsers only: a missing intermediate, a weak signature algorithm, an expired root in a legacy trust store, a hostname that no longer matches a Subject Alternative Name. StatusDrift inspects the whole chain on every check, not just the leaf.

  • Expiry alerts at 30, 14, 7, 3, and 1 days — not “we’ll email you the day of”
  • Full chain validation — leaf, every intermediate, and trust anchor. Catch the “works in Chrome, breaks in Java” cert misconfiguration
  • Hostname & SAN matching — alert when the cert no longer covers the domain it’s served on
  • Signature algorithm checks — flag SHA-1 or other deprecated algorithms browsers have started rejecting
  • Key strength — catch weak keys (<2048-bit RSA, uncommon curves) that compliance audits will later ask about
  • Certificate change detection — know when a cert is re-issued unexpectedly, with a before/after diff of issuer, SANs, and validity dates

What StatusDrift Validates on Every Check

Expiration window

Not-before and not-after dates, days remaining, and a rolling alert schedule at 30, 14, 7, 3, and 1 days so renewal slippage gets escalated rather than ignored.

Chain integrity

Leaf, intermediates, and trust anchor all present and valid. The “works on my browser, fails in curl” intermediate-missing bug gets caught immediately.

Hostname match

CN and SAN entries checked against the host being monitored. A renewed cert that quietly dropped a SAN is surfaced before the affected subdomain breaks.

Signature algorithm

SHA-1 and other deprecated algorithms that modern browsers have stopped trusting are flagged — before a compliance audit (or a customer) finds them.

Change detection

Every time the cert changes (renewal, server swap, unexpected re-issue) StatusDrift records the before/after — issuer, fingerprint, validity, SANs — so you can tell a routine renewal from a surprise.
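The expiry-window, hostname-match and change-detection checks described above, as an added Python example; it is not StatusDrift's code. It works on dicts in the shape `ssl.SSLSocket.getpeercert()` returns, uses constructed sample certificates, and leaves out the fingerprint because that needs the DER bytes; all function and variable names are illustrative.

```python
import ssl
from datetime import datetime, timezone

ALERT_DAYS = (30, 14, 7, 3, 1)  # alert schedule stated on this page

def summarize(cert):
    """Reduce a getpeercert()-style dict to the fields worth diffing."""
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    sans = sorted(v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS")
    return {"issuer": issuer.get("organizationName"), "sans": sans,
            "not_before": cert["notBefore"], "not_after": cert["notAfter"]}

def covers(host, sans):
    """True if host matches a SAN; '*' stands for the leftmost label only."""
    host = host.lower()
    parent = host.split(".", 1)[1] if "." in host else None
    return any(s == host or (s.startswith("*.") and s[2:] == parent) for s in sans)

def check(host, previous, current, now):
    """Findings for one check, given the cert seen last time and the one seen now."""
    old, new = summarize(previous), summarize(current)
    days = int((ssl.cert_time_to_seconds(new["not_after"]) - now.timestamp()) // 86400)
    return {
        "changed": {k: (old[k], new[k]) for k in old if old[k] != new[k]},
        "dropped_sans": sorted(set(old["sans"]) - set(new["sans"])),
        "hostname_ok": covers(host, new["sans"]),
        "days_left": days,  # negative once the cert has expired
        # Tightest threshold already crossed; None while more than 30 days remain.
        "alert_tier": min((t for t in ALERT_DAYS if days <= t), default=None),
    }

# Constructed sample certificates in the shape ssl.SSLSocket.getpeercert() returns.
OLD_CERT = {
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "example.test"), ("DNS", "api.example.test")),
    "notBefore": "Mar 01 00:00:00 2025 GMT", "notAfter": "May 30 00:00:00 2025 GMT",
}
NEW_CERT = {
    "issuer": ((("organizationName", "Other CA"),),),
    "subjectAltName": (("DNS", "example.test"),),
    "notBefore": "May 10 00:00:00 2025 GMT", "notAfter": "Aug 08 00:00:00 2025 GMT",
}
CHECK_TIME = datetime(2025, 5, 10, tzinfo=timezone.utc)  # constructed "now"

if __name__ == "__main__":
    for key, value in check("api.example.test", OLD_CERT, NEW_CERT, CHECK_TIME).items():
        print(f"{key}: {value}")
```

The re-issued sample cert is healthy on expiry alone, yet the diff shows a new issuer and a dropped SAN, so the monitored subdomain no longer matches.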

Port & hostname flexibility

Monitor certs on non-standard ports — SMTPS (465), IMAPS (993), custom app ports — not just 443. Any TLS endpoint is fair game.

Why Cert Failures Cost More Than Downtime

An expired cert isn’t a 500 error a user can refresh past. It’s a full-screen browser warning that makes your site look compromised. Customers click away; integrations break; API clients throw exceptions that get investigated in a different codebase by a team that doesn’t yet know you forgot to renew.

  • Browser security warnings — most visitors leave rather than click through “Your connection is not private”
  • API integrations fail — strict TLS clients reject the cert silently and your partner’s ETL quietly drops records
  • Search and marketing impact — crawlers may deprioritize an endpoint that served a bad cert, and paid ad landing pages get disapproved
  • Compliance exposure — a weak algorithm flagged in a quarterly audit is a much worse conversation than fixing it proactively

HTTPS monitors aren’t a substitute

An HTTPS monitor will fail the check if the TLS handshake fails — so a fully expired or broken cert will eventually open an incident. But by then the outage is already live. A dedicated SSL monitor gives you the whole cert-inspection surface before that happens:

  • Advance-warning expiry alerts at 30, 14, 7, 3, and 1 days — not “we’ll break on Tuesday”
  • Full chain inspection including every intermediate, not just whether the handshake completed
  • Signature-algorithm and key-strength checks that flag weaknesses browsers haven’t started rejecting yet
  • Before/after change detection so a silent re-issue is caught immediately
  • TLS endpoints that aren’t HTTP — SMTPS, IMAPS, custom application ports

Run HTTPS monitors for availability, SSL monitors for the cert itself. They complement; neither replaces the other.

Questions Teams Usually Ask

I use Let’s Encrypt auto-renewal. Do I still need this?

Auto-renewal solves “I remembered to renew.” It doesn’t solve “renewal failed for three weeks because the ACME challenge endpoint was blocked” or “the new cert got issued but the load balancer is still serving the old one.” Cert monitoring catches both — you find out when the cert on the wire is about to expire, not when the renewal job should have run.

Can I monitor certs on internal hosts?

Two options. If the TLS port can be reached from the public internet (narrowly allowlisted to our check IPs), external probes inspect the cert the same way as a public endpoint. For fully air-gapped networks with no inbound exposure at all, install the StatusDrift agent inside your network — it reads the cert locally on each check and reports the result back over an outbound connection, so nothing new has to be exposed.

Does it catch mixed content?

Yes — mixed-content scanning is included on HTTPS website monitors. Whenever a page is served over HTTPS but embeds HTTP assets (scripts, stylesheets, images, iframes), StatusDrift flags the resources that would trigger a browser mixed-content warning. SSL monitors focus on the certificate and TLS handshake specifically; the mixed-content check lives on the HTTPS page check that renders the response.

When do expiry alerts start firing?

At 30 days out, then 14, 7, 3, and 1 day. Each is a separate alert — if you muted the 30-day one while you were on vacation, the 14-day still comes through. Configure which channel gets each alert per monitor.

How often is a cert re-checked?

Paid monitors check at a 30-second cadence; free monitors every 5 minutes. In practice, the certificate on the wire doesn’t change between checks, but frequent checks mean you see a change (or a chain failure) seconds after it happens, not hours later.

Can I manage cert monitors in Terraform?

Yes — the StatusDrift Terraform provider covers SSL monitors alongside every other monitor type. Declare the host, port, and alert contacts and ship it in the same PR as the infrastructure that serves the cert.

Pairs Well With

Domain Monitoring

Expired domain, expired cert — same category of “quietly lapsed payment” outages. Monitor both.


Website Monitoring

HTTPS uptime checks will flag a broken handshake after it’s happened. Run them alongside a dedicated SSL monitor to get both availability and advance-warning cert coverage.


DNS Monitoring

A silently changed A record can point your hostname at a server with the wrong cert. DNS monitoring catches the upstream change.


Never Be Surprised by a Cert Expiry

Five expiry warnings, full chain validation, change detection. Free forever tier.
