SSL Certificate Monitoring: Never Let a Cert Expire
Escalating expiry alerts from 90 days out down to the final 24 hours — plus Certificate Transparency monitoring that catches rogue and shadow-IT certs the moment they're issued.
Certificate Status at a Glance
Color-coded status badges, issuer details, and days remaining -- all in one table.
| Domain | Status | Issuer | Expires | Days Left | Last Checked |
|---|---|---|---|---|---|
| acme-corp.com | Valid | Let's Encrypt Authority X3 | Sep 14, 2026 | 160d | 35 min ago |
| api.acme-corp.com | Valid | DigiCert SHA2 EV | Dec 1, 2026 | 238d | 35 min ago |
| staging.acme.io | Expiring | Let's Encrypt Authority X3 | Apr 19, 2026 | 12d | 35 min ago |
| legacy.acme-corp.com | Expired | GeoTrust RSA CA 2018 | Mar 28, 2026 | -10d | 35 min ago |
Valid From
2026-01-19
Valid To
2026-04-19
Domain Match
Yes
Alert Threshold
14 days
Alerts Before the Browser Warning
An expired SSL certificate means browser warnings, lost user trust, and potential SEO penalties. Metric Tower alerts you well before expiry so you can renew on your schedule, not in a crisis.
Instead of a single alert threshold, Metric Tower sends escalating notifications as your cert approaches expiry — first at 90 days (informational), stepping up to 60, 30, 14, 7, 3, and finally 1 day before expiry, with each rung raising the severity from low to critical. Each alert fires exactly once per cert lifecycle and resets automatically when you renew. You can adjust the ladder per monitor or set a team-wide default.
-
Email -- Certificate expiry warnings and chain validation failures delivered to your inbox
-
Slack -- Real-time certificate alerts in your security or ops channel
-
PagerDuty & OpsGenie -- Critical expiry alerts routed through your incident management workflow
-
Webhooks -- Push certificate events to any HTTP endpoint for custom automation
SSL Certificate Expired
5 minutes ago
Certificate for legacy.acme-corp.com expired 10 days ago.
Issuer: GeoTrust RSA CA 2018 | Expired: 2026-03-28
Never Miss an Expiring Certificate
Automated SSL monitoring that catches expiry, chain issues, and protocol weaknesses.
Expiry Warnings
Configurable alert escalation as the cert approaches expiry — default schedule hits at 90, 60, 30, 14, 7, 3, and 1 day, with severity rising at each step. Adjust the schedule per domain or set a team-wide default.
Chain Validation
Verify the full certificate chain from leaf to root CA. Catch missing intermediates, self-signed certs, and domain mismatches automatically.
TLS Configuration
Check protocol versions and cipher suites. Ensure TLS 1.2+ is enforced and weak ciphers are disabled across all your endpoints.
Deep Certificate Visibility
Go beyond expiry dates. Understand the full picture of your TLS posture.
Certificate Expiry
Track expiry dates across all monitored domains with escalating alert severity from 90 days out to the final day. Color-coded status makes it easy to spot which certificates need renewal.
Chain Validation
Verify the certificate chain from your domain certificate through intermediates to the root CA. Catch broken chains that cause browser trust errors.
Protocol Checking
Verify TLS 1.2 and 1.3 enforcement. Get alerted if a server is still accepting deprecated protocol versions like TLS 1.0 or 1.1.
Domain Match
Verify that the certificate Subject Alternative Names (SANs) match the monitored domain. Detect misconfigured certificates serving the wrong hostname.
Issuer Tracking
See which Certificate Authority issued each certificate. Spot unexpected issuer changes that could indicate a compromised CA or man-in-the-middle attack.
On-Demand Checks
Trigger a certificate check for any domain at any time. Verify that a certificate renewal or deployment was successful without waiting for the next scheduled check.
Certificate Change Detection
SHA-256 fingerprint comparison on every check detects certificate reissuance, CA changes, and key rotation -- even when both old and new certificates are valid. Toggle per domain to track planned renewals vs unexpected swaps.
Certificate Transparency Monitoring
Poll public CT logs hourly to catch new certificates for your domains the moment they are issued — including certs from unexpected CAs, certs covering lookalike domains, and unexplained SAN expansion. Supports your certificate inventory tracking goals.
Catch Rogue Certs Before They're Used
Every publicly trusted certificate is logged to the Certificate Transparency (CT) network before it can be used. Metric Tower polls those logs hourly and alerts you when something unexpected appears for your domain — so you find out about rogue, shadow-IT, or mis-issued certs the moment they exist, not after an incident.
-
CAA violations — alert when a cert is issued by a CA not listed in your domain's CAA DNS record. Critical severity.
-
Lookalike domain certs — alert when a cert covers a domain that looks like yours (typosquatting, homoglyphs). High severity.
-
New cert issuance — informational alert whenever any cert is issued for your domain, giving you a complete issuance audit trail.
-
SAN sprawl — alert when a cert covers more Subject Alternative Names than your configured threshold, flagging unexpectedly broad certificates.
CT Log Events — acme-corp.com
CAA Violation
Cert issued by Actalis S.p.A — not in CAA policy
api.acme-corp.com · 2 min ago
Lookalike Domain Cert
Cert issued for acme-c0rp.com
Flagged by lookalike detection · 14 min ago
New Cert Issued
Let's Encrypt · staging.acme-corp.com
1 hour ago
Stop Expired Certificates from Breaking Trust
Track certificate expiry across all your domains with escalating alerts from 90 days out. Validate certificate chains, monitor CT logs for unauthorized issuance, and catch misconfigurations before they cause browser warnings or outages. Chain validation, issuer tracking, protocol analysis, and CT log monitoring — all included with your Metric Tower account.