SSL Certificate Monitoring: Tools and Setup Guide

SSL monitoring goes beyond checking expiry dates. A complete monitoring setup watches for: expiring certificates, configuration changes, unauthorized certificate issuance, and downtime caused by SSL errors.

With certificate validity dropping to 47 days by 2029, proactive monitoring becomes essential — a missed renewal takes your site offline.

What to monitor

| What | Why | How often |
|---|---|---|
| Certificate expiry | Expired cert = site down | Daily |
| Certificate chain | Incomplete chain = some devices fail | Weekly |
| TLS version | Old TLS versions get disabled by browsers | Monthly |
| CT logs | Detect unauthorized certificates for your domain | Continuous |
| OCSP stapling | Stapling failure degrades performance | Weekly |
| HSTS header | Missing HSTS = vulnerable to downgrade | Monthly |

Free monitoring options

1. Cron script (self-hosted)

#!/bin/bash
# /usr/local/bin/ssl-monitor.sh
# Emails a warning when a certificate is unreachable or close to expiry.
DOMAINS="example.com www.example.com api.example.com"
WARN_DAYS=30
ALERT_EMAIL="admin@example.com"

for domain in $DOMAINS; do
  # Fetch the served certificate and extract its notAfter date
  expiry=$(echo | openssl s_client -connect "$domain":443 -servername "$domain" 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)

  if [ -z "$expiry" ]; then
    echo "ERROR: Can't connect to $domain:443" | mail -s "SSL Monitor: $domain unreachable" "$ALERT_EMAIL"
    continue
  fi

  # date -d is GNU date syntax; alert instead of computing a bogus value if parsing fails
  if ! expiry_epoch=$(date -d "$expiry" +%s 2>/dev/null); then
    echo "ERROR: Can't parse expiry date '$expiry' for $domain" | mail -s "SSL Monitor: $domain date error" "$ALERT_EMAIL"
    continue
  fi
  now_epoch=$(date +%s)
  days_left=$(( (expiry_epoch - now_epoch) / 86400 ))

  if [ "$days_left" -lt "$WARN_DAYS" ]; then
    echo "$domain certificate expires in $days_left days ($expiry)" | mail -s "SSL Expiry Warning: $domain" "$ALERT_EMAIL"
  fi
done

# Add to crontab: run daily at 9am
0 9 * * * /usr/local/bin/ssl-monitor.sh

2. UptimeRobot (SaaS — free tier)

  1. Sign up at UptimeRobot
  2. Add a monitor → Type: HTTPS
  3. Enter your domain URL
  4. Set SSL expiry alert: 30 days before expiry
  5. Configure alerts: email, Slack, webhook

UptimeRobot checks every 5 minutes and alerts on both downtime and certificate expiry.

3. Certificate Transparency monitoring

Monitor CT logs for unauthorized certificates issued for your domain:

| Service | How | Cost |
|---|---|---|
| Cert Spotter (SSLMate) | Email alerts on new certificates | Free tier |
| crt.sh | Manual search | Free |
| Facebook CT Monitor | Facebook’s monitoring tool | Free |

| Tool | Features | Price |
|---|---|---|
| Better Uptime | SSL + uptime + incidents | Free tier / $20+/mo |
| Datadog | Full infrastructure monitoring with SSL checks | $15+/host/mo |
| Pingdom | SSL + uptime + performance | $10+/mo |
| StatusCake | SSL monitoring + alerts | Free tier / $20+/mo |

Full monitoring config example

For a production site, combine multiple layers:

Layer 1: Certbot auto-renewal (prevents expiry)
Layer 2: Cron script (catches renewal failures — daily email)
Layer 3: UptimeRobot (catches SSL errors — 5-min checks)
Layer 4: CT monitoring (catches unauthorized certs — continuous)

This gives you defense in depth — no single failure point.

Monitoring with GetHTTPS

GetHTTPS doesn’t include built-in monitoring (it’s a certificate issuance tool). But your workflow should be:

  1. Issue certificate with GetHTTPS
  2. Set up renewal reminders — calendar alert at day 60 of 90
  3. Add SSL monitoring — cron script or SaaS tool as backup
  4. Consider Certbot for auto-renewal on production

Frequently asked questions

What’s the minimum monitoring I should have?

At minimum: a calendar reminder for certificate renewal (day 60 of 90) AND an automated check (cron script or UptimeRobot). The calendar catches normal renewals; the automated check catches failures.

How do I monitor multiple domains?

The cron script above handles multiple domains in a loop. SaaS tools like UptimeRobot let you add multiple monitors — one per domain.

Should I monitor staging/development certificates too?

Yes, if they’re Let’s Encrypt certificates that expire. An expired staging certificate blocks QA and development. At minimum, set a calendar reminder.

What about monitoring the certificate chain, not just expiry?

SSL Labs API provides automated chain verification. For a quick manual check:

echo | openssl s_client -connect example.com:443 2>/dev/null | grep "Verify return code"

Add this to your cron script for chain monitoring.
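
One way to fold that check into the cron script, as an added example that is not part of the original guide: it classifies `openssl s_client -status` output for chain verification and OCSP stapling so the job alerts only when something is wrong. The function names and the sample report are constructed for illustration.

```shell
#!/bin/bash
# Added example: classify `openssl s_client -status` output for the cron script.
# Function names are illustrative; the sample report below is constructed.

# Print "<code> <reason>" from the first "Verify return code" line
# (s_client can print the line more than once per connection).
verify_result() {
  printf '%s\n' "$1" |
    sed -n 's/.*Verify return code: \([0-9][0-9]*\) (\(.*\)).*/\1 \2/p' | head -n 1
}

# Print stapled / missing / unknown depending on what -status reported.
stapling_result() {
  case "$1" in
    *"OCSP Response Status: successful"*) echo stapled ;;
    *"OCSP response: no response sent"*)  echo missing ;;
    *) echo unknown ;;   # -status was not passed, or the handshake failed
  esac
}

# Print one alert line per problem; return 0 only when nothing needs attention.
check_report() {
  local domain="$1" report="$2" result code problems=0
  result=$(verify_result "$report")
  code=${result%% *}
  if [ -z "$result" ]; then
    echo "$domain: no verify result (connection failed?)"; problems=1
  elif [ "$code" -ne 0 ]; then
    echo "$domain: chain verification failed: ${result#* }"; problems=1
  fi
  if [ "$(stapling_result "$report")" = missing ]; then
    echo "$domain: OCSP stapling not served"; problems=1
  fi
  return "$problems"
}

# Constructed sample: leaf certificate served without its intermediate.
SAMPLE_BROKEN='OCSP response: no response sent
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Verify return code: 21 (unable to verify the first certificate)'

# Live use inside the cron loop:
#   report=$(echo | openssl s_client -connect "$domain":443 -servername "$domain" -status 2>/dev/null)
#   alerts=$(check_report "$domain" "$report") || echo "$alerts" | mail -s "SSL Monitor: $domain" "$ALERT_EMAIL"
check_report example.com "$SAMPLE_BROKEN" || true
```

The verify result reflects the trust store on the machine running the check, so run it from a host whose CA bundle is kept current.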
