Continuous SSL / TLS certificate monitoring with email and webhook alerts. By March 2029, public certs will expire every 47 days. The manual calendar reminder is dead. We watch every certificate; you sleep.
On April 11, 2025, the CA/Browser Forum approved Ballot SC-081v3 — a phased reduction in public TLS certificate maximum validity, codified into the Baseline Requirements every public CA must follow. Here's what changes for you.
For an enterprise with 600 public certificates, the math at 47 days is stark: ~4,660 issuances per year instead of ~600 today. Manual cert management isn't just inefficient by 2029, it's mathematically impossible. Read the full breakdown →
We open a real TLS connection to your host, read the cert chain, and compute days remaining. No third-party scraping, no stale data.
Warning at 30 days (configurable), critical at 7 days (configurable). 24-hour dedupe means no spam if you ignore the first one.
Email goes to your account address. Webhook posts a signed JSON payload to Slack, Discord, PagerDuty, or your own endpoint.
Daily is enough for cert expiry on most workloads. Free checks from every 10 minutes, Starter from 5; Professional unlocks 1-minute intervals if you want.
Renewed a cert? You get a 'recovered' email so you know the monitor caught the rotation and is back to healthy.
Each check records issuer, subject, SAN list, protocol (TLS 1.2 / 1.3), cipher, and SHA-256 fingerprint — for audit, debugging, and trend analysis.
Paste api.example.com (or any hostname:port). We pick TLS port 443 by default.
Defaults are 30 and 7 days. Bump them if your renewal workflow needs more lead time.
Email is on by default. Toggle webhook on and paste your Slack / PagerDuty URL.
The enterprise tools below all do cert monitoring competently — and also a hundred other things you may not need. We do five monitor types well, for the price of a Friday-night takeaway per month.
| Solution | Cert expiry | Setup | Starting price |
|---|---|---|---|
| Trace Warrior | ✓ | Paste hostname | Free for 3 · from $9/mo |
| Solarwinds Cert Monitor | ✓ | Agent + config | $1,800/yr |
| Datadog SSL monitoring | ✓ | Agent + integration | From $23/host/mo |
| Zabbix SSL monitoring | ✓ | Template + DB | Free / hours of setup |
| Manual calendar reminders | — | Spreadsheet | Free / outages |
Every check interval (from 1 minute on Professional, 5 minutes on Starter, 10 minutes on Free), we open a real TLS connection to your host, read the certificate chain, and record the days remaining until expiry. When days remaining crosses your warning threshold (default 30 days) you get a warning alert; when it crosses critical (default 7 days) you get a critical alert. Email and webhook channels both supported.
In April 2025 the CA/Browser Forum unanimously approved Ballot SC-081v3, codifying a phased reduction in public TLS certificate maximum validity: 398 days today, 200 days from March 2026, 100 days from March 2027, and 47 days from March 2029. The aim is to limit damage from key compromise, force regular key rotation, and drive automation across the ecosystem.
ACME-automated certs (Let's Encrypt, ZeroSSL, BuyPass etc.) are already short-lived — 90 days for Let's Encrypt — and rotate automatically. They still need monitoring, though: ACME renewal can fail silently due to DNS changes, rate limits, or webroot misconfiguration. Our monitor catches those failures by watching the actual deployed certificate, not the renewal process.
Defaults are 30 days warning and 7 days critical, which works for most teams. If your renewal workflow needs a longer lead time (manual procurement, change control windows), bump the warning to 45 or 60 days. If you're fully automated, you can drop warning to 14 days. The two thresholds are independent — set them however suits your runbook.
V1 watches days-to-expiry only. We deliberately open the TLS connection with rejectUnauthorized=false so we can read the cert even when the chain is broken — that way we still tell you about expiry. Chain validity and SAN coverage checks are planned for v1.1.x.
Three things: price (3 monitors free forever, paid plans from $9/month vs hundreds/thousands per year), setup time (paste a hostname, done — no agents, no Nagios config), and focus (we do five monitor types well, not 500 features poorly). Same engineers who maintain enterprise stacks use us for the personal / side-project domains they care about.
3 monitors free forever. 15 on Starter, 50 on Professional, unlimited on Enterprise — with a 14-day free trial, no card up front. Cancel any time.
