← All articles
Monitor types · 8 min read

SSL Certificate Monitoring: a Practical Guide for 2026

A glowing padlock icon overlaying a stream of network data.

Expired SSL certificates are the most preventable outage in the industry. The cert was valid yesterday, your monitoring sat quiet, and this morning every browser shows the red warning page. Automatic renewals fail more often than people admit, and a 90-day Let's Encrypt cert leaves a small margin for a missed renewal job. This guide covers how SSL monitoring actually works, what to alert on, and how to keep certificates from biting you.

Why SSL outages keep happening in the age of auto-renewal

Automatic renewal has not solved SSL expiry. It has only changed where the failure happens. The certbot or acme.sh job runs, but the new certificate never gets loaded by nginx because the reload step was disabled. The Kubernetes ingress renews, but the secret never gets propagated to a pod that is still serving the old cert. A multi-domain SAN cert renews, but one of the hostnames was removed from the request and is now serving an expired alternate.

External monitoring catches all of these because it does not trust your internal state. It sees what a real browser sees: the certificate served at the public hostname, on the public port, presented in the live TLS handshake. If the right cert is not being served, the monitor knows, regardless of what your cron logs say.

What an SSL monitor actually checks

A well-built SSL monitor does six things on every probe. Most tools surface a handful of these as alerts, and bury the rest.

  • Days until expiry, the headline metric, surfaced with a configurable warning window.
  • Hostname match, so a cert valid for example.com but served on api.example.com fires immediately.
  • Certificate chain validation, catching missing intermediates that work in some browsers but fail on mobile.
  • Self-signed and untrusted issuer detection for staging environments that accidentally get a real cert.
  • TLS version, so deprecated protocols (TLS 1.0, TLS 1.1) get flagged before browsers drop them entirely.
  • Subject alternative name list, useful for SAN certs that silently lose a hostname during renewal.

How to set warning windows that actually work

A 7-day warning window is too short. A 90-day window produces alert fatigue. The numbers that work in practice are 30 days for the first warning and 7 days for an escalation.

30 days is enough time to discover that your renewal job has been silently failing for weeks, debug the underlying issue, and get a fresh cert deployed without panic. 7 days is the point at which your on-call should be paged regardless of the time of day. If you only get one warning, the late one is more useful, because the early one tends to get acknowledged and forgotten.

Common operational habits that prevent SSL outages

Three habits, in priority order, will keep SSL out of your incident reports.

  • Monitor every public hostname individually. The wildcard cert is not a substitute for monitoring each subdomain that uses it, because anything serving the wrong cert (a misconfigured proxy, a stale CDN cache) will not show up in a wildcard check.
  • Test the renewal path on a schedule. A monthly dry-run that runs renewal in staging is much cheaper than discovering at 90 days that the renewal job has bit-rotted.
  • Wire SSL alerts to the same channel as deployment notifications. SSL bugs almost always trace back to a deploy that changed the cert path, the reload command, or the secret name.

When automation is not enough

Three situations need a human in the loop and no amount of automation removes them.

First, a domain transfer or registrar change. The renewal job authenticates with the old registrar, which silently fails, and the cert lapses. Second, a CDN provider change. The new CDN serves a default cert until you upload yours. Third, multi-region setups where the renewal job runs in one region but the cert needs to be deployed to all of them. SSL monitoring catches all three at the symptom layer (wrong cert served) before the customer does.

Putting it together

Add one SSL monitor for every public hostname you own. Set the warning at 30 days. Route the alert to the same channel where your deploy notifications land. Add a 7-day escalation that pages on-call. Run a renewal dry-run monthly. With those four things in place, SSL stops being a recurring incident type.

Try MonitorAH free

Three monitors, alerts in under a minute, no credit card. Cover one website and one cron job in the time it takes to read this paragraph.

Start monitoring

Related articles

A wall of analog clocks at slightly different times in a modern office.
Monitor types · 8 min read

Cron Job Monitoring with Heartbeats: a Practical Tutorial

How heartbeat monitoring catches the cron jobs that fail silently, with concrete examples in bash, Python, and Node.

A code editor showing API request and response in a dark theme.
Monitor types · 8 min read

How to Monitor a REST API for Uptime and Response Time

What to check in a REST API monitor, the right thresholds, and how to catch the silent failures that ping checks miss.

A world map with glowing lines connecting cities representing global network routes.
Monitor types · 7 min read

How to Monitor DNS Propagation After a Registrar Change

How to monitor DNS records during a migration, what to check, and how to catch the silent partial-propagation failures.