Skip to main content

What Is Certificate Monitoring?

Certificate monitoring is a service that continuously checks the TLS/SSL certificates used by your servers and services to ensure they remain valid, trusted, and not approaching expiration. This proactive monitoring helps prevent service outages and security warnings caused by expired or misconfigured certificates.

New to certificate monitoring? Check out the getting started guide for a step-by-step walkthrough.

Why Certificate Monitoring Matters

TLS/SSL certificates are essential for secure communications between clients and servers. When a certificate expires, clients receive security warnings or cannot connect at all, causing service disruptions and loss of trust. Modern infrastructure often involves dozens or hundreds of certificates across web servers, mail servers, databases, APIs, and internal services — manually tracking them all is impractical. Automated monitoring provides advance warning before expiration and detects configuration issues before they cause outages.

What Gets Monitored

Certificate monitoring validates multiple aspects of your TLS/SSL configuration:

  • Certificate expiration dates with configurable alert thresholds
  • Certificate chain integrity from server certificate through intermediates to root CA
  • Hostname validation ensuring certificates match the services they protect
  • Certificate authority trust verifying certificates are signed by trusted CAs
  • Cryptographic strength checking for weak or deprecated algorithms

How It Works

You configure monitors for each service endpoint specifying the hostname, protocol, and monitoring settings. The system regularly connects to each monitored service, retrieves the certificate chain, validates all aspects of the certificates, and sends alerts to configured contact groups when issues are detected or certificates approach expiration.

Monitoring profiles control validation rules and alert thresholds, allowing different settings for production versus staging environments or public versus internal services. Private CA support enables monitoring of internal services using custom certificate authorities, while monitoring agents enable checking services on private networks not accessible from the public internet.