Renewal failures, caught before the browser warning.
Watch a TLS cert from six regions. Page 14 days before expiry (configurable). Flat rate per monitor.
When this monitor earns its keep.
Three concrete patterns. Use them as templates for your own setup.
Public-facing domains
Your customer dashboard, marketing site, API host. A cert that expires Tuesday at 9am after a Monday holiday is the classic miss. Page 14 days out so you have time to re-run renewal.
Internal mTLS clients
Cert pinning between microservices. When the issuing CA rotates and a leaf cert silently expires, internal calls start 503'ing. Watch the chain so the rotation lands cleanly.
Multi-domain certs / SANs
A wildcard or SAN cert covering 20 subdomains. If a SAN is removed in the next renewal, only one subdomain breaks. Verify the SAN list on every probe.
How the setup looks.
Point at a hostname. We pull the chain and page before the browser warning. Flat rate per monitor; warn thresholds and regions do not add line items.
Same auth, same alert rules, same status pages as every other monitor type. See all 6
Set hostname and warn window
Default is 14 days before expiry. Tighten for short-lived ACME certs if you need to.
Probe from multiple regions
Catch CDN or edge nodes serving a different cert than the rest of your fleet.
Get renewal reminders
Alerts include issuer, SAN list, and days remaining so you can re-run renewal early.
FAQ
- Do you check the full chain or just the leaf?
- Full chain. We capture leaf, intermediates, and root; surface issuer changes and SAN diffs every probe.
- What about self-signed certs?
- Accepted. We report expiry and chain shape but skip CA-trust validation. Useful for internal mTLS.
- What about mTLS with a custom internal CA?
- Supported for expiry and chain monitoring. We skip public CA-trust validation, same as other self-signed or private-CA certs. Need port reachability? Use the TCP probe monitor.