Skip to main content

Adjusting Certificate Monitoring Alert Settings

Notification settings in monitoring profiles control which types of certificate issues generate alerts. This allows you to focus on the errors that matter most to your environment and reduce alert fatigue from expected conditions.

Notification Options

Navigate to Certificate Monitoring ➡️ Manage ➡️ Profiles and edit a profile to access the Notification Settings section. Each setting can be independently enabled or disabled:

Alert when we reach your defined expiration thresholds triggers notifications based on the day values configured in the profile. This is typically the most important alert type and should remain enabled unless you have alternative expiration monitoring. See adjusting alert thresholds for threshold configuration.

Alert on name verification failures notifies you when the certificate's Common Name or Subject Alternative Names don't match the hostname being monitored. Disable this for services where hostname mismatches are expected, such as development environments or when monitoring by IP address.

Alert on CA verification failures triggers when the certificate chain cannot be validated or uses an untrusted Certificate Authority. Disable this when monitoring services with known self-signed certificates or when using private CAs that aren't configured in the profile's Private CA settings.

Alert on integrity / configuration failures covers various certificate and server configuration issues including incomplete certificate chains, missing intermediate certificates, or improper certificate installation. Keep enabled for production services.

Alert on connection failures notifies you when the system cannot establish a connection to the monitored service. This might indicate network issues, firewall rules, or service downtime. Disable for intermittently available services or maintenance windows.

Alert on missing / misconfigured DNS CAA records triggers when DNS CAA records are absent or improperly configured. CAA records specify which Certificate Authorities can issue certificates for your domain. Disable for internal services or when CAA records aren't applicable to your infrastructure.

Alert on certificate changes notifies you when the SHA-256 fingerprint of the leaf certificate differs from the previously recorded fingerprint. This detects unexpected certificate replacements outside of normal renewal cycles.

Alert when certificate flapping is detected triggers once when three or more fingerprint changes are observed within a rolling one-hour window. This typically indicates that different CDN or load-balancer nodes are serving different certificates — a misconfiguration that causes repeated spurious change alerts and can mask expiry issues. A second notification is sent automatically when the fingerprint becomes stable again for a full hour. Disable this if you intentionally run nodes with different certificates.

Customizing for Different Environments

Production profiles typically enable all alert types to catch any potential issues. Staging or development profiles might disable name verification and CA verification alerts if using self-signed certificates or non-standard hostnames. Internal service profiles might disable DNS CAA alerts for services not exposed to the public internet.

Profile changes immediately apply to all monitors using that profile. Consider creating separate profiles for different service tiers or environments rather than frequently modifying notification settings on production profiles. See best practices for profile strategy recommendations.