Certificate expiry
The most common cause. An auto-renewal fails silently and the certificate expires, immediately triggering browser security warnings for all visitors.
Guide
SSL Certificate Monitoring: What to Track and Why It Matters
An expired or invalid SSL certificate knocks a website offline, triggers browser security warnings, and can harm search rankings. SSL certificate monitoring gives teams enough warning to renew before any of that happens.
What is SSL certificate monitoring?
SSL certificate monitoring tracks the health and expiry of the HTTPS certificates protecting a website. It checks whether the certificate is currently valid, who issued it, when it expires, and how many days remain before renewal is required.
A valid SSL certificate is table stakes for any website. Browsers display security warnings for sites with invalid or expired certificates, and most visitors will leave rather than proceed through a warning page. Search engines also factor HTTPS status into rankings.
Manual renewal reminders — calendar entries, email notifications from the certificate authority — are unreliable because they depend on someone acting on them in time. Automated SSL certificate monitoring checks continuously and alerts the right people with enough lead time to renew.
What SSL certificate monitoring tracks
NorthDuty captures full SSL certificate data on every health check run. The check confirms whether the certificate is valid, extracts the issuer, records the valid-from and valid-to dates, and calculates the number of days until expiry.
The sslDaysUntilExpiry field drives expiry alerts. Teams can configure an ssl_expiry alert rule with a custom day threshold — for example, alert when fewer than 30 days remain — so renewal happens well before a disruption.
Beyond expiry, the certificate issuer and validity status are checked on every run. If a certificate becomes invalid mid-cycle — due to revocation, a domain mismatch, or a misconfigured renewal — the check immediately registers a failure and the alert fires.
What can go wrong with SSL certificates
These are the most common certificate failures teams encounter.
Domain mismatch
The certificate was issued for a different domain or subdomain, making it invalid for the URL being served.
Incomplete certificate chain
The intermediate certificate is missing, causing some browsers to reject the connection even though the certificate itself is valid.
Certificate revocation
The certificate authority revokes the certificate due to a security issue, rendering it invalid mid-cycle with no warning.
Auto-renewal misconfiguration
Let's Encrypt and other CA tools rely on correct server configuration. A misconfigured renewal script can fail without an obvious error.
CDN or load balancer misconfiguration
A certificate update is applied to the origin server but not propagated to the CDN or load balancer, causing mismatches at the edge.
Why SSL expiry catches teams off guard
Certificate authorities and hosting providers send renewal reminder emails, but those emails go to whoever registered the certificate — often a team member who has since changed roles, or a shared inbox that no one monitors closely.
Auto-renewal is widely used but not always reliable. Let's Encrypt renewals depend on a correctly configured certbot cron job. If the server configuration changes, the cron job fails, the certificate is not renewed, and the failure is silent until the certificate expires.
The gap between the last manual check and expiry is where certificates lapse. Continuous monitoring closes that gap by tracking days remaining on every run and alerting automatically.
SSL monitoring as part of broader website health monitoring
SSL monitoring is one of several trust and availability checks NorthDuty runs on every health check. The same run also verifies DNS resolution, HTTP status, redirect chains, blank-page detection, JavaScript errors, broken resources, and first-party API calls.
This means an SSL expiry or certificate issue surfaces alongside any other problem affecting the page at that moment. Teams get a single view of website health — not separate alerts from separate tools — so diagnosis is faster.
Domain expiry monitoring runs in parallel. NorthDuty also captures domain registration status, registrar, creation date, expiration date, and days until expiry, so domain lapses are caught with the same lead time as certificate expirations.
Related NorthDuty Pages
Keep exploring the feature pages and commercial routes connected to this topic.
Feature
Uptime Monitoring
Every NorthDuty health check run verifies SSL validity, issuer, expiry date, and days remaining alongside HTTP status, DNS, and Core Web Vitals.
Explore Uptime MonitoringFeature Page
SSL Certificate Monitoring
Track SSL validity, issuer, expiry date, and days until renewal on every health check run.
Explore SSL MonitoringArticle
How to Monitor Website Uptime
Learn how to monitor website uptime, choose the right checks, and catch downtime before it hurts traffic, leads, or sales.
Read the guideFeature
UI Changes Monitoring
Get daily screenshots and pixel diffs for key website pages so unexpected design, content, and layout changes are easier to review.
Explore UI Changes MonitoringPricing
Pricing
Explore NorthDuty pricing for website monitoring covering uptime checks, UI change detection, and user journey monitoring.
Compare pricing plansFrequently Asked Questions
Short answers that summarize the practical takeaways from this guide.
What does SSL certificate monitoring check?
SSL certificate monitoring verifies whether a certificate is valid, captures the issuer, records valid-from and valid-to dates, and calculates days until expiry. It also detects domain mismatches and certificate revocations.
How much notice should I have before an SSL certificate expires?
Most teams prefer 30 days of lead time, which leaves enough room to renew without urgency even if the first attempt fails. NorthDuty's ssl_expiry alert rule supports a custom day threshold.
Why do SSL certificates expire unexpectedly?
Most unexpected expirations happen when auto-renewal fails silently — a misconfigured certbot script, a server change that breaks the renewal process, or a reminder email that reaches no one who acts on it.
Does NorthDuty monitor domain expiry as well?
Yes. NorthDuty captures domain registration status, expiration date, and days until expiry on every health check run alongside SSL certificate data.
Call To Action
Start monitoring your website with NorthDuty today.
Use NorthDuty to monitor SSL certificate expiry, issuer, and validity on every health check run so certificate failures never reach your visitors.