What is SSL Certificate Monitoring?

Better Stack Team
Updated on May 4, 2022

SSL certificate monitoring is an automated way of checking whether an SSL certificate is valid and when it expires. When a website's SSL certificate becomes invalid or close to the expiration date, the SSL monitoring spots the issue and alerts the right person on the development team.

In this article, you will learn the following:

  • What SSL certificate monitoring is and how it works.
  • Why SSL certificates expire and what happens when they do.
  • An overview of on-call alerting and the incident management process for SSL certificate incidents.
  • How long SSL certificates are valid for and how to monitor automated renewals.
  • The benefits and drawbacks of using SSL certificate monitoring.
  • How to set up basic SSL certificate monitoring for a website.

How does SSL certificate monitoring work?

SSL certificate monitoring works by sending automated HTTP requests at a pre-defined frequency to the desired URL and checking the validity of the SSL certificate it presents. HTTP GET requests are usually used because they retrieve the whole page. The frequency depends on the specific need but generally ranges from every 30 seconds for business websites up to every 10 or more minutes for hobby projects.

The desired outcome of each check is that the SSL certificate is valid. If a valid certificate is received, no further action is taken, and the monitoring continues. However, when an invalid certificate is returned, the monitor opens what is called an SSL certificate incident and begins alerting according to the on-call schedule.

Since the expiration date is also monitored, an alert is triggered and an incident is created when the remaining validity falls below a set threshold (usually 7 or 3 days).
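A minimal version of this check, as an added example (not code from the original article or from Better Stack): it completes a TLS handshake with Python's standard library, treats a verification failure as an invalid certificate, and classifies the remaining validity against the 7-day threshold mentioned above. The host name, the state names and the threshold default are assumptions for the example.

```python
import socket
import ssl
import time
from typing import Optional, Tuple

# Alert when this many days or fewer remain (the article cites 7 or 3 days).
DEFAULT_THRESHOLD_DAYS = 7

def fetch_certificate(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Complete a TLS handshake with `host` and return its leaf certificate.

    The default context verifies the chain, expiry and hostname, so an
    invalid certificate raises ssl.SSLCertVerificationError here.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def days_until_expiry(not_after: str, now_ts: Optional[float] = None) -> float:
    """Days remaining for a getpeercert() 'notAfter' string such as
    'May  4 12:00:00 2023 GMT'; `now_ts` (epoch seconds) defaults to now."""
    expires_ts = ssl.cert_time_to_seconds(not_after)
    now_ts = time.time() if now_ts is None else now_ts
    return (expires_ts - now_ts) / 86400

def classify(days_left: float, threshold_days: int = DEFAULT_THRESHOLD_DAYS) -> str:
    """Map remaining validity to a monitor state (state names are assumed)."""
    if days_left <= 0:
        return "INVALID"   # already expired: open an incident, alert on-call
    if days_left <= threshold_days:
        return "EXPIRING"  # inside the threshold: alert so renewal happens in time
    return "OK"

def check_host(host: str, threshold_days: int = DEFAULT_THRESHOLD_DAYS) -> Tuple[str, str]:
    """One monitoring run for `host`: returns (state, detail) for an alert body."""
    try:
        cert = fetch_certificate(host)
    except ssl.SSLCertVerificationError as exc:
        return "INVALID", f"{host}: certificate rejected ({exc.verify_message})"
    except (OSError, ssl.SSLError) as exc:
        return "ERROR", f"{host}: connection failed ({exc})"
    days_left = days_until_expiry(cert["notAfter"])
    return classify(days_left, threshold_days), f"{host}: expires in {days_left:.1f} days"

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or ["example.com"]:  # example.com is a placeholder host
        print(*check_host(target))
```

Run it from a scheduler at the desired frequency and route any state other than OK to your alerting channel.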

Why do SSL certificates expire?

As with any form of authentication, SSL certificates need to expire so that they are periodically re-validated and security is maintained. The main reasons for SSL expiry are:

Maintaining up to date authentication information

The main reason for the expiration of SSL certificates is the server authentication use case. The certificate lifetime needs to be kept limited to provide a reasonable guarantee that the owner of the SSL certificate actually controls the domain.

Since domains and businesses change hands all the time, the certificates must reflect that, and by expiring, they force new owners to get new certificates. If they didn't, someone could purchase a domain together with a certificate and impersonate a previous operator of the domain.

Increasing the speed of adoption of new security practices

The other reason for expiration dates is to facilitate improving security standards. By limiting the time a certificate lasts, both users and developers are forced to adopt the most up-to-date security practices. This allows for faster development of the SSL/TLS ecosystem.

What happens when SSL certificates expire?

When an SSL certificate expires, all the benefits of HTTPS are lost. This means that any visitor to the website will see a security notification from the browser saying that the website doesn't provide a secure connection and might be dangerous.

Some browsers might even prevent users from accessing the website altogether (see the Google Chrome example below).

[Image: Google Chrome SSL error page]

However, an expired SSL certificate doesn't stop the encrypted data flow to and from the website. Even though the encryption still works, that is no reason to delay deploying a new SSL certificate.

What is an SSL certificate incident?

An SSL certificate incident is a period of time during which a given URL has an invalid SSL certificate. Any user trying to use the service during the incident will see a security warning page generated by their browser. Those pages differ by browser but generally cause a significant drop in the number of visitors reaching the website.

How to receive SSL certificate incident alerts?

After an incident is spotted by the SSL certificate monitoring tool, it needs to be communicated to the service admins. This process is called incident alerting or on-call alerting. In case of an incident, the team member who is currently on call (on scheduled duty) receives the incident alert.

The most common alert channels for an SSL certificate monitor are automated phone calls, SMS, Slack, and Microsoft Teams messages. The choice of channel depends on factors like the importance of the monitored service, the time of day, and team preference.

What information do SSL certificate alerts include?

SSL certificate alerts include information about which URL has an SSL certificate error and when it occurred. They also provide details of the error that triggered the incident, specifically the received response and a screenshot of the site. Screenshots can't be taken everywhere, but in the case of website monitoring they offer great insight into what went wrong and what customers experienced.

SSL certificate alerts also include a call to action for the on-call person, usually the option to acknowledge the incident or to view it.

What happens after receiving an alert? The SSL certificate incident resolution process

After an alert is received, it should be acknowledged immediately. If the alert is not acknowledged within a specified time frame (usually 3 minutes), the next person in the on-call rotation is alerted. This escalation can continue until the whole team is alerted. However, the best practice is to set up the on-call schedule so that the first team member is always ready to handle incoming incidents.

Once the incident is acknowledged, the escalation process is paused and the team can fully focus on solving it. The time it takes to acknowledge an alert is called Time to Acknowledge (TTA). Its average across incidents, the Mean Time to Acknowledge (MTTA), is a widely used incident management metric.

The subsequent steps of the downtime resolution process vary between teams and apps. For larger teams, they can include collaboration between several developers or even teams of developers, delegation of incidents to dedicated team members, and more. There are some best practices that all teams managing incidents should follow. These include incident communication (both internal and external) and incident post-mortems.

⏳  How long are SSL certificates valid for?

This depends on the specific certificate authority you are using; however, the expiration periods are getting shorter. For example, Let's Encrypt certificates are valid for 90 days and the recommended period for renewal is every 60 days.

The best practice for handling SSL certificates is to fully automate renewals or to use a provider like Cloudflare that handles renewal for you. In both cases, it's recommended to set up automated monitoring of the certificates to ensure that the automated renewals run correctly.

🔭  How to monitor automated SSL certificate renewals?

When using automated tasks like cron jobs to run scheduled SSL certificate renewals, it's a best practice to set up monitoring for those as well. Cron job monitoring checks whether the scheduled renewals run correctly and alerts you if they don't.

This adds an extra layer of protection to your system, as it notifies you as soon as a renewal fails, letting you troubleshoot and fix the issue well before the SSL monitor would warn you about the upcoming certificate expiry.

A common example is monitoring certbot, the tool used to run automated Let's Encrypt certificate renewals.

Why use SSL certificate monitoring?

Prevent incidents before they occur

SSL monitoring allows you to get alerted before an SSL certificate expires, giving you time to renew it before it becomes invalid, causing an error. This proactive approach is the best way of preventing any SSL certificate-caused incidents.

Fix issues before they affect your users

SSL certificate monitoring is a fully automated process that can run as often as every 30 seconds, which helps to discover any issues right away. In a best-case scenario, any SSL certificate errors are fixed quickly, keeping the number of affected users to a minimum.

Protect your users' data

Although an expired SSL certificate doesn't stop the encryption of the data flow from and to the website, it is a security issue that should be solved immediately. With monitoring, this security flaw can be identified and solved as quickly as possible.

Protect your domain authority

When an SSL certificate expires, all the benefits of authentication and HTTPS are lost. This means that any visitor to the website will see a security notification from the browser stating that the website might be dangerous. Monitoring helps to prevent any significant decline in visitors.

What are the main benefits and drawbacks of SSL certificate monitoring?

Benefits

  • Automated with regular frequency: SSL monitoring can run every minute, every hour, 24 hours a day, 7 days a week, the whole year. It's a fully automated script, and once set, it needs little to no maintenance while still providing the same valuable information.
  • Simple to set up and use: Monitors for any URL can be set up in minutes while providing the availability information right from the start. Since it gives simple valid/not-valid information, it can be applied widely across websites and apps of different types and use cases.
  • Global testing: It allows for testing from different endpoints around the world. This allows distinguishing regional errors from incidents affecting all users and allows for optimization for a global audience.

Drawbacks

  • Limited downtime cause reporting: SSL certificate monitoring lacks the information to answer why the downtime happened, since it only monitors the final output and not the inner workings of the app. To get a better idea of the root cause, an application performance management (APM) or log management tool needs to be used.
  • Limited functionality monitoring: Since it only monitors a specific URL's SSL certificate, it can miss smaller issues which can still significantly interfere with the user experience, such as problems with the signup flow, checkout, or other vital processes. To monitor those, transaction or keyword monitoring needs to be used.

Where does SSL certificate monitoring fit in the synthetic monitoring setup?

SSL certificate monitoring is the main but not the only part of the synthetic monitoring toolbox. When it comes to website monitoring, SSL certificate checks are ideally accompanied by basic uptime checks. The best practice is also to set up domain expiration monitoring to prevent any security issues or loss of valuable business assets.

Synthetic monitoring also offers other options, such as API checks, DNS checks, or transaction monitoring.

How to start SSL certificate monitoring in 2 minutes with Better Uptime?

Better Uptime is an infrastructure monitoring tool that offers SSL certificate monitoring together with regular uptime checks. Here is how to get notified whenever a URL returns an invalid SSL certificate.

  • Once signed up, head to Monitors → Create monitor
  • Enter your URL in the URL to monitor text field; in this example, example.com
  • Select how you want to get alerted, be it a phone call, a Slack notification or an email
  • Click Advanced settings and set the SSL/TLS verification dropdown to On
  • Click Create monitor

For more information, explore Better Uptime docs.


This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.