SSL Certificate Monitoring
SSL monitors track the validity and expiry date of TLS certificates on your HTTPS endpoints. Get alerted before certificates expire and cause outages.
Why SSL Monitoring Matters
An expired certificate causes:
- Browsers to show security warnings to all users
- API clients to reject connections
- Complete service outage for HTTPS-only services
- SEO ranking penalties
A certificate expiry incident takes approximately 3–10 minutes to cause visible user impact and requires immediate remediation.
Creating an SSL Monitor
- Go to Monitors → New Monitor
- Select SSL Certificate
- Enter the hostname
SSL monitors check the hostname only — do not include the URL path. Use api.yourapp.com, not https://api.yourapp.com/health.
Configuration Reference
| Field | Required | Description |
|---|---|---|
| Name | Yes | Display name |
| Hostname | Yes | Domain to check (e.g., api.yourapp.com) |
| Port | No | Default: 443 |
| Check Interval | Yes | Recommended: once per day (1440 minutes) |
| Alert Days Before Expiry | Yes | Warn when fewer than N days remain |
Recommended Alert Thresholds
| Alert Type | Days Before Expiry |
|---|---|
| Critical | 7 days |
| Warning | 30 days |
| Info | 60 days |
What SSL Monitors Check
Each check verifies:
- Certificate validity — Is the cert currently trusted?
- Chain completeness — Are all intermediate certs present?
- Hostname match — Does the cert cover the monitored hostname?
- Expiry date — How many days until expiry?
- Protocol version — TLS 1.2 minimum enforced
Monitor States for SSL
| State | Condition |
|---|---|
UP | Valid cert, ≥ alert threshold days remaining |
WARNING | Valid cert, fewer than warning threshold days remaining |
DOWN | Certificate expired, invalid, or hostname mismatch |
Certificate Details View
Click any SSL monitor to see:
- Issuer (CA name)
- Subject (hostname/wildcard/SAN)
- Issue date
- Expiry date
- Days remaining
- TLS version negotiated
- Cipher suite
API — Create SSL Monitor
POST /v1/monitors
Authorization: Bearer psk_live_xxx
Content-Type: application/json
{
"name": "Production API SSL",
"type": "ssl",
"hostname": "api.yourapp.com",
"port": 443,
"interval": 1440,
"alertDaysBeforeExpiry": 30,
"criticalDaysBeforeExpiry": 7,
"alertPolicyId": "pol_xxxxxxxx"
}
Complementary Setup
For complete SSL coverage, create one SSL monitor per HTTPS subdomain:
api.yourapp.com
app.yourapp.com
www.yourapp.com
status.yourapp.com
If you use a wildcard cert (*.yourapp.com), one monitor on any subdomain confirms the cert's validity for all subdomains,
but per-subdomain monitors give you individual expiry tracking in your dashboard.
Troubleshooting
| Symptom | Cause | Resolution |
|---|---|---|
| Always DOWN immediately | Port 443 blocked or non-HTTPS service | Verify TLS is available on that port |
| Chain validation failure | Missing intermediate certificate | Add the full chain to your server config |
| Hostname mismatch | CN/SAN does not include monitored hostname | Re-issue cert with correct SAN entries |
| Wrong expiry date shown | Multiple certs in chain — checking wrong one | PingSLA checks the leaf (end-entity) cert |