
SSL Certificate Monitoring: How to Never Let a Certificate Expire

Martin

An expired SSL certificate does not degrade your service. It takes it offline completely.

Every major browser - Chrome, Safari, Firefox, Edge - blocks access to sites with an expired certificate and displays a full-screen security warning. Users cannot click through it. Search engines de-index pages served over broken HTTPS. API clients receive SSL handshake errors and stop working entirely. The outage is immediate and total the moment the clock ticks past the expiry timestamp.

The frustrating part: certificate expiry is entirely preventable. The expiry date is known months in advance. The only reason certificates expire in production is that nobody was watching.


What happens when an SSL certificate expires

When a browser connects to your site, it checks the certificate before rendering a single byte of content. It verifies that the certificate is issued by a trusted authority, that it covers the domain being accessed, and that the current date falls within the certificate's validity window. If any of these checks fail, the connection is refused.

For a user, the experience is a red warning screen with language designed to communicate danger. Most users stop there. They do not look for an alternative URL. They do not contact support. They leave, and they do not come back until someone tells them the site is safe again.

For developers and API consumers, an expired certificate produces SSL handshake errors that break integrations immediately. Depending on how the client handles errors, this might surface as a connection timeout, an SSL verification error, or a generic failure that takes time to trace back to the certificate.

For search engines, HTTPS errors affect crawlability. Pages that were indexed can be temporarily removed from search results until the certificate is restored.

The average time to resolve an expired certificate in production - including detecting the issue, locating the certificate, renewing it, and deploying it - is 2 to 4 hours. That is 2 to 4 hours of a complete outage that was visible on a calendar weeks in advance.


Why certificates still expire in production

Auto-renewal covers most cases. Let's Encrypt with Certbot, AWS Certificate Manager, Cloudflare's managed certificates - these handle renewal automatically and are the right choice for any certificate they support.

But auto-renewal breaks silently. The renewal process depends on DNS configuration, server permissions, rate limits, and external services staying operational. Any of these can fail without sending an alert. The renewal job runs, fails quietly, and nobody notices until the certificate is 3 days from expiry - or already expired.

Beyond Let's Encrypt, many production environments still use paid certificates from commercial CAs, wildcard certificates, or certificates for subdomains managed separately from the main domain. These are often renewed manually on a calendar reminder that gets missed when the person who set it up leaves the team.

SSL certificate monitoring solves this by checking the expiry date continuously and alerting your team with enough lead time to renew without pressure.


How SSL certificate monitoring works

An SSL monitor connects to your domain over HTTPS and inspects the certificate returned by the server. It reads the Not After field - the expiry timestamp - and calculates how many days remain until that date.

The monitor runs on a schedule, typically once per hour or once per day for expiry checks. When the remaining validity drops below a threshold you configure, an alert fires.

A complete SSL check also validates:

Domain coverage. The certificate must be valid for the domain being accessed. A certificate issued for www.yourdomain.com does not cover api.yourdomain.com. A wildcard certificate for *.yourdomain.com covers first-level subdomains but not the apex domain yourdomain.com unless the apex is listed as an additional name on the certificate. Mismatches produce the same browser error as an expired certificate.

Certificate chain validity. A certificate is only trusted if the full chain - from your certificate up through intermediate CAs to a root CA trusted by browsers - is valid and correctly configured. Misconfigured chains produce SSL errors on some clients even when the certificate itself is valid.

Certificate authority trust. If the issuing CA is revoked or removed from browser trust stores, your certificate becomes invalid immediately regardless of its expiry date. This is rare but has happened with major CAs.
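The domain-coverage rule above, as an added example that is not part of the original post or Nodown's code: a matcher over the subjectAltName list in the format Python's ssl.getpeercert() returns, run against constructed sample certificates. The function names and the sample SAN lists are my own.

```python
def dns_names(cert):
    """DNS entries from a certificate dict in ssl.getpeercert() format.
    Browsers match against subjectAltName only, so the CN is ignored."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, hostname):
    """One SAN entry against one hostname, applying the rule from the post:
    '*.yourdomain.com' covers exactly one extra label (app.yourdomain.com),
    not the apex (yourdomain.com) and not deeper names (a.b.yourdomain.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname          # plain names must match exactly
    suffix = pattern[1:]                    # "*.yourdomain.com" -> ".yourdomain.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label

def covers(cert, hostname):
    """True if any SAN entry in `cert` is valid for `hostname`."""
    return any(name_matches(n, hostname) for n in dns_names(cert))

def missing_coverage(cert, hostnames):
    """Hostnames the certificate does not cover; what a monitor should alert on."""
    return [h for h in hostnames if not covers(cert, h)]

# Constructed samples, not real certificates.
WILDCARD_ONLY = {"subjectAltName": (("DNS", "*.yourdomain.com"),)}
WILDCARD_AND_APEX = {"subjectAltName": (("DNS", "*.yourdomain.com"),
                                        ("DNS", "yourdomain.com"))}
WWW_ONLY = {"subjectAltName": (("DNS", "www.yourdomain.com"),)}

if __name__ == "__main__":
    hosts = ["yourdomain.com", "www.yourdomain.com", "api.yourdomain.com", "a.b.yourdomain.com"]
    samples = [("wildcard only", WILDCARD_ONLY), ("wildcard + apex", WILDCARD_AND_APEX),
               ("www only", WWW_ONLY)]
    for label, cert in samples:
        print(f"{label}: not covered -> {missing_coverage(cert, hosts)}")
```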


Alert thresholds: when to notify your team

The right alert strategy is layered. A single alert 7 days before expiry leaves no room for delays if the renewal process runs into problems.

30 days before expiry. First alert. Plenty of time to renew without urgency. This is the right time to initiate renewal for any certificate that requires a manual process - ordering from a CA, generating a CSR, waiting for validation.

14 days before expiry. Second alert. If the 30-day alert was handled, this is a confirmation. If the 30-day alert was missed or the renewal stalled, 14 days is still comfortable. Escalate to a wider audience if the first alert went unacknowledged.

7 days before expiry. Urgent alert. Escalate to the on-call engineer and any relevant stakeholders. At this point, renewal should be in progress or already completed. If not, it becomes the immediate priority.

3 days or fewer. Critical. Something has gone wrong with the renewal process. Treat this as an active incident, not a reminder. Pull in whoever owns the certificate and the infrastructure it is deployed on.

Some teams also configure a post-expiry check - a monitor that fires immediately if a certificate has already expired when the check runs. This catches certificates that were missed entirely and are already causing outages.
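The expiry calculation and the layered thresholds from the last two sections, as an added example (not Nodown's code): it reads the leaf certificate's Not After field over a real TLS connection, computes remaining days, and maps them onto the 30/14/7/3 tiers plus the post-expiry case. The function names and the tier labels are my own choices.

```python
import socket
import ssl
from datetime import datetime, timezone

# Alert tiers from the post, most urgent first; the labels are my own.
THRESHOLDS = [(3, "critical"), (7, "urgent"), (14, "second"), (30, "first")]

def parse_cert_time(cert_time):
    """Parse the 'Jun 10 12:00:00 2026 GMT' format ssl.getpeercert() uses."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def days_remaining(not_after, now=None):
    """Days from `now` until Not After; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (parse_cert_time(not_after) - now).total_seconds() / 86400

def alert_level(days):
    """Map remaining validity to a tier: None if no alert is due,
    'expired' for the post-expiry check, else the first tier the value falls under."""
    if days < 0:
        return "expired"
    for limit, level in THRESHOLDS:
        if days <= limit:
            return level
    return None

def fetch_not_after(hostname, port=443, timeout=5):
    """Connect over TLS and return the leaf certificate's Not After field.
    create_default_context() verifies chain and hostname, so a broken chain or
    a name mismatch raises ssl.SSLCertVerificationError, as a browser would."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["notAfter"]

def check_host(hostname, now=None):
    """Live check of one host: returns (days_remaining, alert_level)."""
    days = days_remaining(fetch_not_after(hostname), now)
    return days, alert_level(days)

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:  # e.g. python check_ssl.py yourdomain.com
        try:
            days, level = check_host(host)
            print(f"{host}: {days:.1f} days left, alert={level}")
        except (ssl.SSLCertVerificationError, OSError) as exc:
            print(f"{host}: check failed: {exc}")
```

A verification failure is reported as its own outcome rather than a day count, since a bad chain or wrong name is an outage now, not a future one.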


Setting up SSL certificate monitoring on Nodown

Nodown includes SSL monitoring as a native check type - not an add-on, and not restricted to higher plans.

Creating an SSL monitor:

  1. Go to Monitors in your dashboard and click New Monitor.
  2. Select SSL Certificate as the monitor type.
  3. Enter your domain - yourdomain.com, api.yourdomain.com, or any subdomain you want to watch.
  4. Set your alert thresholds. Nodown sends alerts at 30, 14, and 7 days by default. You can customize these or add additional thresholds.
  5. Select your alert channels - Slack, email, PagerDuty, or any other integration you have configured.

Nodown runs the SSL check independently from your HTTP uptime checks. An SSL monitor can alert you that a certificate expires in 12 days while your uptime monitor shows the site as fully operational. These are separate signals and both matter.

What Nodown checks:

  • Days remaining until expiry, compared to your configured thresholds
  • Certificate validity for the exact domain you entered
  • Certificate chain integrity
  • Whether the certificate is already expired at check time

If you have multiple subdomains - app.yourdomain.com, api.yourdomain.com, status.yourdomain.com - create a separate SSL monitor for each. A wildcard certificate covers subdomains in bulk, but it is deployed separately on each host, and any one deployment can have a misconfigured chain or a stale copy with a different expiry date.


SSL monitoring as part of a broader monitoring setup

An expired certificate produces the same user-facing result as a server outage: the service is unreachable. It belongs in the same monitoring strategy as uptime checks, not as an afterthought.

A complete monitoring setup for any production SaaS covers:

  • HTTP uptime checks on each critical endpoint
  • SSL certificate monitoring on every domain and subdomain serving HTTPS traffic
  • Response time thresholds to catch degraded performance before it becomes a full outage
  • Domain expiry monitoring for the domain registration itself - a lapsed domain registration produces the same result as an expired certificate

Nodown's monitoring covers all of these from a single dashboard. SSL, HTTP, port, and domain checks feed into the same alert routing and status page. When something breaks, your team gets one alert with full context, not separate notifications from four different tools.

Start monitoring your SSL certificates free on Nodown


Last updated: May 2026.