SSL Certificate Expiry Check Basics

In this brief article, we will cover how to set up Secure Socket Layer (SSL) Certificate checks. Once every 1 hour, this check monitors the data files that link a company’s information to an encryption key that “locks” web server data in a secure manner. This tutorial assumes that you have logged into

SSL Certificate Expiry Check At-A-Glance

Stay Ahead of Certificate Expirations

Supports Public and Self-Signed Certificates

Customize Certificate Verification Requirements

Supported SSL Protocols


Secure Socket Layer (SSL) checks ensure a layer of security is always in place. can monitor various protocols (including STARTTLS variants) once per day including:

  • HTTPS/SSL Certificate: The SSL certificate enables the HTTPS protocol when active. Read more about SSL.
  • FTP (File Transfer Protocol): used when transferring sensitive data between a client and a server on a computer network.
  • HTTP (HyperText Transfer Protocol): used to connect web servers on the Internet or on a local network.
  • HTTP/2 (HyperText Transfer Protocol/2): second version of HTTP, used to make applications faster, simpler, and more robust.
  • IMAP (Internet Message Access Protocol): a standard email retrieval (incoming) protocol.
  • IRC (Internet Relay Chat): Monitors the facilitation of communication via chat, typically through private messages that may also include file sharing.
  • LDAP (Lightweight Directory Access Protocol): accesses and manages directory information over IP networks.
  • MYSQL (My Structured Query Language): A relational database management system that can be used to store anything from a single record of information to an entire inventory of items.
  • POP3 (Post Office Protocol): An older protocol that was originally developed to be used on only one computer, and only supports one-way email synchronization.
  • POSTGRES: Open source relational database management system, used to store large and sophisticated data safely.
  • SIEVE: Language for filtering email messages, designed to be implementable on either a mail client or mail server.
  • SMTP (Simple Mail Transfer Protocol): used to send and receive email, and primarily sends messages to a server for forwarding.
  • XMPP (Extensible Messaging and Presence Protocol): used for real time data exchanges between two or more networks.
  • XMPP Server (Extensible Messaging and Presence Protocol): Provides basic messaging, presence and XML routing features, and can be used to run your own XMPP service.

    We offer monitoring support for the following protocols using STARTTLS:

    • FTP (File Transfer Protocol)
    • IMAP (Internet Message Access Protocol)
    • IRC (Internet Relay Chat)
    • LDAP (Lightweight Directory Access Protocol)
    • POP3 (Post Office Protocol)
    • SMTP (Simple Mail Transfer Protocol)

    Adding Your First SSL Check


    Monitoring decreases the likelihood of SSL expiration (or failure), and ensures a site remains trusted. SSL failures affect a company’s branding and compromise the trust customers place in a website.

    To add a new SSL Certificate Expiry check, go to Monitoring > Checks, then click Add New.

    We will need to fill in the following details:

    • The check name
    • Contact(s)

    Each of the fields below is required:

    • Domain
    • Before expiry (This example warns you 20 days before the certificate will expire)
    • Protocol (Used to check the certificate)

    Please note: SSL checks don't have normal performance metric values. The Response Time column for SSL will be displayed as Expires: [VALUE] days on both dashboards and status pages.

    Optional Settings


    There are a number of Optional settings for further customization of the certificate verification, matching, or specific behaviours.

    The following fields may be helpful, but are "Optional":

    • Port
    • Minimum SSL/TLS versions
    • Match certificate fingerprint (SHA-1). Please note: you must add "sha1 Fingerprint=..."
    • Validate certificate/CRL at URL
    • Match issuer name
    • Match additional name(s)

    There are also additional checkboxes which allow for special behaviour:

    • CRL fallback when OCSP is not available
    • Allow self-signed certificates
    • Check only the first certificate in the chain
    • Ignore authority warnings (check expiration only)
    • Do not check for signed certificate timestamps (SCT)

    For a detailed explanation of each field, please take a moment to familiarize yourself with the Field Explanation Support article.
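
To see what these fields mean in practice, here is an added example (not code from this article or the monitoring product) that evaluates a certificate against a "Before expiry" threshold, a SHA-1 fingerprint in the "sha1 Fingerprint=..." form, an issuer name, and additional names. The function names, parameter names and the `SAMPLE` certificate are assumptions made for illustration.

```python
import hashlib
import socket
import ssl
from datetime import datetime, timezone

def sha1_fingerprint(der):
    """SHA-1 of the DER certificate, written as 'sha1 Fingerprint=AA:BB:...'."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return "sha1 Fingerprint=" + ":".join(digest[i:i + 2] for i in range(0, 40, 2))

def evaluate(cert, der, now, before_expiry_days=20, fingerprint=None,
             issuer_name=None, additional_names=()):
    """Return (days_left, problems) for a certificate in ssl.getpeercert() form."""
    problems = []
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (datetime.fromtimestamp(not_after, timezone.utc) - now).days
    if days_left < 0:
        problems.append("certificate has expired")
    elif days_left <= before_expiry_days:
        problems.append(f"certificate expires in {days_left} days")
    # Pinning: compare against the exact certificate that is expected.
    if fingerprint and sha1_fingerprint(der).lower() != fingerprint.lower():
        problems.append("fingerprint mismatch")
    # The issuer is a sequence of RDNs, each a tuple of (attribute, value) pairs.
    issuer_values = {value for rdn in cert.get("issuer", ()) for _, value in rdn}
    if issuer_name and issuer_name not in issuer_values:
        problems.append("issuer mismatch")
    dns_names = {v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    for name in additional_names:
        if name not in dns_names:
            problems.append(f"missing name {name}")
    return days_left, problems

def check(domain, port=443, **options):
    """Fetch the live certificate (chain and hostname verified) and evaluate it."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # "Minimum SSL/TLS versions"
    with socket.create_connection((domain, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            return evaluate(tls.getpeercert(), tls.getpeercert(binary_form=True),
                            datetime.now(timezone.utc), **options)

# Constructed sample in ssl.getpeercert() form (not a real certificate).
SAMPLE = {"notAfter": "Jun 15 12:00:00 2030 GMT",
          "issuer": ((("organizationName", "Example CA"),),),
          "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com"))}
```

`evaluate` works offline on the constructed `SAMPLE`; `check` needs network access and uses the system trust store, so a self-signed certificate fails the handshake before any field is evaluated.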

    Troubleshooting Failed SSL Checks


    When an SSL Certificate check fails, the configured contact(s) will receive an email that highlights the domain being checked, date, time, Location and explanation of why the SSL Expiry check failed. 

    For more information on alerts, see our support article on Alerting.

    Please note: SSL Cert checks run once every hour. If a certificate is updated/fixed, there is a workaround to return the check to the UP state, instead of waiting for the check to run again the following day.

    To do so, make sure that the check passes via Run Test, then click Save. From the Checks screen, pause the check in question, wait around five (5) minutes, and then resume the check. It should come back up shortly.

    Finalizing Your Check


    Before you finalize your check, click Run Test to verify your settings are returning the expected results. 

    Please note: This check type is run once every 1 hour. If you experience a failure, and believe the issue is corrected, you can click Run Test to verify settings are correct. The check will return to UP status 1 hour after the alert was issued, assuming the test is successful and no other issues are detected. 


    Final Thoughts


    SSL Certificate Expiry Checks are an excellent monitoring tool to specifically focus on a domain's certificate, and warn you well in advance of actual expiry so your System/DevOps team can start that process before it affects your sites.

    If you have any questions, please contact
