
How Does Certificate Monitoring Work?

Certificate monitoring works by connecting to each monitored service on a schedule, retrieving the TLS/SSL certificate it presents, validating the certificate and its chain, and alerting you to any problem found or to an approaching expiration.

The Monitoring Process

When a check runs, the system establishes a connection to the monitored service using the specified protocol (HTTPS, SMTPS, LDAPS, etc.). For protocols that use STARTTLS, the system first connects to the plaintext port, then issues the STARTTLS command to upgrade the connection before the handshake. Once the TLS handshake completes, the system retrieves the certificate chain the server presents, from the server certificate through any intermediate certificates, and links it to a root CA. Servers normally omit the root itself, so the root is matched from the trust store of public CAs and any private CAs you have configured.

The retrieved certificates are then validated: the expiration date is compared against the configured alert thresholds; the chain is checked for completeness and correct linking (each certificate signed by the next); the hostname is matched against the Subject Alternative Names, with the Common Name only as a legacy fallback, since modern clients ignore the CN when a SAN extension is present; the chain is confirmed to anchor in a trusted CA (public or a configured private CA); and the cryptographic algorithms are checked for weak or deprecated methods.
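The check sequence above, written against Python's standard library as an added example (this is not Generator Labs code): connect, optionally via STARTTLS, obtain the chain-verified peer certificate, then run the validation steps and map the expiry to the threshold schedule. The threshold values, the `SAMPLE_CERT` record and the `SAMPLE_NOW` clock are constructed for illustration. One limitation is noted in the code: `getpeercert()` does not expose the certificate's signature algorithm, so the "weak algorithm" step here checks the negotiated protocol version instead.

```python
"""Added example (not Generator Labs code): the monitoring check sequence in
Python's standard library. Thresholds, SAMPLE_CERT and SAMPLE_NOW are
constructed for illustration."""
import smtplib
import socket
import ssl
import sys
import time

# Hypothetical threshold schedule, days before expiry, highest first.
THRESHOLDS = (60, 30, 15, 7)

# Constructed record shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "issuer": ((("commonName", "Example Private CA"),),),
    "notBefore": "Jan  1 00:00:00 2026 GMT",
    "notAfter": "Mar  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
}
SAMPLE_NOW = 1770681600  # constructed clock: 2026-02-10 00:00:00 UTC


def fetch(host, port, starttls=False, cafile=None, timeout=10):
    """Complete a handshake and return (peer cert dict, negotiated protocol).

    create_default_context() verifies the presented chain against the system
    trust store (plus cafile for a private CA) and checks the hostname, so an
    untrusted issuer or a name mismatch raises SSLCertVerificationError here
    instead of being silently accepted.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if starttls:  # plaintext connect first, then upgrade; SMTP shown
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        smtp.starttls(context=ctx)
        result = smtp.sock.getpeercert(), smtp.sock.version()
        smtp.quit()
        return result
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()


def days_until_expiry(cert, now_ts=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now_ts = time.time() if now_ts is None else now_ts
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) // 86400)


def crossed_threshold(days_left, thresholds=THRESHOLDS):
    """Smallest threshold already crossed, 0 once expired, None if none."""
    if days_left < 0:
        return 0
    hit = [t for t in thresholds if days_left <= t]
    return min(hit) if hit else None


def hostname_matches(cert, hostname):
    """Match against SAN dNSName entries only (no CN fallback); a wildcard
    must be the entire leftmost label and never spans a dot."""
    hostname = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == hostname:
            return True
        if pattern.startswith("*."):
            head, sep, tail = hostname.partition(".")
            if sep and head and "." + tail == pattern[1:]:
                return True
    return False


def weak_protocol(version):
    """getpeercert() does not expose the signature algorithm, so this checks
    the negotiated protocol version instead: anything below TLS 1.2 is weak."""
    return version in ("SSLv3", "TLSv1", "TLSv1.1")


def evaluate(cert, hostname, now_ts=None, protocol="TLSv1.3"):
    """Combine the checks into one result the alerting layer can act on."""
    days_left = days_until_expiry(cert, now_ts)
    return {
        "days_left": days_left,
        "threshold": crossed_threshold(days_left),
        "hostname_ok": hostname_matches(cert, hostname),
        "weak_protocol": weak_protocol(protocol),
    }


if __name__ == "__main__":  # live run: python check.py HOST [PORT] [--starttls]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 and sys.argv[2].isdigit() else 443
    cert, proto = fetch(host, port, starttls="--starttls" in sys.argv)
    print(evaluate(cert, host, protocol=proto))
```

Chain completeness and trust are delegated to `create_default_context()`, which is the same verification a browser or mail client performs; a broken or untrusted chain surfaces as an exception from `fetch()` rather than as a field in the result. The wildcard rule matters for monitoring: `*.example.test` covers `www.example.test` but not `a.b.example.test` or the bare `example.test`, and a monitor that accepted those would stay green while clients fail.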

Alert Generation

When a check detects an issue or a certificate reaches one of the configured expiration thresholds, the system generates an alert. Alerts are sent to all contacts in the contact groups associated with that monitor. The notification includes details about the issue, the affected monitor, and relevant certificate information.

Alerts continue until the issue is resolved. For expiration warnings, you'll receive alerts at each configured threshold (for example, at 60 days, 30 days, 15 days, and 7 days before expiration) to ensure adequate advance notice.

Monitoring Through Agents

When monitoring agents are configured and assigned to a profile, checks are routed through the agent instead of connecting directly from Generator Labs infrastructure. The agent receives the check request, connects to the target service from within your network, retrieves the certificates, and reports the results back to the platform. This enables monitoring of internal services while maintaining centralized alerting and reporting. See installing monitoring agents for deployment instructions.

Connection Sources

By default, monitoring checks originate from Generator Labs infrastructure over the public internet. When a monitor is defined by DNS hostname, the system performs A and AAAA record lookups and checks every returned IP address separately, so a single node behind a load balancer that is still serving an outdated certificate is caught rather than hidden by its healthy neighbours. For services on private networks, deploy monitoring agents to enable access without exposing services to the public internet.
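The per-address fan-out described above, as an added example (not Generator Labs code): resolve every A and AAAA record for a name and handshake with each backend individually, dialing the IP literal while keeping the DNS name for SNI and hostname verification. The resolver is injectable, and `FAKE_ADDRINFO` is a constructed `getaddrinfo()` answer so the resolution logic runs offline.

```python
"""Added example (not Generator Labs code): check every address a DNS name
resolves to. FAKE_ADDRINFO is a constructed resolver answer for offline use."""
import socket
import ssl

# Constructed getaddrinfo() answer: two IPv4 backends, one IPv6, one duplicate.
FAKE_ADDRINFO = [
    (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("203.0.113.10", 443)),
    (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("203.0.113.11", 443)),
    (socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:db8::10", 443, 0, 0)),
    (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("203.0.113.10", 443)),
]


def fake_getaddrinfo(host, port, *args, **kwargs):
    """Stand-in for socket.getaddrinfo that returns the constructed answer."""
    return FAKE_ADDRINFO


def resolve_all(hostname, port=443, getaddrinfo=socket.getaddrinfo):
    """Deduplicated IPv4 and IPv6 addresses for hostname, in answer order."""
    addrs = []
    for family, _t, _p, _c, sockaddr in getaddrinfo(hostname, port,
                                                    type=socket.SOCK_STREAM):
        if family in (socket.AF_INET, socket.AF_INET6) and sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs


def check_address(hostname, ip, port=443, cafile=None, timeout=10):
    """Handshake with one backend. server_hostname=hostname sends SNI for the
    DNS name (a shared front end then serves the right certificate) and makes
    the default context verify that name, not the IP literal we dialed."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                return {"ip": ip, "ok": True, "serial": cert.get("serialNumber"),
                        "notAfter": cert.get("notAfter")}
    except (ssl.SSLError, OSError) as exc:  # verification failure or unreachable
        return {"ip": ip, "ok": False, "error": str(exc)}


def check_all(hostname, port=443, cafile=None, getaddrinfo=socket.getaddrinfo):
    """One result per resolved backend."""
    return [check_address(hostname, ip, port, cafile)
            for ip in resolve_all(hostname, port, getaddrinfo)]


def inconsistent_backends(results):
    """True when healthy backends serve different certificates, which is how a
    node that missed a rotation behind a load balancer shows up."""
    serials = {r["serial"] for r in results if r["ok"]}
    return len(serials) > 1


if __name__ == "__main__":  # live run: python fanout.py HOST
    import sys
    results = check_all(sys.argv[1])
    for r in results:
        print(r)
    print("inconsistent:", inconsistent_backends(results))
```

A failed verification on one address is recorded as a result for that address rather than aborting the whole check, so the report shows exactly which backend is wrong; comparing serial numbers across the healthy results then catches the quieter case where every node verifies but one is still on the old certificate.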