SSL Certificate Monitoring & Expiry Alerts
Prevent certificate-related outages with continuous monitoring and tiered expiry alerts
SSL certificate expiration is the leading cause of preventable HTTPS outages. Expired certificates cause browser warnings, break API integrations, and erode customer trust. EdgeDNS monitors your certificates continuously, tracking renewals, issuer changes, key rotations, and protocol downgrades — with alerts at configurable thresholds before expiration. Start free on EdgeDNS — 200 requests/month, no credit card required.
The Challenge
Organizations manage hundreds of SSL certificates across production, staging, and internal services — and renewal processes span ACME/Let's Encrypt automation, manual vendor certificates, and wildcard certs across multiple teams. When renewals fail silently or certificates are replaced with weaker configurations, teams find out from customer complaints, not monitoring. The CA/B Forum lifetime schedule turns this from quarterly to weekly work: 200 days on 2026-03-15, then 100 days (2027), then 47 days (2029).
The Solution
Subscribe each domain to scheduled certificate monitoring — checks run every 30 minutes to daily, tracking issuer, expiry, key type, protocol, and chain validity. Pair the monitor with the [SSL endpoint](/guides/domain-ssl), the [cert-chain endpoint](/guides/domain-cert-chain), and the [TLS & Certificate Transparency audit use case](/use-cases/tls-certificate-transparency) for full coverage. Or ask your AI: *"Watch api.acme.com, alert me 30 days before any cert expires, and tell me if the issuer or key type changes."*
Endpoints Used
Combine these EdgeDNS endpoints to build this solution.
/v1/subscriptionsTry in PlaygroundCreate Subscription: Subscribe a domain with cert monitoring enabled and expiry alert threshold
/v1/subscriptions/:id/alertsTry in PlaygroundSubscription Alerts: View cert_change, cert_expiry, and other alerts for this subscription
/v1/subscriptions/:id/check-resultsTry in PlaygroundCheck Results: View all check results including certificate check outcomes
/v1/domain/sslTry in PlaygroundSSL Certificates: On-demand certificate transparency log search for any domain
Results You Can Achieve
30 / 14 / 7-day expiry alerts (configurable)
Notify owners on the configurable thresholds well before browser warnings fire.
Detect issuer / key / protocol downgrades
Catch the subtler regressions: CA change, RSA-to-EC downgrade, missing intermediates.
Private certificate history per organization
Your scheduled checks are not aggregated into public CT-log search corpora.
Code Example
Monitor certificates with expiry alerts
// Subscribe with cert monitoring (check every 4 hours, alert at 30 days)
const sub = await fetch('https://api.edgedns.dev/v1/subscriptions', {
method: 'POST',
headers: {
'Authorization': 'Bearer YOUR_API_KEY',
'Content-Type': 'application/json'
},
body: JSON.stringify({
domain: 'api.example.com',
cert_enabled: true,
cert_interval_minutes: 240,
cert_port: 443,
cert_change_alert: true,
cert_expiry_alert_days: 30,
notification_emails: ['security@company.com']
})
}).then(r => r.json());
// Check for cert-related alerts
const alerts = await fetch(
`https://api.edgedns.dev/v1/subscriptions/${sub.data.id}/alerts`,
{ headers: { 'Authorization': 'Bearer YOUR_API_KEY' } }
).then(r => r.json());
const certAlerts = alerts.data.filter(
a => ['cert_change', 'cert_expiry'].includes(a.alert_type)
);
console.log('Certificate alerts:', certAlerts);Learn More
Explore industry standards and best practices related to this use case.
Ready to build SSL Certificate Monitoring & Expiry Alerts?
Get started with 200 free API requests per month. No credit card required.