Certificate Watchdog
Expired certificates take down entire sites. PulseStack monitors every certificate across all your domains, validates chains, checks TLS versions, and alerts you at 30, 14, 7, and 1 day before expiry.
Free SSL certificate checker
Progressive alerts
Most certificate-related outages happen because someone forgot to renew. The auto-renew process failed silently. The person responsible left the company. The DNS validation token expired. Whatever the reason, an expired certificate shows users a full-screen browser warning that says your site is not safe.
PulseStack sends escalating alerts as expiry approaches. The first notification arrives 30 days out, giving you time to plan. If the certificate is not renewed, alerts become more frequent and more urgent. At 1 day remaining, voice call alerts activate. Click the markers on the timeline to see each escalation level.
Configure which team members receive which alert levels through the integrations dashboard. Send 30-day reminders to a low-priority Slack channel and 1-day alerts as PagerDuty incidents. Combine with domain expiry monitoring to cover both certificates and domain registrations from a single dashboard.
How PulseStack alerts you as expiry approaches
Click a marker on the timeline to see alert details
An unexpired certificate can still break your site. Chain errors, deprecated protocols, and misconfigured SANs cause browser warnings just like expired certs.
Click each level to inspect
Which TLS versions should your server support?
Current standard. Best performance and security.
Still widely used. Secure with proper cipher selection.
Deprecated by all major browsers since 2020.
Known vulnerabilities (BEAST, POODLE). Must be disabled.
Broken. POODLE attack. Never use.
A certificate chain is the trust hierarchy that connects your domain certificate to a root authority that browsers recognise. If any link in the chain is missing, expired, or misconfigured, browsers reject the entire connection. This is one of the most common SSL errors and it usually happens after a certificate renewal when the intermediate is not updated.
PulseStack validates the complete chain on every check. If an intermediate certificate expires or your server stops including it in the handshake, you get alerted before users see a warning. It also tracks Subject Alternative Names (SANs) so you know if a wildcard certificate stops covering a subdomain you need.
TLS 1.0 and 1.1 have known vulnerabilities and are disabled by default in all modern browsers. If your server still supports them, you are exposing users to protocol downgrade attacks. Some PCI DSS compliance frameworks require TLS 1.2 as a minimum. PulseStack flags deprecated protocols automatically.
Monitoring TLS versions from multiple locations is important because load balancers and CDN edges can have different configurations. Your London edge might serve TLS 1.3 while your Singapore edge is stuck on TLS 1.2 with a weak cipher suite. Per-location monitoring catches these inconsistencies.
SSL monitoring is included in every plan. Free for 50 monitors.
Three failure modes that take sites offline, even when the server itself is running perfectly.
When a certificate expires, every major browser blocks access to your site with a full-screen warning. Chrome shows “Your connection is not private.” Firefox shows “Warning: Potential Security Risk Ahead.” Most users will not click through these warnings. They leave, and many will not come back.
The fix takes minutes, but the damage takes days to undo. Microsoft, Starlink, and LinkedIn have all experienced outages caused by expired certificates in recent years. Search engines that crawl during the outage may deindex your pages. Over 35% of users immediately abandon sites showing “Not Secure” warnings and many never return. Proactive monitoring is infinitely cheaper than reactive damage control. HTTP monitoring detects the outage, but SSL monitoring prevents it entirely.
Browser warning preview
Your connection is not private
Attackers might be trying to steal your information from example.com (for example, passwords, messages, or credit cards).
NET::ERR_CERT_DATE_INVALID
Auto-renewal tools like Certbot and ACME clients work great until they do not. DNS validation tokens expire. Server permissions change. The cron job that runs Certbot gets disabled during a migration. The renewal fails silently and nobody notices until the certificate expires 60 or 90 days later.
External monitoring is the safety net. Even if your internal tooling says everything is fine, PulseStack connects to your server from the outside and verifies what browsers actually see. If the certificate served to visitors differs from what your renewal tool thinks is installed, you know immediately. Add cron monitoring to watch the renewal job itself.
Common renewal failure modes
Starting in early 2026, major certificate authorities including DigiCert and Sectigo are moving to 200-day maximum certificate lifespans, down from the current 398 days. This means certificates will need renewing roughly twice a year instead of once. For agencies and enterprise teams managing certificates across dozens or hundreds of domains, each with different CAs and renewal methods, tracking all of this in a spreadsheet is no longer viable. One forgotten subdomain takes down a client project.
PulseStack automatically discovers and monitors certificates for every HTTPS endpoint you add. When you set up website monitoring or API monitoring, SSL tracking activates automatically. View all certificates from a single dashboard, sorted by days remaining, so you always know which ones need attention next. Pair with port monitoring to verify that port 443 is accepting connections alongside the certificate check.
Certificate inventory
50 monitors free forever. SSL certificate monitoring included in every plan.
Most popular
£29/month
All plans include SSL monitoring, incident management, and public status pages. Full plan comparison →
SSL monitoring works best alongside these other checks.
Everything you need to know about SSL certificate monitoring.
SSL monitoring for every domain. Free for 50 monitors, no credit card required.
Start monitoring certificates free