Understanding SSL Certificate Monitoring: Why It Matters

An expired SSL certificate turns your professional website into a browser security warning. Visitors see a full-page alert telling them your site is not secure, and most leave immediately. Worse, API integrations that validate certificates will fail silently, breaking automated workflows without any user-visible error.

SSL certificate expiration is one of the most common causes of preventable outages, and it is entirely avoidable with proper monitoring.

How SSL Certificates Work (Brief Refresher)

SSL/TLS certificates establish encrypted connections between clients and servers. When a browser connects to your site:

1. Your server presents its certificate
2. The browser verifies the certificate chain (your cert, intermediate CA, root CA)
3. The browser checks the expiration date
4. The browser validates the domain matches
5. If everything checks out, the encrypted connection is established

When any step fails — expired certificate, broken chain, domain mismatch — the browser shows a warning or refuses to connect entirely.

Why SSL Certificates Expire

SSL certificates have a maximum validity period, currently 398 days (approximately 13 months) for publicly trusted certificates. The CA/Browser Forum has been trending toward shorter lifespans — there are active proposals to reduce this to 90 days.

Certificates expire because:

• Someone forgot to renew: The most common reason
• Auto-renewal failed silently: Let’s Encrypt or certbot configurations can break during server updates
• DNS validation failed: ACME challenges require correct DNS configuration
• Payment lapsed: Commercial certificate providers require active payment
• Organizational changes: The person who managed certificates left the company
• Multiple certificates across services: It is easy to lose track when you have dozens

The Impact of Expired Certificates

On Websites

Every modern browser shows a full-page warning for expired certificates. In Chrome, users see “Your connection is not private” with an “Advanced” link to bypass. Most users will not click through. Your site effectively goes offline for the majority of visitors.

On APIs

API clients that validate certificates (which they should) will reject connections entirely. This breaks:

• Mobile app connectivity
• Webhook deliveries
• Partner integrations
• Microservice communication
• Payment processing
• Any service-to-service authentication using mutual TLS

On SEO

Google uses HTTPS as a ranking signal. While a brief certificate lapse may not immediately impact rankings, extended issues or repeated lapses signal poor site maintenance, which can affect ranking over time.

On Trust

Certificate warnings train users to be suspicious of your site. Even after you fix the issue, the memory of a security warning lingers. For e-commerce and financial services, this trust damage can be lasting.

What SSL Monitoring Checks

A comprehensive SSL monitoring service checks more than just the expiration date:

Certificate Expiration

The primary check. You should receive alerts at multiple intervals before expiration:

• 60 days: Awareness — start planning the renewal
• 30 days: Action required — initiate the renewal process
• 14 days: Urgent — renewal should be completed or in progress
• 7 days: Critical — if not renewed by now, this is an emergency
• 1 day: Final warning

Certificate Chain Validation

Your certificate is part of a chain: your certificate, one or more intermediate certificates, and a root certificate. If an intermediate certificate is missing or incorrect, some browsers and clients will fail to validate the connection even though the certificate itself is valid.

This is a particularly insidious issue because it may work in some browsers (Chrome is forgiving about missing intermediates) but fail in others (curl, Python requests, older Android devices).

Certificate Configuration

Beyond the certificate itself, the TLS configuration matters:

• Protocol versions: TLS 1.2 should be the minimum; TLS 1.3 preferred
• Cipher suites: Weak ciphers should be disabled
• HSTS headers: Strict Transport Security prevents downgrade attacks
• OCSP stapling: Improves connection performance and reliability

Domain Matching

The certificate must match the domain it serves. Monitoring catches:

• Wrong certificate installed: A certificate for domain-a.com accidentally installed on domain-b.com
• Missing SANs: A multi-domain certificate that does not include all required subdomains
• Wildcard scope issues: A wildcard cert for *.example.com does not cover example.com itself

Setting Up SSL Monitoring

Step 1: Inventory Your Certificates

List every domain and subdomain that uses SSL:

• example.com and www.example.com
• api.example.com
• app.example.com
• status.example.com
• mail.example.com
• Any partner-facing endpoints

Do not forget internal services, staging environments, and CDN endpoints.

Step 2: Create Monitors

In StatusApp, create an SSL monitor for each domain:

{
  "type": "ssl",
  "name": "Main Website SSL",
  "host": "example.com",
  "port": 443,
  "alertDaysBeforeExpiry": [60, 30, 14, 7, 1]
}

Step 3: Configure Alert Channels

Route SSL alerts to the people who can act on them:

• DevOps/infrastructure team: They manage the certificates
• Account manager: If using a commercial CA, they handle the renewal purchase
• CTO/technical lead: Escalation for critical (7-day or less) warnings

Step 4: Document Your Renewal Process

Create a runbook for certificate renewal:

1. Where is the certificate issued from? (Let’s Encrypt, DigiCert, Cloudflare, etc.)
2. How is it installed? (certbot, manual upload, cloud provider console)
3. What DNS records need to exist for validation?
4. Who has access to the CA account?
5. What is the testing procedure after renewal?

Auto-Renewal Is Not Enough

Many teams rely on auto-renewal (Let’s Encrypt with certbot, Cloudflare, AWS ACM) and assume they are covered. Auto-renewal is excellent but not infallible:

• Server configuration changes can break certbot
• DNS changes can prevent ACME challenge validation
• Firewall rules can block HTTP-01 challenges
• Docker container restarts can lose certbot configurations
• Cloud provider quota limits can prevent ACM renewals
• Rate limiting at Let’s Encrypt can block renewals if you have many domains

SSL monitoring is your safety net for when auto-renewal fails. It costs nothing extra (it is included in StatusApp’s free plan) and prevents one of the most common causes of outages.

Common SSL Issues and How Monitoring Catches Them

Issue: Mixed content warnings. Your site loads over HTTPS but includes HTTP resources (images, scripts, fonts). SSL monitoring checks the certificate, but you should also use website monitoring with keyword validation to catch rendering issues.

Issue: Intermediate certificate missing. Your site works in Chrome but fails in curl or on Android. SSL monitoring with chain validation catches this immediately.

Issue: Certificate issued for wrong domain. After a server migration, the wrong certificate gets installed. SSL monitoring with domain matching catches this.

Issue: Self-signed certificate in production. During development, a self-signed cert was used. It accidentally makes it to production. SSL monitoring flags the untrusted certificate.

How Many SSL Monitors Do You Need?

A common question for organizations with many domains:

Domains	Monitor Count	StatusApp Plan
1-5	1-5	Free
5-20	5-20	Pro ($15/mo)
20-100	20-100	Business ($49/mo)
100+	100+	Custom

Remember, SSL monitors do not need frequent checks. Daily or every-6-hours is sufficient since certificates do not expire suddenly. This leaves most of your monitor allocation for website, API, and server monitors.

---

Never let an SSL certificate expire again. Start monitoring with StatusApp — SSL monitoring is included on every plan, including free.