June 19, 2026 · 5 min read

How to monitor SSL certificate expiry across many domains

Expired certificates remain one of the most common self-inflicted outages, and they are entirely preventable. The hard part is not any single certificate; it is keeping track of dozens of them across domains, subdomains, and services that different teams own.

Why expiry still bites in the age of automation

Automated issuance was supposed to end expiry outages, and for simple sites it mostly has. But the renewals quietly fail in the gaps: a host where the renewal cron broke, an internal service nobody automated, a load balancer with a manually uploaded certificate, or a domain whose validation method stopped working. Automation covers the happy path; the outages live in the exceptions.

What to watch, beyond the date

The expiry date is the headline, but a useful check also surfaces:

  • Days remaining, so you can act on a threshold (renew at 30 days, alert at 14) rather than on the day itself.
  • Chain completeness, because a renewed leaf with a missing intermediate fails just as hard as an expired one.
  • Hostname match, in case a certificate was renewed for the wrong set of names.
  • The issuing CA, to catch a host that silently fell back to a self-signed or untrusted certificate.
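
The checks in the list above, sketched with Python's standard `ssl` module as an added example (not part of the original post, and not how the Bulk SSL Checker is implemented). The function names and the sample certificate dictionary are constructed for illustration; the 30-day and 14-day thresholds come from the list.

```python
import socket, ssl, sys
from datetime import datetime, timezone

RENEW_DAYS, ALERT_DAYS = 30, 14  # thresholds taken from the list above

# Constructed sample in the shape returned by SSLSocket.getpeercert(); not a real certificate.
SAMPLE_CERT = {
    "notAfter": "Jun 30 12:00:00 2026 GMT",
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Test CA"),),
               (("commonName", "Example Test CA R1"),)),
}

def days_remaining(cert, now=None):
    """Whole days until notAfter (negative once expired)."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).days

def issuer_name(cert):
    """Flatten the issuer RDN tuples to the CA's organisation, falling back to its CN."""
    fields = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    return fields.get("organizationName") or fields.get("commonName", "unknown")

def classify(days):
    if days < 0:
        return "EXPIRED"
    if days <= ALERT_DAYS:
        return "ALERT"
    return "RENEW" if days <= RENEW_DAYS else "OK"

def check_host(host, port=443, timeout=5.0):
    """Handshake with default verification, so chain, trust and hostname are all enforced."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Expired leaf, missing intermediate, untrusted issuer or wrong hostname all land here.
        return {"host": host, "status": "INVALID", "detail": exc.verify_message}
    except OSError as exc:
        return {"host": host, "status": "UNREACHABLE", "detail": str(exc)}
    days = days_remaining(cert)
    return {"host": host, "status": classify(days), "days": days, "issuer": issuer_name(cert)}

if __name__ == "__main__":
    print(classify(days_remaining(SAMPLE_CERT)), issuer_name(SAMPLE_CERT))
    for name in sys.argv[1:]:  # hosts you own, passed on the command line
        print(check_host(name))
```

Because the handshake uses the default verifying context, a host that fails chain, trust or hostname validation is reported as `INVALID` with the verifier's message instead of a day count, which keeps a broken renewal from hiding behind a far-off expiry date.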

Checking in bulk

Checking one host is easy; the value is in checking your whole estate in one pass so nothing slips through. The Bulk SSL Checker inspects up to twenty hosts at once and reports expiry, days remaining, chain status, and trust for each. For a deeper look at any single certificate it flags, the guide on how to read an SSL certificate explains every field.