SSL / TLS Certificate Monitoring
Monitor SSL certificate expiration with configurable warning thresholds. Never miss an expiring certificate.
Overview
SSL/TLS certificate monitoring ensures your certificates are valid and not approaching expiration. Expired certificates cause browser warnings, failed API connections, and broken trust with your users. upti.my continuously checks your certificates and alerts you well before they expire, giving you time to renew.
Beyond expiration tracking, SSL checks provide comprehensive details about your TLS configuration, including the TLS version, cipher suite, certificate chain, and issuer information. This helps you maintain strong security practices across all your domains.
Configuration
| Parameter | Description | Default |
|---|---|---|
| Host | The hostname to check the SSL certificate for | Required |
| Port | The port to connect to for the TLS handshake | 443 |
| Expiry Warning Days | Number of days before expiration to trigger a warning | 30 |
💡 Warning Threshold
Set your expiry warning days based on your certificate renewal process. If you use automated renewal (e.g., Let's Encrypt with certbot), 14 days may be sufficient. For manual renewal processes, 30 to 60 days gives you adequate time to act.
How It Works
When an SSL health check runs, upti.my performs a TLS handshake with the target host and inspects the presented certificate. The check evaluates:
- Whether the TLS handshake completes successfully
- The full certificate chain from leaf to root
- Certificate validity dates (not before, not after)
- Days remaining until the certificate expires
- Whether the expiry warning threshold has been crossed
Response Data
Each SSL health check execution captures comprehensive certificate and connection data:
| Field | Description |
|---|---|
| TLS Handshake Status | Whether the TLS handshake completed successfully |
| TLS Version | The negotiated TLS protocol version (e.g., TLS 1.2, TLS 1.3) |
| Cipher Suite | The cipher suite used for the connection |
| Certificate Chain Length | Number of certificates in the chain (leaf + intermediates) |
| Subject | The certificate subject (typically the domain name) |
| Issuer | The certificate authority that issued the certificate |
| Serial Number | The unique serial number of the certificate |
| Valid From | The date the certificate became valid |
| Valid Until | The date the certificate expires |
| Days Until Expiry | Number of days remaining before the certificate expires |
| Expiry Warning Flag | Whether the certificate is within the warning threshold |
Example Configuration
{
"host": "example.com",
"port": 443,
"expiry_warning_days": 30,
"timeout_seconds": 10,
"interval_seconds": 3600
}ℹ️ Check Frequency
SSL certificates change infrequently, so checking every hour or every few hours is usually sufficient. More frequent checks are unnecessary and consume monitoring resources without added benefit.
Common Use Cases
- Expiration Prevention - Get alerted days or weeks before certificates expire
- Renewal Verification - Confirm that automated renewals (Let's Encrypt, ACM) are working
- Security Auditing - Track TLS versions and cipher suites across all domains
- Multi-Domain Monitoring - Monitor certificates for all your domains from a single dashboard
- Non-Standard Ports - Monitor TLS on services like SMTPS (465), IMAPS (993), or custom ports
Best Practices
- Set up SSL checks for every domain and subdomain you manage
- Use a warning threshold that matches your renewal workflow (14 days for automated, 30+ for manual)
- Monitor non-standard TLS ports alongside standard HTTPS on port 443
- Review TLS version and cipher suite data regularly to ensure you meet security standards
- Set up alert escalation for critical certificates approaching expiry
⚠️ Certificate Chain Issues
An incomplete certificate chain can cause TLS failures on some clients even if the certificate itself is valid. If the chain length seems shorter than expected, verify that your server is sending all intermediate certificates.