SSL certificate monitoring checks your TLS certificates on a schedule and alerts you before they expire. An expired certificate triggers browser security warnings that block most visitors — monitoring gives you days or weeks of notice to renew.
Certificates expire — typically every 90 days with automated CAs, annually with traditional ones. Monitoring tracks expiry dates across all your domains and subdomains and warns you at 30, 14 and 7 days so renewal never becomes an emergency.
Check your website
See how your site handles ssl certificate monitoring: never be surprised by expiry — free, no account needed.
For business owners
An expired SSL certificate is a full-page browser warning that says your site is not safe. Most visitors will not click through. Certificate monitoring is trivial to set up and prevents one of the most embarrassing, revenue-destroying outages a business can suffer — often caused simply by a forgotten renewal.
How it works (technical)
Monitoring works by:
- Connecting to each hostname on port 443 and reading the presented certificate.
- Extracting the
notAfterexpiry date and issuer. - Alerting at configurable thresholds (30, 14, 7, 1 day).
- Optionally checking that the chain is complete and trusted.
Best practice is automated renewal (ACME/Let's Encrypt with Certbot or your host's auto-renew) plus monitoring as a safety net — automation can fail silently if DNS, firewall or validation changes.
Real-world example
A company relied on manual annual renewal. The responsible engineer left and nobody updated the calendar. Certificate monitoring emailed the team 14 days before expiry; they renewed in ten minutes. Without the alert the site would have shown security warnings to every visitor on expiry day.
Why it matters
Certificate expiry is a common, preventable outage. Scanners flag certificates expiring within 14 and 30 days; continuous monitoring ensures you never depend on remembering to check.
How to fix it
Enable automated certificate renewal (ACME) for every public hostname.
Add certificate expiry monitoring as a backup safety net.
Set alerts at 30, 14 and 7 days before expiry.
Monitor every subdomain, not just the apex — wildcards and subdomains expire too.
Document who receives alerts and who is responsible for renewal.
Best practices
Automate renewal and monitor as a belt-and-braces fallback.
Track all hostnames including staging if they are public.
Verify the full chain is served, not just that the certificate exists.
Common mistakes
Assuming auto-renew always works without monitoring it.
Monitoring only the main domain while subdomains expire unnoticed.
Setting a single alert the day before expiry — too late to fix calmly.
Frequently asked questions
How long before expiry should I get alerted?
At least 30 days for manual renewals, 14 and 7 days as backups. With 90-day Let's Encrypt certs, weekly monitoring catches problems early even if auto-renew fails.
Do I still need monitoring if I use Let's Encrypt auto-renew?
Yes. Auto-renew can fail due to DNS changes, firewall blocks or validation errors. Monitoring catches those failures before visitors see warnings.
Put this into practice
See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.
Scan your website free