SSL Certificate Monitoring Guide

Why SSL Certificates Expire

Every SSL/TLS certificate has a built-in expiration date. This is not a design flaw. It is a security mechanism.

Certificates bind a domain name to a cryptographic key. If that key is compromised, the certificate needs to be revoked. But revocation checking is unreliable: browsers do not always check certificate revocation lists (CRLs) or OCSP responders, and when they do, the checks can be slow or fail silently. Short-lived certificates reduce the window during which a compromised key can be exploited.

The industry has been pushing certificate lifetimes shorter over the years. In 2015, certificates could last five years. By 2018, the maximum was two years. Today, most paid certificates max out at one year (398 days), and Let's Encrypt certificates expire every 90 days.

Shorter lifetimes are better for security. They are worse for operations teams that forget to renew.

What Happens When Your SSL Certificate Expires

When a certificate expires, browsers do not show a subtle warning. They show a full-page security error that blocks the user from proceeding.

In Chrome, visitors see "Your connection is not private" with error code NET::ERR_CERT_DATE_INVALID. In Firefox, it is "Warning: Potential Security Risk Ahead." Safari shows a similar blocking page. In all cases, the browser actively prevents the user from reaching your site.

The consequences cascade:

Immediate traffic loss. Most users will not click through a security warning. They will close the tab and go to a competitor.
SEO impact. If Googlebot encounters an SSL error during a crawl, it may deindex pages or drop your rankings. Google uses HTTPS as a ranking signal, and an invalid certificate undermines it.
Broken integrations. API clients that verify SSL (which they should) will refuse to connect. Webhooks will fail. Payment processors will reject requests. Your site might be "up" while critical functionality is completely broken.
Trust erosion. Users who see a security warning associate it with being hacked. Even after you fix it, some will hesitate to enter payment information on your site again.

An expired SSL certificate is not a minor inconvenience. It is a full-site outage for all practical purposes. Browsers will block access, APIs will fail, and search engines will penalize you.

The Let's Encrypt 90-Day Cycle

Let's Encrypt transformed SSL by making certificates free and automatable. It also created a new class of operational risk.

With a 90-day certificate lifetime and a recommendation to renew at 60 days, Let's Encrypt expects you to automate renewal via ACME clients like Certbot. When automation works, it is seamless. You never think about SSL because certificates renew themselves.

When automation breaks, you have 30 days of buffer before the certificate expires. That sounds like a lot. In practice, here is what happens:

Your certbot cron job fails silently because a server update changed the webroot path.
Nothing alerts you because you do not have certificate monitoring.
Thirty days later, the certificate expires on a Friday evening.
You discover it Monday morning when a customer emails you.

This is not a hypothetical scenario. It happens constantly, even to experienced teams. Let's Encrypt's own data shows millions of certificates expiring without renewal each month.

The failure modes for auto-renewal are numerous:

Web server configuration changes that break the ACME challenge verification.
File permission issues that prevent the ACME client from writing renewal files.
DNS changes that break DNS-01 challenges.
Server migrations where the ACME client is not reinstalled or configured.
Containerized deployments where the renewal process is not part of the container lifecycle.
Load balancer configurations that do not pass through ACME challenge requests to the renewal client.

Auto-renewal is your first line of defense. SSL monitoring is your second.

How SSL Certificate Monitoring Works

SSL monitoring connects to your server on port 443, performs a TLS handshake, and inspects the certificate that your server presents. It checks several things:

Expiration Date

The most critical check. How many days until the certificate expires? Monitoring tools alert you at configurable thresholds, typically at 30, 14, and 7 days before expiry, giving you time to investigate and fix renewal issues.

Certificate Chain Validity

A valid SSL certificate requires a complete chain from your server certificate through intermediate certificates up to a trusted root certificate authority. Missing intermediates cause errors in some browsers but not others, making these issues notoriously hard to catch without automated testing.

Domain Match

The certificate's Common Name (CN) or Subject Alternative Names (SANs) must match the domain being served. A wildcard certificate for *.example.com covers app.example.com but not example.com itself. Monitoring catches mismatches that would trigger browser warnings.

Protocol and Cipher Strength

Some monitoring tools also check that your server supports current TLS protocol versions and uses strong cipher suites. Servers still using TLS 1.0 or weak ciphers may be vulnerable to known attacks.

Certificate Authority Trust

Verifies that the certificate was issued by a trusted CA. If your CA is distrusted (as happened with Symantec in 2018), monitoring catches this before browsers start rejecting your certificate.

Never Miss an SSL Expiry Again

Site Watcher monitors SSL certificates alongside uptime, domain, DNS, and vendor dependencies. Alerts at 30, 14, and 7 days before expiry. Free for 3 targets.

Certificate Chain Issues: The Hidden Failure Mode

Certificate chain problems are the most insidious SSL issue because they do not affect all users equally.

Your SSL certificate is part of a chain of trust. Your server certificate is signed by an intermediate certificate, which is signed by a root certificate that browsers trust inherently. Your server needs to send the complete chain (server certificate plus intermediates) during the TLS handshake.

