Certificate Monitoring is now generally available. You can add hosts, configure alert thresholds, and start receiving expiration alerts today.
What It Does
Certificate Monitoring checks your SSL/TLS certificates continuously and alerts you before they expire. Every check goes beyond the expiration date: full chain validation, hostname verification, revocation status, algorithm strength, and DNS CAA record configuration are all validated on each run.
There are 8 independently configurable alert types per monitoring profile:
- Expiration: alerts at up to 10 configurable thresholds, anywhere from 0 to 90 days before expiration
- Chain integrity failures: catches missing or expired intermediate certificates
- Hostname mismatches: flags certificates that do not cover the host they are serving
- CA trust failures: alerts when a certificate cannot be validated to a trusted root
- Revocation: detects certificates pulled by their CA
- Certificate fingerprint changes: tracks renewals and unexpected replacements
- Certificate flapping: multiple fingerprint changes in a short window, often indicating a load balancer misconfiguration
- Missing or misconfigured CAA records: ensures only authorized CAs can issue for your domains
Monitoring Profiles
Monitoring Profiles group hosts with shared settings. Create a Production profile with aggressive thresholds and PagerDuty alerts, a Staging profile with looser thresholds and email-only, and an Internal profile for private CA hosts. Profile changes apply immediately to all assigned hosts.
Internal Certificate Monitoring
External monitoring cannot reach internal services, private CA infrastructure, or self-signed certificates. Deploy a lightweight monitoring agent inside your network as a Docker container. The agent checks internal hosts and reports certificate data to the platform over outbound HTTPS. No inbound firewall rules are required. Private keys never leave your network.
The monitoring agent is open source and available on GitHub.
Every Protocol
Monitors direct TLS on any port, plus STARTTLS for SMTP, IMAP, POP3, LMTP, FTP, and LDAP. Implicit TLS variants (SMTPS, IMAPS, POP3S, FTPS, LDAPS) are also supported.
Pricing
Certificate Monitoring is priced at $0.01 per host per day. There are no contracts, no minimums, and no flat monthly fees. You pay only for active hosts.