
Getting Started with Certificate Monitoring

This guide walks you through setting up your first certificate monitor and understanding the results. You'll learn how to monitor a service, view certificate reports, and configure alerts.

What You'll Accomplish

By the end of this guide, you'll have:

  • Created your first certificate monitor
  • Viewed a detailed certificate report
  • Reviewed the certificate chain validation
  • Configured alert notifications

Prerequisites

You'll need an active Generator Labs account with certificate monitoring enabled. If you haven't signed up yet, visit the Certificate Monitoring pricing page to get started.

Step 1: Verify Your Contact Groups

Before creating monitors, ensure you have contact groups configured to receive alerts. Navigate to Contacts ➡️ Manage ➡️ Groups. Every new account includes a Default Contacts group with your account email address.

To add additional contacts or create new contact groups, click Add Contact or Add Contact Group. You can configure email, SMS, Slack, and other notification methods. For now, the Default Contacts group is sufficient to get started.

Step 2: Create Your First Monitor

Navigate to Certificate Monitoring ➡️ Manage ➡️ Monitors and click Add Monitor.

Configure your first monitor:

Display Name: Choose a descriptive name like "Production Web Server" or "Company Website"

Protocol: Select the appropriate protocol for your service. For a standard website, choose HTTPS. For mail servers, choose SMTPS or SMTP+STARTTLS depending on your configuration.

Hostname: Enter your domain name (e.g., www.example.com). You can also use IP addresses or specify custom ports like mail.example.com:2500. For your first monitor, use a domain you own or manage.

Profile: Leave this set to Public Profile (Default) for now. Profiles control validation rules and alert thresholds.

Contact Group(s): Ensure Default Contacts is selected so you'll receive alerts.

Tags: Optionally add tags like production or webserver to organize your monitors.

Click Add Monitor to create it.

Step 3: View Your Certificate Report

After creating the monitor, the system immediately performs an initial check. Click the Report link next to your newly created monitor to view the detailed certificate analysis.

The certificate report shows:

Connection Details: When the check was performed, what hostname was checked, and whether the connection succeeded.

Certificate Chain: A breakdown of each certificate from your server certificate through intermediate certificates to the root CA. This validates the complete trust chain.

Expiration Information: How many days remain until the certificate expires. Certificates are typically valid for 90 days (Let's Encrypt) or 1-2 years (traditional CAs).

Validation Results: Whether the hostname matches the certificate, if the certificate chain is complete, and if the certificate is signed by a trusted CA.

Look for green success indicators showing your certificate is valid. If you see warnings or errors, review the "understanding certificate reports" guide for troubleshooting steps.

Step 4: Understanding Alerts

With your monitor configured, you'll automatically receive alerts when:

  • The certificate reaches expiration thresholds (default: 60, 30, 15, 7, and 0 days before expiration)
  • The certificate becomes invalid or untrusted
  • The hostname doesn't match the certificate
  • Connection failures prevent certificate validation

Alerts are sent to all contacts in your configured contact groups. You'll receive notifications at each threshold, giving you multiple opportunities to renew certificates before they expire.
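To make the alert conditions above concrete, here is an added sketch (not Generator Labs code, and not how the service is implemented) that performs the same kind of check locally with Python's standard library and maps the result to the default thresholds listed above. The function names, status strings, and sample dates are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Default alert thresholds from Step 4, in days before expiration.
THRESHOLDS = (60, 30, 15, 7, 0)

def parse_target(target, default_port=443):
    """Split the Hostname field ('host' or 'host:port'; no IPv6 literals)."""
    host, sep, port = target.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return target, default_port

def days_remaining(not_after, now):
    """Whole days from `now` until a getpeercert() notAfter string."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days

def crossed_threshold(days_left, thresholds=THRESHOLDS):
    """Tightest threshold already reached, or None when no alert is due."""
    reached = [t for t in thresholds if days_left <= t]
    return min(reached) if reached else None

def check(target, now=None):
    """Classify one implicit-TLS endpoint (HTTPS, SMTPS); STARTTLS is not handled."""
    host, port = parse_target(target)
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()  # verifies chain and hostname against system CAs
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Untrusted chain, hostname mismatch, or an already expired certificate.
        return {"target": target, "status": "validation_error", "detail": exc.verify_message}
    except OSError as exc:
        return {"target": target, "status": "connection_failure", "detail": str(exc)}
    left = days_remaining(cert["notAfter"], now)
    hit = crossed_threshold(left)
    status = "ok" if hit is None else "expiring"
    return {"target": target, "status": status, "days_left": left, "threshold": hit}

if __name__ == "__main__":
    # Constructed sample values; no network access is needed for this part.
    now = datetime(2025, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    left = days_remaining("Mar 31 12:00:00 2025 GMT", now)
    print(left, crossed_threshold(left))
```

Calling `check("www.example.com")` against a host you manage performs the live connection; the threshold logic can be exercised offline as in the `__main__` block.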

Step 5: Monitor the Errors Page

Navigate to Certificate Monitoring ➡️ Errors to see a consolidated view of all monitors with issues. This page shows:

  • Certificates approaching expiration
  • Connection failures
  • Validation errors
  • Hostname mismatches

Check this page regularly or configure alerts to stay informed proactively.

Next Steps

Now that you have your first monitor running, consider:

Add More Monitors: Set up monitoring for all your critical services - web servers, mail servers, databases, LDAP servers, and APIs. See the "what are monitors" guide for supported protocols.

Create Custom Profiles: Define different alert thresholds for production vs staging environments, or configure private CAs for internal services.

Bulk Import: If you have many services to monitor, use CSV import or the API to create multiple monitors at once.

Deploy Monitoring Agents: For services on private networks, deploy monitoring agents to enable monitoring without exposing services to the public internet.

Review Best Practices: Check out common use cases and best practices for tips on organizing monitors, optimizing alerts, and managing certificates at scale.