How to Set Up SSL Certificate Monitoring
Monitor SSL expiry, detect unexpected certificate changes, and get alerted before your site shows security warnings to visitors.
An expired SSL certificate shows a red "Your connection is not private" warning to every visitor. A certificate that's been unexpectedly replaced might indicate a man-in-the-middle attack or misconfiguration. This guide walks through setting up monitoring for both.
How SSL Monitoring Works
ElasticDomain establishes a real TLS connection to your domain on port 443, the same way a browser does. It negotiates the handshake and reads the server's certificate directly. No external APIs or third-party services are involved.
From that connection it extracts:
- Subject (Common Name and Organization)
- Issuer (Certificate Authority name and organization)
- Valid from / valid to dates
- Days until expiry
- Subject Alternative Names (SANs) - all domains covered by the certificate
- Key size (e.g. RSA 2048 or ECDSA P-256)
- Signature algorithm (e.g. SHA-256)
- TLS protocol version negotiated (TLS 1.2 or 1.3)
- Cipher suite used
- Certificate chain validity
- HTTPS enforcement - whether HTTP redirects to HTTPS
- HSTS - whether the Strict-Transport-Security header is present
Setting Up SSL Expiry Alerts
The Two-Alert Approach
Set up two alerts per domain:
Alert 1 - Early warning (30 days):
- Domain detail → Alerts → Create Alert Rule
- Trigger: SSL Expiring Soon
- Threshold: 30 days
- Notify via: Email
- Save
Alert 2 - Critical warning (7 days):
- Repeat with threshold: 7 days
- This fires if you missed the first alert or your CA renewal automation failed
Why 7 Days Matters
Let's Encrypt certificates are normally renewed automatically by a client such as certbot, but automation can fail. certbot might not have write access, the server might be down, or DNS might have changed. A 7-day alert gives you enough time to renew manually before the certificate expires.
Setting Up Certificate Change Detection
A certificate change alert fires any time the fingerprint of the certificate changes: a new certificate issued, a different CA, or a regenerated key.
- Domain detail → Alerts → Create Alert Rule
- Trigger: SSL Certificate Changed
- Notify via: Email (and optionally Slack or Webhook for production domains)
- Save
This is particularly useful for:
- Catching unexpected certificate replacements
- Verifying that planned certificate changes happened correctly
- Detecting if a CDN or reverse proxy has swapped the certificate
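The following is an added example, not ElasticDomain's code: it reproduces the checks described above (a real TLS handshake on port 443, expiry countdown against the 30-day and 7-day thresholds, SAN coverage, and fingerprint-based change detection) with the Python standard library. The host names and sample certificate values are constructed for illustration.

```python
# Added example (not ElasticDomain's code): the page's checks, stdlib only.
import hashlib
import socket
import ssl
import time

EARLY_WARNING_DAYS = 30   # Alert 1 on this page
CRITICAL_DAYS = 7         # Alert 2 on this page

def fetch_cert(host, port=443, timeout=5.0):
    """Real TLS handshake; the default context also verifies the chain.
    Returns (parsed cert, DER bytes, TLS version, cipher suite)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True), tls.version(), tls.cipher()[0]

def fingerprint(der):
    """SHA-256 of the DER certificate; change detection compares this value."""
    return hashlib.sha256(der).hexdigest()

def expiry_epoch(cert):
    """cert['notAfter'] is in getpeercert() form, e.g. 'Jan  1 00:00:00 2030 GMT'."""
    return ssl.cert_time_to_seconds(cert["notAfter"])

def san_covers(host, cert):
    """True if an exact or single-label wildcard DNS SAN matches host."""
    host = host.lower()
    for kind, name in cert.get("subjectAltName", ()):
        name = name.lower()
        exact = name == host
        wildcard = (name.startswith("*.") and host.endswith(name[1:])
                    and host.count(".") == name.count("."))
        if kind == "DNS" and (exact or wildcard):
            return True
    return False

def evaluate(cert, der, hosts, known_fingerprint=None, now=None):
    """Apply the two expiry thresholds, SAN coverage, and change detection."""
    now = time.time() if now is None else now
    days = int((expiry_epoch(cert) - now) // 86400)
    alerts = [f"not covered by SANs: {h}" for h in hosts if not san_covers(h, cert)]
    if days < 0:
        alerts.append("expired")
    elif days <= CRITICAL_DAYS:
        alerts.append(f"critical: expires in {days} days")
    elif days <= EARLY_WARNING_DAYS:
        alerts.append(f"warning: expires in {days} days")
    fp = fingerprint(der)
    if known_fingerprint is not None and fp != known_fingerprint:
        alerts.append("certificate changed")
    return {"days_left": days, "fingerprint": fp, "alerts": alerts}
```

Store the fingerprint returned for a domain after each scan and pass it back as `known_fingerprint` on the next run; a mismatch is the "SSL Certificate Changed" condition.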
Understanding SSL Health Scores
The SSL component contributes to the overall domain health score as follows:
| Condition | Impact |
|---|---|
| Certificate valid, expiry > 30 days | Full score |
| Certificate valid, expiry 15-30 days | Reduced (yellow) |
| Certificate valid, expiry < 15 days | Poor (red) |
| Certificate expired | Critical - health score drops sharply |
| Certificate chain broken | Critical |
| HSTS not present | Minor deduction |
| SHA-1 signature algorithm | Minor deduction |
| Key size < 2048 bits | Moderate deduction |
Reading the SSL Tab
After a scan, the SSL tab shows all extracted data. The most important fields:
- Expiry date + days remaining - the countdown
- SANs list - confirms which domains the certificate covers. If your www subdomain is missing from the SANs, browsers will show a certificate error for it.
- Chain valid - must be true. A broken chain means intermediate certificates weren't installed correctly.
- HTTPS enforced - confirms HTTP traffic redirects to HTTPS
- HSTS - confirms the Strict-Transport-Security header is being served
Certificate Not Found
If a domain has no SSL certificate (HTTP-only), the SSL tab shows "No certificate found." The domain will score low on health. This is expected for domains intentionally served over HTTP, but is a problem for any domain with a login form or personal data.