SSL / TLS Monitoring

Never let a certificate expire unexpectedly.

An expired TLS certificate takes your website offline for every visitor within seconds. SSL monitoring continuously verifies your certificates — expiry dates, chain validity, cipher strength, and revocation status — and alerts your team weeks before any issue becomes an emergency.

Why SSL certificate failures still happen

Certificate expiration is one of the most preventable causes of website outages — yet it happens constantly, to organizations of every size. The reason is simple: certificate management is easy to forget. An annual renewal reminder arrives, gets buried in an inbox, or is assigned to someone who has since left the organization. Ninety days later, the certificate expires at 3 AM, and every visitor to your site sees a browser security warning before your team knows anything is wrong.

Modern certificates issued by Let's Encrypt and other automated CAs have reduced some of this risk, but automation introduces its own failure modes. An ACME renewal script that silently fails, a DNS challenge that stops resolving correctly, or a server that stops accepting renewed certificates — all result in the same outcome: an expired certificate causing a live outage.

SSL monitoring provides a continuous safety net. Rather than relying on a single renewal reminder, it checks your certificates regularly, surfaces problems well in advance, and validates the full chain — not just the expiry date. When auto-renewal breaks, monitoring catches it before visitors do.

The business cost compounds quickly. An outage during a sales promotion or product launch costs revenue directly, while the browser security warning itself damages trust with every visitor who sees it — long after the certificate is renewed. If the affected service is covered by a customer SLA, an avoidable certificate lapse can trigger service credits or contract penalties that a five-minute renewal would have prevented entirely.

What NetTests SSL monitoring checks

NetTests connects to your HTTPS endpoints over TLS and performs a comprehensive inspection on every scheduled check. This includes validating the certificate chain from your end-entity certificate up through any intermediate CAs to a trusted root, confirming the certificate has not been revoked via OCSP, measuring the days remaining until expiration, and verifying that the hostname matches the certificate's Subject Alternative Names.

The check also evaluates the TLS configuration itself: which protocol versions are offered (TLS 1.2, TLS 1.3), which cipher suites are supported, and whether known-weak configurations are present. A certificate that is technically valid but uses deprecated ciphers represents a security risk that certificate expiry monitoring alone would not catch.

Alerts are dispatched on a configurable schedule — for example, 30 days before expiry, then again at 14 days, 7 days, and 1 day. You choose the thresholds. If a certificate changes unexpectedly — different issuer, different SANs — NetTests flags the change on the next check, giving you early warning of a potential misconfiguration or certificate substitution.

Alerts reach your team through email, Slack, Microsoft Teams, or SMS — pick one channel or several, per monitor. The dashboard lists every certificate you track sorted by days remaining, so the most urgent renewal always sits at the top. Click into any certificate to see its full chain, cipher suite, and OCSP status alongside a history of every previous check — useful when comparing today's configuration against what was deployed before a renewal.

Key features

Expiry countdown alerts

Receive staged warnings at 30, 14, 7, and 1 day before expiration — enough lead time for any renewal process.

Full chain validation

Validate the complete certificate chain from end-entity through intermediate CAs to a trusted root.

OCSP revocation check

Verify that certificates have not been revoked by querying the issuer's Online Certificate Status Protocol endpoint.

TLS protocol and cipher audit

Identify deprecated TLS versions and weak cipher suites that could expose your users to downgrade attacks.

SAN / hostname verification

Confirm that the certificate covers the correct hostnames, including wildcards and multi-domain SANs.

Change detection

Alert when a certificate changes issuer, serial number, or SANs — catching misconfigurations and unauthorized replacements.

Multi-domain coverage

Monitor every domain and subdomain you manage from a single dashboard — no more spreadsheet-based certificate tracking.

Auto-renewal validation

Verify that Let's Encrypt and other automated renewal systems are working correctly — catch silent failures before expiry.

What you'll see

A live look at certificate expiry across your domains, and the alert that fires as one approaches its threshold.

Certificate Monitor — acme.com DOMAIN ISSUER EXPIRES IN acme.com Let's Encrypt 64 days api.acme.com Let's Encrypt 64 days checkout.acme.com DigiCert 6 days mail.acme.com Let's Encrypt 41 days Alert sent — checkout.acme.com expires in 6 days
Example monitor — illustrative data

Not ready to commit?

Try the free Certificate Transparency search first. Find every certificate issued for your domain — including ones you didn't request — then set up continuous monitoring when you're ready.

Try the free tool →

Free SSL diagnostic tools

Run a one-off SSL check now, or set up continuous monitoring.

Frequently asked questions

How early should I be alerted before a certificate expires?

For most organizations, 30 days provides ample time to renew even a manually managed certificate. If your renewal process involves a CA approval workflow, internal ticket system, or multiple stakeholders, 45–60 days is safer. Automated renewal systems (Let's Encrypt, ACM) typically attempt renewal 30 days before expiry — monitoring at that threshold confirms the automation is working as expected.

What is OCSP and why does it matter?

The Online Certificate Status Protocol (OCSP) allows browsers and clients to verify in real time whether a certificate has been revoked by its issuer. If a certificate is compromised or mistakenly issued, the CA can revoke it — but that revocation only protects users if their client checks OCSP. OCSP stapling, where the server pre-fetches and caches the OCSP response, improves performance and reliability. NetTests checks both that OCSP is functional and that stapling is configured correctly where supported.

What is a certificate chain and why does it need to be valid?

A TLS certificate chain connects your end-entity certificate to a trusted root CA through one or more intermediate certificates. Browsers and clients verify this chain before trusting your certificate. An incomplete or incorrectly ordered chain causes TLS errors even when your certificate itself is valid and not expired. This is a common misconfiguration after certificate renewals, particularly when the intermediate certificate changes.

What TLS versions should I support?

TLS 1.2 and TLS 1.3 are the only versions that should be enabled on public services. TLS 1.0 and TLS 1.1 have been deprecated by the IETF and disabled by all major browsers. Supporting them provides no real compatibility benefit while exposing users to known protocol weaknesses. NetTests flags servers that still offer TLS 1.0 or 1.1 as a configuration warning.

What is certificate transparency and how does it help?

Certificate Transparency (CT) is a framework that requires CAs to log all issued certificates to public, append-only logs. This makes it possible to discover every certificate issued for your domains — including certificates you didn't request. Monitoring CT logs helps detect unauthorized certificate issuance, which may indicate a domain hijacking attempt or a CA misconfiguration. NetTests integrates with crt.sh to surface unexpected certificates for your domains.

How does SSL monitoring work with wildcard certificates?

Wildcard certificates (e.g., *.example.com) cover all first-level subdomains under a domain. NetTests monitors the certificate as presented by each host individually, which means you can track the same wildcard certificate separately on api.example.com, app.example.com, and www.example.com. If the certificate is renewed on one host but not correctly deployed to another, monitoring will catch the discrepancy.

Stop tracking certificates in a spreadsheet

NetTests monitors every certificate you own, alerts you before expiry, and validates your TLS configuration on every check — so expired certificates become a thing of the past.

Start monitoring free →
No credit card required  ·  Free plan available