Question 1

What types of certificates can you monitor?

Accepted Answer

We monitor any SSL/TLS certificate accessible over the network, including certificates from all major CAs (Let's Encrypt, DigiCert, Comodo, GlobalSign, etc.), self-signed certificates, wildcard certificates, and multi-domain SAN certificates. Supports direct TLS on any port, plus STARTTLS for mail (SMTP, IMAP, POP3, LMTP), directory (LDAP), and file transfer (FTP) protocols.

Question 2

What happens when a certificate is about to expire?

Accepted Answer

We send alerts at fully configurable thresholds, anywhere between 0 and 90 days before expiration. Each alert includes certificate details, expiration date, and recommended actions, delivered via email, Slack, SMS, webhooks, and many other channels.

Question 3

Do you check the full certificate chain?

Accepted Answer

Yes. We validate the complete chain from the leaf certificate through all intermediates to the root CA. Expired or missing intermediate certificates cause the same browser warnings as an expired leaf certificate, so we alert on any chain issue, not just the end certificate.

Question 4

Can I monitor internal/private certificates?

Accepted Answer

Yes. Deploy on-premise monitoring agents within the network to track internal certificates, private CA infrastructure, and self-signed certificates. Agents run as lightweight Docker containers and check certificates without exposing internal networks.

Question 5

What certificate details do you track?

Accepted Answer

Tracks certificate details including: issuer and subject information, validity period (not before/not after dates), Subject Alternative Names (SANs), key type and size, signature algorithm, serial number, and certificate chain. Validation checks cover expiration, chain integrity, hostname matching, CA trust, revocation status, and cryptographic algorithm strength.

Question 6

Can I monitor certificates on non-standard ports?

Accepted Answer

Yes. Monitors certificates on any port, including STARTTLS connections for protocols that upgrade to TLS mid-connection. Supported STARTTLS protocols: SMTP (25), IMAP (143), POP3 (110), LMTP (24), FTP (21), and LDAP (389). Also supports implicit TLS variants: SMTPS (465), IMAPS (993), POP3S (995), FTPS (990), and LDAPS (636).

Question 7

Do you support Let's Encrypt and automated certificate provisioning?

Accepted Answer

Yes, and monitoring is especially valuable here. Let's Encrypt and other ACME-based systems renew automatically, but renewal failures are silent: a misconfigured renewal job, a failed DNS challenge, or a changed server can leave an expired certificate in place with no indication anything went wrong. Certificate Monitoring catches this by verifying the certificate itself, not just assuming the renewal process ran.

Question 8

What else can trigger an alert besides expiration?

Accepted Answer

Certificate Monitoring supports 8 independently configurable alert types: expiration thresholds, hostname verification failures, CA trust failures, chain integrity failures, connection failures, missing or misconfigured DNS CAA records, certificate fingerprint changes, and certificate flapping. Each alert type can be enabled or disabled per monitoring profile.

Question 9

How do I manage different alert settings for different environments?

Accepted Answer

Monitoring Profiles let you group hosts with shared settings. A profile defines the alert thresholds, alert types, private CA assignments, and monitoring agent routing for all hosts assigned to it. Profile changes apply immediately to all hosts using that profile.

Question 10

Can I integrate certificate monitoring with my CI/CD pipeline?

Accepted Answer

Yes. The API integrates certificate monitoring into deployment pipelines. Verify certificates are valid after deployments, add new domains automatically when deploying new services, and receive webhook notifications that trigger automated responses. Includes a GitHub Action for easy integration with GitHub workflows.

SSL Certificate Monitoring FAQ

What types of certificates can you monitor?

What happens when a certificate is about to expire?

Do you check the full certificate chain?

Can I monitor internal or private certificates?

Can I monitor certificates on non-standard ports?

Do you support Let's Encrypt and ACME-based renewals?

What else can trigger an alert besides expiration?

How do I manage different alert settings for different environments?

Can I integrate certificate monitoring with my CI/CD pipeline?

How does Generator Labs compare to UptimeRobot or TrackSSL?

Still Have Questions?