Skip to main content

SSL Certificate Monitoring

SSL monitors track the validity and expiry date of TLS certificates on your HTTPS endpoints. Get alerted before certificates expire and cause outages.

Why SSL Monitoring Matters

An expired certificate causes:

  • Browsers to show security warnings to all users
  • API clients to reject connections
  • Complete service outage for HTTPS-only services
  • SEO ranking penalties

A certificate expiry incident takes approximately 3–10 minutes to cause visible user impact and requires immediate remediation.

Creating an SSL Monitor

  1. Go to Monitors → New Monitor
  2. Select SSL Certificate
  3. Enter the hostname
note

SSL monitors check the hostname only — do not include the URL path. Use api.yourapp.com, not https://api.yourapp.com/health.

Configuration Reference

FieldRequiredDescription
NameYesDisplay name
HostnameYesDomain to check (e.g., api.yourapp.com)
PortNoDefault: 443
Check IntervalYesRecommended: once per day (1440 minutes)
Alert Days Before ExpiryYesWarn when fewer than N days remain
Alert TypeDays Before Expiry
Critical7 days
Warning30 days
Info60 days

What SSL Monitors Check

Each check verifies:

  1. Certificate validity — Is the cert currently trusted?
  2. Chain completeness — Are all intermediate certs present?
  3. Hostname match — Does the cert cover the monitored hostname?
  4. Expiry date — How many days until expiry?
  5. Protocol version — TLS 1.2 minimum enforced

Monitor States for SSL

StateCondition
UPValid cert, ≥ alert threshold days remaining
WARNINGValid cert, fewer than warning threshold days remaining
DOWNCertificate expired, invalid, or hostname mismatch

Certificate Details View

Click any SSL monitor to see:

  • Issuer (CA name)
  • Subject (hostname/wildcard/SAN)
  • Issue date
  • Expiry date
  • Days remaining
  • TLS version negotiated
  • Cipher suite

API — Create SSL Monitor

POST /v1/monitors
Authorization: Bearer psk_live_xxx
Content-Type: application/json

{
"name": "Production API SSL",
"type": "ssl",
"hostname": "api.yourapp.com",
"port": 443,
"interval": 1440,
"alertDaysBeforeExpiry": 30,
"criticalDaysBeforeExpiry": 7,
"alertPolicyId": "pol_xxxxxxxx"
}

Complementary Setup

For complete SSL coverage, create one SSL monitor per HTTPS subdomain:

api.yourapp.com
app.yourapp.com
www.yourapp.com
status.yourapp.com

If you use a wildcard cert (*.yourapp.com), one monitor on any subdomain confirms the cert's validity for all subdomains, but per-subdomain monitors give you individual expiry tracking in your dashboard.

Troubleshooting

SymptomCauseResolution
Always DOWN immediatelyPort 443 blocked or non-HTTPS serviceVerify TLS is available on that port
Chain validation failureMissing intermediate certificateAdd the full chain to your server config
Hostname mismatchCN/SAN does not include monitored hostnameRe-issue cert with correct SAN entries
Wrong expiry date shownMultiple certs in chain — checking wrong onePingSLA checks the leaf (end-entity) cert