SSL Certificate Monitoring
How SSL Monitoring Works
SSL/TLS certificate checks run automatically on every HTTPS check, for both API monitors and uptime monitors. There is no separate SSL monitor to create or configure: as soon as a check targets an https:// URL, LoadFocus inspects the certificate on every run.
That means certificate coverage comes for free with the monitoring you already have. Every scheduled run refreshes the certificate data, so an unexpected change, such as a swapped issuer or a shortened validity window, shows up quickly.
The Warning Schedule
Expiry warnings are emailed at 14, 7, 3 and 0 days before the certificate expires, to the email address on the check.
The 14-day first warning is deliberate. Healthy Let's Encrypt setups auto-renew at about 30 days remaining, so a 30-day warning would fire on every normal rotation and train you to ignore it. If your certificate reaches 14 days remaining, renewal has genuinely stalled and it is time to act.
You get one warning per threshold per certificate, even when the check runs from many regions, so a multi-region check does not multiply the emails.
What Is Captured
Each check captures:
- Validity of the certificate.
- Issuer and subject.
- Valid-from and valid-to dates.
- Days remaining until expiry.
Renewal and Re-Arming
Warnings re-arm automatically when the certificate is renewed. As soon as the expiry date changes, the warning ladder resets, so you get a fresh set of 14, 7, 3 and 0 day warnings for each certificate lifetime. No manual reset or acknowledgement is needed.
One-Off Checks
For a one-off instant certificate inspection, without creating any check, use the free SSL Checker. It is handy for verifying a renewal right after you deploy it.
Read more about continuous certificate coverage on the SSL Monitoring page. To set up the HTTPS checks that carry these certificate checks, see How to Create a New API Check.