When the intermediate certificate is missing from your server configuration:

Desktop Chrome and Firefox might still work because they can fetch missing intermediates automatically (a process called AIA fetching).
Mobile Safari and older Android browsers will show a certificate error because they do not fetch missing intermediates.
API clients and curl will fail with a certificate verification error.
Automated tools and bots including Googlebot may report SSL errors.

You end up in a situation where your site works fine in your browser but is broken for a significant subset of your users. Manual testing does not catch this reliably because your browser is doing AIA fetching behind the scenes.

SSL monitoring tools that validate the full certificate chain catch this issue immediately.

After installing or renewing a certificate, always verify the full chain. SSL monitoring does this automatically on every check, catching chain issues that manual testing misses due to browser AIA fetching.

Setting Up SSL Certificate Monitoring

Here is a practical setup that covers the common failure modes.

Inventory All Certificates

List every domain and subdomain your organization uses. Do not forget: API subdomains, staging environments, email servers (for STARTTLS), internal tools behind a VPN, and CDN-served assets. Each one has its own certificate or is covered by a wildcard, and each needs monitoring.

Set Multi-Stage Alert Thresholds

Configure alerts at three stages: 30 days (early warning, investigate renewal), 14 days (action required, fix renewal if broken), and 7 days (emergency, manual renewal needed). The 30-day alert gives you time to investigate without urgency. The 7-day alert is your last safety net.

Route Alerts to the Right People

SSL renewal typically falls to DevOps or infrastructure teams, not frontend developers. Route SSL alerts to the people who have server access and can run certbot or update certificates in your hosting provider's dashboard. Include a secondary contact for escalation.

Document Your Renewal Process

For each certificate, document how it is renewed. Is it auto-renewed via Certbot? Is it a paid certificate managed through your registrar? Is it provisioned by your CDN? When a 30-day alert fires, the person responding needs to know where to look and what to do.

Test After Every Change

After renewing a certificate, migrating a server, or changing your web server configuration, verify that the certificate chain is valid and the correct certificate is being served. SSL monitoring does this automatically, but a manual check immediately after changes catches issues faster than waiting for the next scheduled check.

Multi-Domain and Wildcard Certificate Monitoring

Organizations with many subdomains often use wildcard certificates (*.example.com) or multi-domain SAN certificates. These introduce specific monitoring considerations.

Wildcard certificates cover any subdomain at one level but not the apex domain itself. A wildcard for *.example.com covers app.example.com and blog.example.com but not example.com. You need to monitor both the wildcard-covered subdomains and the apex domain separately.

SAN certificates list specific domains in the Subject Alternative Names field. When you add a new subdomain, you need to reissue the certificate with the new SAN entry. Monitoring should verify that each domain listed in the SAN is actually being served with the correct certificate.

Multiple certificates across different servers or services (your web server uses one certificate, your CDN uses another, your email server uses a third) each have independent expiration dates. A unified monitoring dashboard that tracks all of them prevents the scenario where you renew your web certificate but forget about the one on your mail server.

Common SSL Monitoring Mistakes

Monitoring only the primary domain. If app.yourdomain.com has a different certificate from www.yourdomain.com, and you only monitor www, the app subdomain can expire without warning.

Trusting auto-renewal blindly. Auto-renewal reduces the frequency of SSL failures. It does not eliminate them. Monitoring is the verification layer that confirms renewal actually happened.

Not monitoring internal services. Internal tools behind a VPN still need valid SSL if they handle sensitive data or if your team uses them daily. An expired certificate on an internal dashboard is still disruptive.

Ignoring certificate chain warnings. Some monitoring tools report chain issues as warnings rather than errors. Treat chain issues as critical: they cause real failures for real users on real devices.

Setting alerts too late. A 7-day warning might not be enough if the person responsible is on vacation or if the renewal process requires coordination with a third party. Start with 30-day alerts.

SSL Monitoring and Compliance

For organizations subject to PCI DSS, HIPAA, SOC 2, or similar compliance frameworks, SSL monitoring is not optional.

PCI DSS requirement 4.1 mandates strong cryptography for transmitting cardholder data. An expired or misconfigured SSL certificate is a compliance violation. SOC 2's Common Criteria 6.1 requires protection of data in transit, which depends on valid SSL.

SSL monitoring provides the audit trail that demonstrates continuous compliance. Your monitoring logs show that certificates were valid throughout the reporting period, or they show exactly when an issue occurred and how quickly it was resolved.

SSL certificates are the one infrastructure component where "it will probably auto-renew" is never an acceptable monitoring strategy.

SSL Monitoring as Part of the Whole Picture

Site Watcher monitors SSL certificates, uptime, domain expiry, DNS records, and vendor dependencies from one dashboard. $39/mo unlimited. Free for 3 targets.

SSL Certificate Monitoring Guide: Prevent Expiry, Catch Chain Issues, Stay Secure