SSL Certificate Monitoring: The Complete Guide
What SSL monitoring checks, what each field means, how to interpret certificate chain errors, and best practices for keeping HTTPS healthy.
An SSL (strictly, TLS) certificate does two things: it proves to the visitor's browser that your server is the legitimate holder of that domain, and it lets the browser and server set up an encrypted session. The certificate itself does not encrypt anything; the TLS handshake it authenticates does. When a certificate expires or is misconfigured, browsers show a full-page security warning that drives visitors away, and API clients, cron jobs and other automated systems fail TLS verification and stop working.
What SSL Certificate Monitoring Checks
ElasticDomain makes a direct TLS connection to your domain on port 443 and reads the certificate the server presents. This is exactly what a browser does. It captures:
Core Certificate Data
- Subject CN - the primary domain name the certificate was issued for (modern browsers ignore the CN when matching the hostname and rely on the SANs below)
- Subject Alternative Names (SANs) - all additional domains covered (e.g. a wildcard *.example.com covers all subdomains)
- Issuer - the Certificate Authority (Let's Encrypt, DigiCert, Sectigo, ZeroSSL, etc.)
- Valid from / Valid to - the certificate's validity window
- Days until expiry - calculated at scan time
- Serial number - unique identifier for this certificate
- SHA-256 fingerprint - cryptographic hash; change detection uses this
Cryptographic Details
- Key algorithm - RSA or ECDSA
- Key size - RSA 2048 or 4096 bits; ECDSA P-256 or P-384 (public CAs no longer issue RSA keys shorter than 2048 bits)
- Signature algorithm - SHA-256 with RSA or ECDSA (good); SHA-1 (browsers have rejected SHA-1-signed certificates since 2017)
Connection Details
- TLS protocol version - TLS 1.2 or TLS 1.3 (TLS 1.0 and 1.1 were formally deprecated by RFC 8996 and modern browsers refuse them)
- Cipher suite - the key exchange, authentication and bulk encryption algorithms negotiated for this connection
- Certificate chain validity - whether the full chain from leaf to root CA is trusted
HTTPS Configuration
- HTTPS enforcement - whether HTTP requests redirect to HTTPS
- HSTS - whether the Strict-Transport-Security header is present
- HSTS preload - whether the domain is in the browser preload list
Certificate Expiry: The Numbers That Matter
| Days Until Expiry | Status | Action |
|---|---|---|
| > 60 days | Healthy | No action needed |
| 30-60 days | Warning | Plan renewal soon |
| 7-30 days | Urgent | Renew now |
| < 7 days | Critical | Renew immediately |
| 0 (expired) | Broken | Visitors see security errors |
Let's Encrypt certificates are valid for 90 days. Certbot attempts renewal once fewer than 30 days remain, and its timer runs twice a day. If Certbot fails silently (broken cron or systemd timer, permissions issue, DNS or HTTP challenge failure), the certificate keeps counting down through those last 30 days, which is exactly why an expiry alert around the 30-day mark is essential. Set the threshold a little below Certbot's renewal point (for example 25 days) so the alert fires only when an automated renewal has actually been missed, not in the hours before it would have run.
Certificate Chain Validation
An SSL certificate isn't just one file - it's a chain:
- Leaf certificate - the one issued for your domain
- Intermediate certificate(s) - issued by the root CA to the intermediate CA
- Root certificate - the trusted root, built into browsers
If your server only sends the leaf certificate (a common misconfiguration), any client that does not already have the intermediate cached, or cannot fetch it from the AIA URL in the leaf, rejects the connection because it cannot build a path to a trusted root. Desktop browsers often paper over the gap, so the site looks fine in Chrome while curl, Python, Java, mobile apps and monitoring agents fail. ElasticDomain validates the full chain and flags chain errors separately from expiry issues.
A chain error in the scan results means the server isn't sending the intermediate certificate(s). Fix it at the server configuration level by serving the full chain (for Let's Encrypt, fullchain.pem rather than cert.pem) in the Nginx ssl_certificate or Apache 2.4.8+ SSLCertificateFile directive, then confirm with openssl s_client -showcerts that the intermediate now appears in the handshake.
Subject Alternative Names (SANs)
A certificate can cover multiple domains via SANs. Common patterns:
- example.com and www.example.com in the same certificate
- Wildcard: *.example.com covers all direct subdomains (www.example.com, api.example.com) but neither sub-subdomains (a.b.example.com) nor the bare example.com, which needs its own SAN entry
- Multi-domain (SAN) certificate: example.com, example.org, example.net
The SANs list in the SSL tab shows every domain covered. If a domain you serve is missing from the SANs, visitors accessing that domain get a certificate mismatch error.
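The monitoring logic the three sections above describe (the expiry thresholds from the table, chain errors reported separately from expiry, and SAN coverage including the one-label wildcard rule), as an added example using only Python's standard library. This is illustrative code, not ElasticDomain's own scanner: fetch_peer_cert performs the same verifying handshake a browser does, while SAMPLE_CERT is a constructed dictionary in the shape ssl's getpeercert() returns (not a real certificate) so the evaluation can run offline.

```python
import socket
import ssl
from datetime import datetime, timezone


def expiry_status(days_left):
    """Map days until expiry onto the guide's status levels."""
    if days_left <= 0:
        return "broken"      # already expired: visitors see security errors
    if days_left > 60:
        return "healthy"
    if days_left >= 30:
        return "warning"
    if days_left >= 7:
        return "urgent"
    return "critical"


def days_until_expiry(not_after, now=None):
    """not_after is the 'notAfter' string from getpeercert(), e.g. 'Jan  1 00:00:00 2030 GMT'."""
    now = now or datetime.now(timezone.utc)
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).total_seconds() / 86400


def san_covers(hostname, sans):
    """True if hostname is covered by one of the DNS SANs. A wildcard matches exactly
    one label: *.example.com covers www.example.com but neither example.com nor
    a.b.example.com (RFC 6125 section 6.4.3)."""
    host = hostname.lower().rstrip(".")
    for name in sans:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                       # ".example.com"
            if (host.endswith(suffix) and len(host) > len(suffix)
                    and host.count(".") == name.count(".")):
                return True
        elif host == name:
            return True
    return False


def dns_sans(cert):
    """Extract DNS names from the subjectAltName tuples getpeercert() produces."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def classify_verify_error(message):
    """Split OpenSSL verification failures into the categories a monitor should alert
    on separately. Matching on the text keeps this independent of OpenSSL error codes."""
    m = message.lower()
    if "certificate has expired" in m:
        return "expired"          # the leaf, or an intermediate (depth > 0) has expired
    if "unable to get local issuer certificate" in m or "unable to get issuer certificate" in m:
        return "chain"            # server did not send the intermediate(s)
    if "self signed" in m or "self-signed" in m:
        return "untrusted"        # chain ends in a root no trust store knows
    if "hostname mismatch" in m:
        return "name_mismatch"    # hostname is not in the SANs
    return "other"


def evaluate_cert(cert, hostname, now=None):
    """Evaluate an already-fetched certificate dict against the guide's rules."""
    days_left = days_until_expiry(cert["notAfter"], now)
    sans = dns_sans(cert)
    return {
        "days_left": round(days_left, 1),
        "status": expiry_status(days_left),
        "sans": sans,
        "san_ok": san_covers(hostname, sans),
    }


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live check: a verifying TLS handshake with SNI, as a browser performs it.
    Raises ssl.SSLCertVerificationError when the chain, name or validity fails."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()


def check_domain(host, now=None):
    """One monitoring pass: the findings a scan would record for host."""
    try:
        cert, version = fetch_peer_cert(host)
    except ssl.SSLCertVerificationError as err:
        return {"host": host, "ok": False, "problem": classify_verify_error(str(err))}
    result = evaluate_cert(cert, host, now)
    result.update(host=host, tls_version=version,
                  ok=result["san_ok"] and result["status"] != "broken")
    return result


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "notBefore": "Oct  3 00:00:00 2029 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "serialNumber": "04A1B2C3",
}

if __name__ == "__main__":
    scan_time = datetime(2029, 12, 20, tzinfo=timezone.utc)
    print(evaluate_cert(SAMPLE_CERT, "www.example.com", scan_time))
    print(classify_verify_error("certificate verify failed: unable to get local issuer certificate"))
```

Run check_domain("example.com") against a real host to see the live path; the offline path shows the scan 12 days before SAMPLE_CERT expires landing in the "urgent" band, and a.b.example.com failing SAN coverage even though the wildcard is present.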
Certificate Change Detection
The SHA-256 fingerprint uniquely identifies a certificate, so a changed fingerprint means a new certificate has been issued, or a different one is now being served. Expect this on every renewal, which for a 90-day Let's Encrypt certificate means roughly every 60 days; it is unexpected when it happens outside that cadence, or when the issuer or public key changes along with it:
- CDN or reverse proxy swapped the certificate (check your Cloudflare/Nginx config)
- Certificate revoked and reissued by the CA
- Unauthorized certificate issued for your domain (rare; Certificate Transparency logs are where to check whether a certificate you never requested exists)
Set up an SSL Certificate Changed alert on any domain where you want to know about certificate replacements.
HSTS: Why It Matters
HSTS (HTTP Strict Transport Security) tells browsers: "This domain is always HTTPS. Never connect over HTTP, even if the user types http://."
Without HSTS, a user who types example.com gets an http:// request first and is then redirected to HTTPS, and that first plaintext request can be intercepted or downgraded by anyone on the path (an SSL-stripping attack). With HSTS, a browser that has seen the header within its max-age rewrites the URL to https:// internally and never sends the HTTP request at all. The very first visit is still unprotected, which is what the preload list fixes: browsers ship with the domain already marked HTTPS-only.
An HSTS header looks like:
Strict-Transport-Security: max-age=31536000; includeSubDomains
ElasticDomain checks for HSTS presence and reports the max-age value. A max-age below one year (31536000 seconds) is worth treating as a warning: the preload list requires at least that, and short values let the protection lapse between visits.
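An added example (not ElasticDomain's code) that parses the header as RFC 6797 defines it, reports the findings a monitor would raise for it, and models the browser-side HSTS store the previous paragraphs describe: a host is upgraded to https:// only while a policy seen within max-age is in force, includeSubDomains extends the upgrade to subdomains, and max-age=0 clears the policy. The one-year minimum and the findings text are this example's assumptions, based on the preload list's published submission requirements.

```python
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; the minimum max-age the preload list accepts (assumption)


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797). Directive names are
    case-insensitive; max-age is required, the other two are bare flags."""
    directives = {}
    for token in header_value.split(";"):
        name, _, value = token.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    try:
        max_age = int(directives["max-age"])
    except (KeyError, ValueError):
        max_age = None  # missing or unparseable: browsers ignore the whole header
    return {
        "max_age": max_age,
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def hsts_findings(header_value):
    """Findings a monitor would report for one observed header (None = header absent)."""
    if header_value is None:
        return ["HSTS header missing: every first http:// visit can be intercepted"]
    policy = parse_hsts(header_value)
    findings = []
    if policy["max_age"] is None:
        findings.append("max-age missing or invalid: browsers ignore the header")
    elif policy["max_age"] == 0:
        findings.append("max-age=0 clears the policy; HTTPS is no longer enforced")
    elif policy["max_age"] < ONE_YEAR:
        findings.append(f"max-age {policy['max_age']} is below the one-year preload minimum")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains stay reachable over http://")
    if not policy["preload"]:
        findings.append("preload directive absent: domain cannot be submitted to the preload list")
    return findings or ["preload-eligible (also requires an HTTP-to-HTTPS redirect on the apex)"]


class HstsCache:
    """A minimal model of the browser's HSTS store: which hosts get upgraded, and until when."""

    def __init__(self):
        self._policies = {}  # host -> (expires_at, include_subdomains), times in seconds

    def observe(self, host, header_value, seen_at):
        """Record (or clear, for max-age=0) the policy a host just sent over HTTPS."""
        policy = parse_hsts(header_value)
        if policy["max_age"] is None:
            return
        if policy["max_age"] == 0:
            self._policies.pop(host, None)
            return
        self._policies[host] = (seen_at + policy["max_age"], policy["include_subdomains"])

    def upgrade(self, url, now):
        """Return the https:// form if a live policy covers the URL's host, else the URL unchanged."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        host = parts.hostname
        labels = host.split(".")
        # Walk from the exact host up to each parent domain, as a browser does.
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._policies.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now >= expires_at:
                continue  # policy aged out: the next visit is a plain HTTP request again
            if candidate == host or include_subdomains:
                return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    print(hsts_findings("max-age=31536000; includeSubDomains"))
    cache = HstsCache()
    cache.observe("example.com", "max-age=3600; includeSubDomains", seen_at=1000)
    print(cache.upgrade("http://www.example.com/login", now=1500))
```

The header shown above parses as max-age 31536000 with includeSubDomains but no preload directive, so the example reports it as not yet preload-eligible; the cache walk shows why includeSubDomains matters, since www.example.com is upgraded only because the apex policy carries it.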