SSL certificate monitoring is an automated way of checking whether an SSL
certificate is valid and when it expires. When a website's SSL certificate
becomes invalid or close to the expiration date, the SSL monitoring spots the
issue and alerts the right person on the development team.
In this article, you will learn the following:
What SSL certificate monitoring is and how it works.
Why SSL certificates expire and what happens when they do.
An overview of on-call alerting and the incident management process for SSL certificate incidents.
How long SSL certificates are valid for and how to monitor automated renewals.
The benefits and drawbacks of using SSL certificate monitoring.
How to set up basic SSL certificate monitoring of a website.
How does SSL certificate monitoring work?
The SSL certificate monitoring process works by sending automated HTTP
requests at a pre-defined frequency to the desired URL and checking the
validity of its SSL certificate. HTTP GET requests are usually used, as they
retrieve the entire page. The pre-defined frequency depends on the specific
user's needs but generally ranges from 30 seconds for business websites up to
10 or more minutes for hobby projects.
The desired response from the monitored URL is that the SSL certificate is
valid. If a valid certificate is received, no further action is taken, and the
monitoring continues. However, when an invalid certificate is returned, the
monitor starts what is called an SSL certificate incident and starts alerting
according to the on-call calendar.
Since the expiration date is also monitored, when the expiration date crosses a
set threshold (usually 7 or 3 days), an alert is triggered, and an incident is
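A minimal version of the check described above, added here as an example and not code from the original article or from Better Uptime: it performs a verified TLS handshake, treats a verification failure as an incident, and compares the remaining certificate lifetime with the 7-day and 3-day thresholds. The `SAMPLE_CERT` dict and the split of the two thresholds into "warning" and "critical" are my assumptions.

```python
import socket
import ssl
import time

# Expiry thresholds from the article (7 or 3 days); the warning/critical split is an assumption.
WARN_DAYS, CRIT_DAYS = 7, 3

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns (not a real cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "notBefore": "Mar 22 12:00:00 2025 GMT",
    "notAfter": "Jun 20 12:00:00 2025 GMT",
}

def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Verified TLS handshake (chain + hostname); returns the peer cert dict.
    Raises ssl.SSLCertVerificationError for expired, untrusted or mis-named certs."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def days_until_expiry(cert, now=None):
    """Days left before notAfter (parsed as UTC); negative once expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return (not_after - now) / 86400

def classify(cert, now=None):
    """Map the remaining lifetime to the monitor state."""
    days = days_until_expiry(cert, now)
    if days <= 0:
        return "expired"
    if days <= CRIT_DAYS:
        return "critical"
    if days <= WARN_DAYS:
        return "warning"
    return "ok"

def check_host(hostname, port=443):
    """One monitoring run: ('incident', reason) on handshake failure,
    otherwise (state, days_left) for the expiry-threshold alert."""
    try:
        cert = fetch_peer_cert(hostname, port)
    except ssl.SSLCertVerificationError as exc:
        return "incident", exc.verify_message
    except OSError as exc:
        return "incident", f"connection failed: {exc}"
    return classify(cert), round(days_until_expiry(cert), 1)
```

Calling `check_host("example.com")` from a scheduler at the chosen frequency gives the polling loop; the sample dict lets `classify` be exercised without network access.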
Why do SSL certificates expire?
As with any form of authentication, SSL certificates need to expire so they can
be periodically re-validated and security is maintained. The main reasons for
SSL expiry are:
Maintaining up to date authentication information
The main reason for the expiration of SSL certificates is the server
authentication use-case. The certificate lifecycle needs to be kept limited to
provide a reasonable guarantee that the owner of the SSL certificate actually
has control over the domain.
Since domains and businesses change hands all the time, the certificates must
reflect that, and by expiring, they force new owners to get new certificates. If
they didn't, someone could purchase a domain together with a certificate and
impersonate the previous operator of the domain.
Increasing the speed of adoption of new security practices
The other reason for expiration dates is to facilitate improving security
standards. By limiting the time a certificate lasts, both users and developers
are forced to adopt the most up-to-date security practices. This allows for
faster development of the SSL/TLS ecosystem.
What happens when SSL certificates expire?
When an SSL certificate expires, all the benefits of HTTPS are lost. This means
that any visitor going to the website will see a security notification from the
browser saying that the website doesn't provide a secure connection and that it
might be dangerous.
Some browsers might even prevent users from accessing the website altogether
(see the Google Chrome example below).
However, an expired SSL certificate doesn't stop the encrypted data flow to and
from the website. Even though the encryption still works, that is no reason to
delay deploying a new SSL certificate.
What is an SSL certificate incident?
An SSL certificate incident is a period of time during which a given URL has an
invalid SSL certificate. Any users that are trying to use the service during the
incident will see a website's security warning page generated by their browser.
Those pages differ based on the browser but generally significantly decrease the
number of visitors accessing the website.
The most common ways of getting alerted by an SSL certificate monitor include
automated phone calls, SMS, Slack, and Microsoft Teams messages. The choice of
alerting channel depends on factors like the importance of the monitored
service, the time of day, and team preference.
What information do SSL certificate alerts include?
SSL certificate alerts include information about which URL has an SSL
certificate error and when it occurred. They also provide information about the
error that triggered the incident, specifically the received response and a site
screenshot. Screenshots can't be taken everywhere but in the case of website
monitoring, they offer a great insight into what went wrong and what customers
SSL certificate alerts also include a call to action for the on-call person.
Those usually have the option to acknowledge the incident or to view the
What is the process after receiving an alert? The SSL certificate incident resolution process
After an alert is received, it should be acknowledged immediately. If the alert
is not acknowledged in a specified time frame (usually 3 minutes), the person
next in line on the on-call duty is alerted. This process could continue further
until the whole team is alerted. However, the best practice is to have the
on-call schedule set up in a way that the first team member is always ready to
solve incoming incidents.
Once the incident is acknowledged, the escalation process is paused and the team
can fully focus on solving it. The time it takes to acknowledge an alert is
called Time to Acknowledge (TTA). Its average across different incidents, called
Mean Time to Acknowledge (MTTA), is a widely used incident management
The subsequent steps in the downtime resolution process differ between teams
and apps. For larger teams, they can include collaboration between several
developers or even several teams, delegating incidents to dedicated team
members, and more. There are, however, some best practices that all teams
managing incidents should follow: incident communication (both internal and
external) and incident post-mortems.
⏳ How long are SSL certificates valid for?
This depends on the specific certificate authority you are using; however, the expiration periods are getting shorter. For example, Let's Encrypt certificates are valid for 90 days and the recommended period for renewal is every 60 days.
The best practice for handling SSL certificates is to fully automate renewals or set them up with a provider like Cloudflare that handles their renewal for you. It's recommended to set up automated monitoring for the certificates for both cases to ensure that the automated renewals run correctly.
🔭 How to monitor automated SSL certificate renewals?
When using automated tasks like cron jobs to run scheduled SSL certificate renewals, it's a best practice to set up monitoring for those. Cron job monitoring checks whether the automated renewals run correctly and if they don't, you get alerted.
This adds an extra layer of protection to your system as it notifies you right when something goes wrong helping you to troubleshoot and solve the issue before the SSL monitor would notify you about the upcoming certificate expiry.
A common example is monitoring certbot, which runs automated Let's Encrypt certificate renewals.
Why use SSL certificate monitoring?
Prevent incidents before they occur
SSL monitoring allows you to get alerted before an SSL certificate expires,
giving you time to renew it before it becomes invalid, causing an error. This
proactive approach is the best way of preventing any SSL certificate-caused
Fix issues before they affect your users
SSL certificate monitoring is a fully automated process that can run as often as
every 30 seconds, which helps to discover any issues right away. In a best-case
scenario, any SSL certificate errors are fixed quickly, keeping the number of
affected users to a minimum.
Protect your users' data
Although an expired SSL certificate doesn't stop the encryption of the data flow
from and to the website, it is a security issue that should be solved
immediately. With monitoring, this security flaw can be identified and solved as
quickly as possible.
Protect your domain authority
When an SSL certificate expires, all the benefits of authentication and HTTPS
are lost. This means that any visitor going to the website will see a security
notification from the browser stating that the website might be dangerous.
Monitoring helps to prevent any significant decline in visitors.
What are the main benefits and drawbacks of SSL certificate monitoring?
Automated with regular frequency: SSL monitoring can run every minute,
every hour, 24 hours a day, 7 days a week, the whole year. It's a fully
automated script, and once set, it needs little to no maintenance while still
providing the same valuable information.
Simple to set up and use: Monitors for any URL can be set up in minutes
while providing the availability information right from the start. Since it
gives simple valid/not-valid information, it can be applied widely across
websites and apps of different types and use cases.
Global testing: It allows for testing from different endpoints around the
world. This allows distinguishing regional errors from incidents affecting all
users and allows for optimization for a global audience.
Limited downtime cause reporting: SSL certificate monitoring lacks the
information to answer why the downtime happened, since it only monitors the
final output and not the internal workings of the app. To get a better idea of
the root cause, an application performance management (APM) or log management
tool needs to be used.
Limited functionality monitoring: Since it only monitors a specific URL's
SSL certificate, it can miss smaller issues that can still significantly
interfere with the user experience, such as problems with the signup flow,
checkout, or other vital processes. To monitor those, transaction or keyword
monitoring needs to be used.
Where does SSL certificate monitoring fit in the synthetic monitoring setup?
Synthetic monitoring also offers monitoring options like checking an
API, DNS, or Transaction
How to start SSL certificate monitoring in 2 minutes with Better Uptime?
Better Uptime is an infrastructure monitoring tool
that offers SSL certificate monitoring together with regular uptime checks. Here
is how to get notified whenever a URL returns an invalid SSL certificate.