Common questions about Certificate Monitoring answered.
We monitor any SSL/TLS certificate accessible over the network, including certificates from all major CAs (Let's Encrypt, DigiCert, Comodo, GlobalSign, etc.), self-signed certificates, wildcard certificates, and multi-domain SAN certificates. We support direct TLS on any port, plus STARTTLS for mail (SMTP, IMAP, POP3, LMTP), directory (LDAP), and file transfer (FTP) protocols.
We send alerts at fully configurable thresholds, anywhere between 0 and 90 days before expiration. Each alert includes certificate details, expiration date, and recommended actions, delivered via email, Slack, SMS, webhooks, and many other channels.
Yes. We validate the complete chain from the leaf certificate through all intermediates to the root CA. Expired or missing intermediate certificates cause the same browser warnings as an expired leaf certificate, so we alert on any chain issue, not just the end certificate.
Yes. Deploy on-premise monitoring agents within the network to track internal certificates, private CA infrastructure, and self-signed certificates. Agents run as lightweight Docker containers and check certificates without exposing internal networks.
We track certificate details including issuer and subject information, validity period (not before/not after dates), Subject Alternative Names (SANs), key type and size, signature algorithm, serial number, and certificate chain. Validation checks cover expiration, chain integrity, hostname matching, CA trust, revocation status, and cryptographic algorithm strength.
Yes. We monitor certificates on any port, including STARTTLS connections for protocols that upgrade to TLS mid-connection. Supported STARTTLS protocols: SMTP (25), IMAP (143), POP3 (110), LMTP (24), FTP (21), and LDAP (389). Implicit TLS variants are also supported: SMTPS (465), IMAPS (993), POP3S (995), FTPS (990), and LDAPS (636). Specify the host, port, and protocol when adding a host.
Yes, and monitoring is especially valuable here. Let's Encrypt and other ACME-based systems renew automatically, but renewal failures are silent: a misconfigured renewal job, a failed DNS challenge, or a changed server can leave an expired certificate in place with no indication anything went wrong. Certificate Monitoring catches this by verifying the certificate itself, not just assuming the renewal process ran.
Certificate Monitoring supports 8 independently configurable alert types: expiration thresholds, hostname verification failures, CA trust failures, chain integrity failures, connection failures, missing or misconfigured DNS CAA records, certificate fingerprint changes, and certificate flapping (multiple fingerprint changes within a short window, which often indicates a load balancer misconfiguration). Each alert type can be enabled or disabled per monitoring profile.
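The difference between a single fingerprint change (a normal renewal) and flapping can be shown with a small sliding-window check. This is an added example, not the product's own code; the one-hour window, the three-change threshold, the function names and the sample fingerprints are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed values: the page does not state the product's window or threshold.
FLAP_WINDOW = timedelta(hours=1)
FLAP_MIN_CHANGES = 3


def classify_fingerprints(observations, window=FLAP_WINDOW,
                          min_changes=FLAP_MIN_CHANGES):
    """Classify each fingerprint change as 'changed' or 'flapping'.

    observations: list of (datetime, fingerprint) tuples sorted by time,
    one per monitoring check of the same host and port.
    Returns a list of (datetime, event) tuples, one per detected change.
    """
    events = []
    change_times = []  # timestamps of recent changes, pruned to the window
    previous = None
    for seen_at, fingerprint in observations:
        if previous is not None and fingerprint != previous:
            change_times.append(seen_at)
            # Drop changes that have aged out of the sliding window.
            change_times = [t for t in change_times if seen_at - t <= window]
            kind = "flapping" if len(change_times) >= min_changes else "changed"
            events.append((seen_at, kind))
        previous = fingerprint
    return events


def sample_series(start, step_minutes, fingerprints):
    """Build constructed observations spaced step_minutes apart."""
    return [(start + timedelta(minutes=i * step_minutes), fp)
            for i, fp in enumerate(fingerprints)]


# Constructed sample data (shortened placeholder fingerprints).
T0 = datetime(2024, 1, 1, 0, 0)
# One renewal: the fingerprint changes once and then stays stable.
RENEWAL = sample_series(T0, 360, ["aa11", "aa11", "bb22", "bb22", "bb22"])
# Two backends behind a load balancer serving different certificates.
FLAPPING = sample_series(T0, 5, ["aa11", "bb22", "aa11", "bb22", "aa11"])

if __name__ == "__main__":
    for name, series in (("renewal", RENEWAL), ("flapping", FLAPPING)):
        for seen_at, kind in classify_fingerprints(series):
            print(f"{name}: {seen_at.isoformat()} {kind}")
```

In the flapping series the first two changes are reported as ordinary changes and only the third within the window is escalated, which is why a flapping alert is useful as a separate type from a fingerprint-change alert.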
Monitoring Profiles let you group hosts with shared settings. A profile defines the alert thresholds, alert types, private CA assignments, and monitoring agent routing for all hosts assigned to it. You might have a "Production" profile with aggressive thresholds and PagerDuty alerts, a "Staging" profile with looser thresholds and email-only alerts, and an "Internal" profile that validates against your private CA. Profile changes apply immediately to all hosts using that profile.
Yes. The API integrates certificate monitoring into deployment pipelines. You can verify that certificates are valid after deployments, add new domains automatically when deploying new services, and receive webhook notifications that trigger automated responses. A GitHub Action is included for easy integration with GitHub workflows.