SSL Certificate Monitoring: Avoiding Downtime

Why an Expired Certificate Is a Catastrophe

When an SSL certificate expires, browsers display a full-screen warning that blocks access to the site. Users cannot bypass this warning without taking special action. Result: lost traffic, conversions, and trust. Statistics show 85% of users leave a site when they see an SSL error.

Certificate expiration is the most preventable cause of downtime. You always know the expiration date in advance.

What to Monitor

Expiration Date

The primary metric is days until expiration. Set up notifications at 30, 14, and 7 days before expiration. For critical services, add alerts at 3 and 1 day.

Check your certificate's expiration date with the Enterno.io SSL Checker.

Chain of Trust

An SSL certificate works through a chain: your certificate → intermediate CA → root CA. If the intermediate certificate is missing or incorrect, browsers can't verify your certificate's authenticity.

Common issues:

Protocol and Ciphers

Monitor supported TLS versions and cipher suites:

Domain Coverage

The certificate must cover all domains and subdomains in use. A wildcard certificate *.example.com covers subdomains but not example.com itself; the bare domain needs its own SAN entry.
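The expiration thresholds from "Expiration Date" and the wildcard rule above can be checked together. This is an added example, not code from the article or from Enterno.io; the function names and the sample certificate are constructed for illustration, and the wildcard match is limited to a single left-most label.

```python
import socket
import ssl
from datetime import datetime, timezone

# Alert thresholds from the article: 30/14/7 days, plus 3 and 1 for critical services.
THRESHOLDS = (30, 14, 7)
CRITICAL_EXTRA = (3, 1)
# Constructed sample in the dict format returned by SSLSocket.getpeercert().
SAMPLE = {"notAfter": "Jun 15 12:00:00 2030 GMT", "subjectAltName": (("DNS", "*.example.com"),)}

def days_left(not_after, now):
    """Whole days until expiry; not_after is the 'notAfter' string, now is timezone-aware."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days

def alert_tier(days, critical=False):
    """Tightest threshold reached, 0 if already expired, None if no alert is due."""
    tiers = THRESHOLDS + (CRITICAL_EXTRA if critical else ())
    hit = [t for t in tiers if days <= t]
    return 0 if days < 0 else (min(hit) if hit else None)

def covers(cert, hostname):
    """True if a DNS SAN matches; '*.example.com' matches one label, never example.com."""
    host = hostname.lower().rstrip(".")
    parent = host.partition(".")[2]  # host with its left-most label removed
    sans = [n.lower() for k, n in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(n == host or (parent and n == "*." + parent) for n in sans)

def evaluate(cert, names, now, critical=False):
    """Report for an already-fetched certificate: days left, alert tier, uncovered names."""
    days = days_left(cert["notAfter"], now)
    return {"days_left": days, "alert": alert_tier(days, critical),
            "uncovered": [n for n in names if not covers(cert, n)]}

def check(host, names, critical=False, port=443):
    """Live pass; the default context verifies the chain, so a failed handshake is the alert."""
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:  # expired, broken chain, name mismatch
        return {"error": exc.verify_message}
    return evaluate(cert, names, datetime.now(timezone.utc), critical)

if __name__ == "__main__":
    now = datetime(2030, 6, 5, 12, tzinfo=timezone.utc)  # fixed clock for the sample
    print(evaluate(SAMPLE, ["example.com", "www.example.com"], now))
```

`check()` lets connection errors such as timeouts propagate, so the caller can report them as availability problems rather than certificate problems.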

Certificate Transparency

Monitor CT logs for unexpected certificates for your domain. If someone obtained a certificate for your domain without your knowledge, it's a sign of compromise.

Automating Renewal

Let's Encrypt + Certbot

Let's Encrypt issues free certificates valid for 90 days. Certbot automates renewal:

# Install certbot
apt install certbot python3-certbot-nginx

# Obtain certificate
certbot --nginx -d example.com -d www.example.com

# Test auto-renewal
certbot renew --dry-run

# Cron for renewal (usually configured automatically)
0 0,12 * * * certbot renew --quiet

Cloud Providers

AWS Certificate Manager, Cloudflare, and Google Cloud provide automatic certificate management without manual intervention.

Commercial Certificates

For OV and EV certificates, auto-renewal is more complex due to manual verification. Start the renewal process 30 days before expiration.

Common Issues

Auto-Renewal Failure

Even with Certbot, auto-renewal can break:

Mixed Content After Renewal

A new certificate may change HSTS behavior or subdomain coverage, causing unexpected mixed content errors.

Pinning Issues

If you use HPKP or certificate pinning in mobile apps, certificate replacement can block access. HPKP is deprecated and not recommended.

Monitoring Tools

SSL Monitoring Checklist

  1. Set up auto-renewal (Certbot / cloud provider)
  2. Monitor expiration date (alerts at 30/14/7/3/1 days)
  3. Verify chain of trust after every renewal
  4. Test auto-renewal monthly (certbot renew --dry-run)
  5. Monitor CT logs for unauthorized certificates
  6. Disable deprecated protocols (TLS 1.0/1.1)
  7. Document manual renewal procedure as a fallback

Summary

SSL certificate monitoring goes beyond checking expiration dates. Monitor the chain of trust, protocols, cipher suites, and CT logs. Automate renewal but don't blindly trust automation — verify it works. Use Enterno.io tools for regular checks.
