Larm · May 9, 2026 · monitoring, ssl, how-it-works

How to monitor SSL certificate expiry

An expired SSL certificate takes your site offline instantly. No warning page, no graceful degradation. Browsers just refuse to connect. Here's how to make sure that doesn't happen to you.

When an SSL certificate expires, your site doesn't just show a warning. Modern browsers refuse to load the page entirely. Chrome shows "Your connection is not private" with no easy way for visitors to proceed. Safari and Firefox behave the same way. Your site is effectively offline.

The frustrating part is that this is entirely preventable. Certificates don't expire without warning. They have a known expiry date from the day they're issued. The problem is that nobody is watching that date.

Why certificates expire unexpectedly

Most certificates these days are issued by Let's Encrypt with a 90-day validity period. The short lifetime is intentional. It encourages automation and limits the damage if a private key is compromised. In theory, your server or hosting provider renews the certificate automatically, and you never think about it.

In practice, auto-renewal fails more often than you'd expect.

DNS changes. You moved your domain to a new DNS provider but the ACME challenge still points to the old one. Renewal fails silently.

Server misconfiguration. You updated your web server config, or switched from Nginx to Caddy, or changed your reverse proxy setup. The renewal hook that worked before doesn't work anymore.

Provider issues. Your hosting platform handles SSL for you, until it doesn't. An API change, a rate limit, a billing issue on their end.

Wildcard certificates. These require DNS-01 challenges instead of HTTP-01. If your DNS API token expires or your automation breaks, the wildcard cert doesn't renew.

Multiple domains. You have certificates for your main site, your API, your staging environment, your status page. One of them falls through the cracks.

The common thread is that auto-renewal works perfectly until something in the environment changes. And when it breaks, it breaks silently. There's no error page. The certificate just quietly approaches its expiry date, and one day your site stops working.

What to actually monitor

There are two things worth checking:

Days until expiry. The straightforward one. Check the certificate's notAfter date and alert when it's getting close. 30 days is a good first warning. 14 days means something is wrong with auto-renewal. 7 days is urgent.

Certificate chain validity. A certificate can be unexpired but still broken. An intermediate certificate might be missing, or the chain might be incomplete. Some browsers handle this gracefully by fetching the missing intermediate. Others don't. Mobile browsers are particularly inconsistent here.

You also want to check from outside your infrastructure. Checking from inside your network might hit a different certificate, or bypass the CDN, or skip the load balancer that terminates TLS. The certificate your monitoring sees should be the same one your users see.
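
The checks described above, as an added Python example that is not Larm's code: it connects with full chain and hostname verification, reads the certificate's notAfter date, and maps the days remaining to the 30/14/7 thresholds. The function names, the level names and the example.com default are assumptions made for this example; run it from a machine outside your own network so it sees the certificate your users see.

```python
import socket
import ssl
from datetime import datetime, timezone

# Thresholds from the article: 30 days is the first warning,
# 14 means auto-renewal is broken, 7 is urgent. Level names are assumed.
THRESHOLDS = [(7, "urgent"), (14, "renewal-broken"), (30, "warning")]


def days_until_expiry(not_after, now):
    """Whole days between `now` (aware datetime) and a notAfter string in
    the format getpeercert() returns, e.g. 'Jun  1 12:00:00 2026 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days


def classify(days):
    """Map days remaining to an alert level using the thresholds above."""
    if days < 0:
        return "expired"
    for limit, level in THRESHOLDS:
        if days <= limit:
            return level
    return "ok"


def check_host(host, port=443, timeout=10):
    """Connect the way a strict client would and return (level, detail)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Expired certificates and incomplete chains both land here: OpenSSL
        # does not fetch a missing intermediate the way some browsers do.
        return "invalid", exc.verify_message
    except OSError as exc:
        return "unreachable", str(exc)
    days = days_until_expiry(cert["notAfter"], datetime.now(timezone.utc))
    return classify(days), f"{days} days left (notAfter {cert['notAfter']})"


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:] or ["example.com"]:  # placeholder default host
        print(name, *check_host(name))
```

Run it on a schedule with your hostnames as arguments and alert on any level other than "ok".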

Setting this up

If you're using Larm, SSL monitoring is built into every HTTP monitor. Whenever Larm checks your endpoint over HTTPS, it inspects the certificate chain and records the expiry date, issuer, TLS version, and cipher suite.

You don't need to create a separate SSL monitor. If you have an HTTP monitor for https://yoursite.com, you're already monitoring the certificate. Larm will alert you at 30, 14, and 7 days before expiry through whatever alert channels you've configured.

If you want to check a certificate right now without signing up, the free SSL checker will show you the full certificate details from a global probe location.

A note on certificate transparency logs

Certificate Transparency (CT) logs are a public record of every certificate issued by a trusted CA. Tools like crt.sh let you search them. This is useful for finding unexpected certificates issued for your domain, which could indicate a compromised CA or a misconfigured service issuing certs you didn't ask for.

But CT logs don't help with expiry monitoring. They tell you when a certificate was issued, not when it's about to expire. And they definitely don't tell you whether the certificate is correctly installed and serving traffic. That requires actually connecting to your server and checking.

SSL certificate monitoring is one of those things that feels unnecessary until the moment it isn't. If you want it as part of your regular uptime checks, Larm includes it on every HTTP monitor, on every plan including the free tier.
