Certificate Monitoring

Automated expiry tracking for every certificate you own.

TLS certificates expire. When they do without warning, every visitor sees a browser security error before your team is even aware. Certificate monitoring tracks expiration dates, chain validity, and configuration across all your domains — and alerts you weeks in advance so renewals happen on your schedule, not in an emergency.

The certificate expiry problem hasn't gone away

Certificate expiration is sometimes dismissed as a solved problem now that Let's Encrypt provides free auto-renewing certificates. In practice, certificate-related outages remain common — and not only from expiration. Auto-renewal systems break silently. Certificates are deployed on some servers but not others. Intermediate CA certificates change and break existing chains. Certificates cover the wrong hostnames after a migration. Each scenario produces a TLS error that affects users immediately.

The trend toward shorter certificate lifetimes makes this more critical, not less. The industry is moving toward 90-day certificates, and proposals for 47-day certificates are advancing. More frequent renewals mean more renewal operations — and more opportunities for something to go wrong. Without monitoring, you only discover a renewal failure when the certificate expires.

For organizations managing certificates across dozens of domains, subdomains, load balancers, and CDN configurations, maintaining visibility without automated monitoring is practically impossible. A spreadsheet or calendar reminder system has too many failure modes to be reliable at scale.

How NetTests tracks your certificates

NetTests connects to each monitored hostname over TLS and captures the full certificate chain on every check. It records the expiration date, issuer, serial number, Subject Alternative Names, key size, and signature algorithm for every certificate it observes. This baseline is compared on each subsequent check — any change triggers an alert.

Expiry alerts are staged: you receive notifications at the thresholds you configure — for example, 45, 21, 7, and 1 day before expiration. Each notification includes the certificate's full details so you know exactly which certificate on which host is approaching expiry and who the issuer is.

For organizations using automated certificate management (ACME/Let's Encrypt, AWS ACM, Google Certificate Manager), NetTests provides independent verification that auto-renewal is functioning correctly. If a renewal attempt fails and the certificate stops updating, monitoring will detect the stale expiry date and alert you — days or weeks before the expired certificate causes an outage.

Key features

Staged expiry alerts

Configure notification thresholds — 45, 21, 7, and 1 day — to match your renewal process timeline.

Full chain inspection

Capture and validate the complete certificate chain, including intermediate CA certificates that are commonly misconfigured.

SAN and wildcard tracking

Monitor certificates that cover multiple domains or wildcard entries and verify hostname coverage is correct.

Auto-renewal verification

Independently confirm that Let's Encrypt, AWS ACM, or other automated renewal systems are updating certificates as expected.

Certificate change detection

Alert when a certificate's issuer, serial number, or SANs change unexpectedly — catching misconfigurations and unauthorized replacements.

OCSP revocation monitoring

Check that certificates haven't been revoked by verifying their status against the issuing CA's OCSP responder.

Certificate Transparency integration

Surface certificates issued for your domains that you didn't request — an early warning sign of domain hijacking.

Portfolio dashboard

See every certificate you're tracking in one view, sorted by days until expiry — the clearest possible way to manage certificate risk.

Free certificate diagnostic tools

Inspect any certificate right now — then add it to your monitoring schedule.

Frequently asked questions

How often should certificate monitoring check my certificates?

Daily checks are sufficient for expiry tracking — certificates expire on a fixed date that doesn't change between checks. For change detection (catching an unexpected certificate replacement or misconfiguration), more frequent checks — every few hours — provide faster detection. The right frequency depends on your risk tolerance and how quickly you need to know about unexpected changes.

What happens when a certificate expires?

When a TLS certificate expires, browsers immediately display a security warning to visitors, blocking access to the site unless the user explicitly dismisses the warning. Most users will not dismiss the warning — they will navigate away. For HTTPS-only services, an expired certificate is effectively a complete outage. The impact is immediate and simultaneous for all users, across all browsers.

How does Let's Encrypt auto-renewal work and how can it fail?

Let's Encrypt certificates are renewed by a client such as Certbot or acme.sh running on a schedule — typically a daily cron job or systemd timer. The client attempts renewal when the certificate is within 30 days of expiry. Renewal can fail if: the cron job stops running, the DNS challenge stops resolving correctly, port 80 is blocked for HTTP challenges, rate limits are hit, or the certificate client itself fails to execute properly. None of these failures produce visible errors — they're silent until the certificate expires.

What is a wildcard certificate and how does monitoring work with one?

A wildcard certificate covers all first-level subdomains under a domain — for example, *.example.com covers api.example.com, app.example.com, and www.example.com. NetTests monitors the certificate as presented by each specific hostname individually, which means it can detect cases where the certificate was renewed on some servers but not correctly deployed to others — a common source of inconsistent TLS errors after renewals.

What is the difference between certificate monitoring and SSL monitoring?

The terms are often used interchangeably, but they emphasize different aspects. Certificate monitoring focuses specifically on the certificate lifecycle: expiry dates, issuer details, chain composition, and SAN coverage. SSL/TLS monitoring has a broader scope that also includes the security configuration of the TLS stack: supported protocol versions, cipher suite selection, OCSP stapling, and known vulnerability exposure. NetTests provides both as part of the same monitoring workflow.

Replace your certificate spreadsheet with real monitoring

NetTests tracks every certificate across all your domains, alerts you weeks before expiry, and verifies that auto-renewal is working — so certificate outages are eliminated, not just managed.

Start monitoring free →
No credit card required  ·  Free plan available