Webmasters always have their hands full with everything from user experience and search engine optimization to, last but not least, SSL certificates. While some may not prioritize SSL certificates, they are still critical to the correct operation of your websites.
Because SSL certificates are so important, monitoring them is a must! To help you get started, we’ve compiled a list of the top 10 best tools for monitoring SSL certificates for validity, expiry, and change.
Why Is an SSL Certificate Important for Your Website?
An SSL certificate will convey your identity to your users and improve your customers’ trust. At the same time, it’s one of the PCI DSS requirements, allowing you to handle sensitive information and process payments online.
Lastly, search engines prioritize content from sites that have SSL, making secure certificates a priority when it comes to SEO. Google went a step further in 2018, when it announced that it would start flagging websites that do not have a valid SSL/TLS certificate. In other words, using valid SSL certificates is a must. Since SSL certificates have expiration dates, monitoring them for validity and upcoming expiration is critical to ensuring you don’t end up with an invalid or expired certificate, get punished by Google and lose trust and revenue from your customers.
How Does an SSL Certificate Work?
To better understand how a certificate works, we need to look at its components. There are three types of certificates:
- A root certificate that belongs to the certificate authority
- An intermediate certificate that acts as an intermediary between the root certificate and the server certificate
- The server certificate, which is the certificate issued to a specific domain.
A certificate chain is the list of these three certificates that are contained in the SSL certificate. The chain begins with the root certificate and ends with the certificate issued by the authorities. It can have multiple intermediate certificates that act as middlemen between the two.
Whenever a browser attempts to connect to a website that is secured with an SSL certificate, it sends the server a message to initiate the SSL/TLS communication. The server will respond with an encrypted certificate to the client, where it’s going to be checked and sent back to the server. If the check passes, the key and the content will be sent to the client, where the content will be decrypted, completing the process, which is also called an SSL/TLS handshake. If the certificate check fails, the communication will fail.
What Happens When My SSL Certificate Expires?
Similar to how your insurance needs to be renewed every year or so, your SSL certificate will need to be renewed before it expires. You will probably have to do this every year, but there are certificates that are valid for up to 3 years. It’s critical that you know exactly when your certificate will expire.
When it does expire, your visitors will be met with a browser warning, and while they could technically still use the service or website, most people will click the Back to Safety button and go back. Guess what happens to any revenue you get from your site when this occurs?
Because calling HTTPS APIs from a web page served via HTTP, say due to an expired SSL certificate, is not secure, calls to the third-party APIs your website relies on will result in a 401 error or a Mixed Content error. Things will break. Your visitors and customers will see it. This can be especially bad if these APIs are user-facing or business-critical components of the website like the login system or a payment processor. You don’t want to be that website, trust me!
To avoid such issues you’ll want to monitor your SSL certificates closely with a certificate monitoring tool. More often than not, the solutions available today perform various other monitoring tasks such as API monitoring, website monitoring or page load testing. These are called synthetic monitoring tools or proactive monitoring tools. One such tool is Sematext Synthetics, which I’ll review below along with similar SaaS solutions but also tools designed especially to monitor SSL certificates.
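The validity, expiry and change checks discussed above, written with Python’s standard library as an added example; it is not code from this article’s author or from any of the tools reviewed below. The function names, the 30-day warning window and the sample certificate values are assumptions made for illustration.

```python
import hashlib
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict format returned by SSLSocket.getpeercert();
# SAMPLE_DER stands in for the DER bytes and is not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}
SAMPLE_DER = b"constructed stand-in for DER-encoded certificate bytes"


def fetch_certificate(host, port=443, timeout=5.0):
    """Handshake with chain and hostname verification; return (parsed, der).

    An untrusted chain, name mismatch or expired certificate raises
    ssl.SSLCertVerificationError, which a monitor should alert on as well.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def _parse(cert_time):
    # Certificate times look like "Jan  1 00:00:00 2025 GMT".
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def assess(cert, der, now, warn_days=30, known_fingerprint=None):
    """Report validity-window status, days left, and whether the cert changed."""
    not_before, not_after = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    days_left = (not_after - now).days
    if now < not_before:
        status = "not_yet_valid"
    elif now >= not_after:
        status = "expired"
    elif days_left < warn_days:
        status = "expiring"
    else:
        status = "ok"
    # Change detection: compare against the fingerprint stored on the last run.
    fingerprint = hashlib.sha256(der).hexdigest()
    changed = known_fingerprint is not None and fingerprint != known_fingerprint
    return {"status": status, "days_left": days_left,
            "fingerprint": fingerprint, "changed": changed}
```

Against a live site, pass the two values returned by `fetch_certificate(host)` to `assess` and store the returned fingerprint for the next run.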
How to Monitor SSL Certificates: Top 10 SSL Certificate Monitoring Tools
1. Sematext Synthetics
Sematext Synthetics performs multiple SSL checks on all certificates in the chain on an ongoing basis, 24 hours a day, 7 days a week, 365 days a year. SSL checks are done every time an API check is run, which can be at intervals anywhere from 1 minute to 1 hour; a certificate change check is done every 10 minutes and a certificate expiry check is done every day.
The SSL certificate details are saved in the dashboard as well as the complete details of every failed run.
Sematext features two separate monitors:
- The HTTP monitor checks the chain validity, expiration date, name constraints, and more.
- The Browser monitor uses a real Google Chrome browser and besides the tests done by the HTTP monitor, it also checks if the certificate was revoked, uses a weak signature or a weak key, and if it has Certificate Transparency data.
If one of these monitors fails, Sematext will send a notification through one of the many channels available, from custom notification hooks to Slack, Zapier, Twilio, VictorOps and many more.
It’s worth noting that Sematext Synthetics does not work with self-signed certificates, therefore any checks on APIs using a self-signed certificate will fail. This is because, by default, web clients like browsers and API clients do not trust self-signed certificates.
Sematext Synthetics comes with a free trial and plans start from $29/month and offer 40 HTTP and 5 browser monitors with data retention of 30 days. Besides the regular plan, you can also choose a Pay-as-you-go plan that allows you to get individual monitors for as low as $2/month.
2. TrackSSL
TrackSSL is a simple SSL certificate monitoring service that checks for the most common issues and sends out notifications in case of failure. TrackSSL will also notify you when there is a pending expiry, weak signatures or any issues in the chain. Note that its notification support is limited to email and Slack.
It might be easy to view TrackSSL as a one-trick pony, which, in all fairness, it does appear to be, but it does the job right and to the point. The integration with Slack will speed up the communication with your DevOps team, making it easier to identify and solve any problems that might arise.
The pricing is rather simple with 3 premium plans ranging in price from $25 to $99/year based on the number of tracked domains. TrackSSL also offers a free plan that allows you to monitor up to 2 domains.
3. Pingdom
Pingdom is a synthetic monitoring solution offering a slew of information about your SSL certificates. It gives you the option to set up alerts for whenever your certificate expires, is about to expire, or is, for whatever reason, invalid.
Pingdom offers SSL certificate monitoring as part of its Uptime monitor packages and allows you to manually set how many days before the certificate expires you’ll get the notification. The notifications will be delivered via their own app, SMS, email and other 3rd party integrations.
Pricing for the tool starts at $10 per month for 10 uptime checks and there’s a free 14-day trial to test-drive everything they have to offer.
4. Smartbear
With Smartbear you’ll be able to have URL monitors for your website and make sure your SSL/TLS certificate does not expire without you knowing. From the Smartbear AlertSite section you can set an alert to notify you 1, 7, 15, or 30 days before your certificate expires. This will give you plenty of time to make the necessary arrangements and make sure your certificates are always up to date.
Smartbear can only send Expired SSL Certificates reports for URL Monitors, meaning that if you have a real-browser monitor or an API endpoint monitor set up, you won’t be getting any alerts. You won’t get any alerts if the certificate has been updated either. While setting up individual Single URL monitors for each certificate you are trying to monitor can be a pain, it does allow for a more granular customization of your monitoring solution.
If you’re interested in trying it, there’s a free trial available, but you’ll have to contact their sales team first to get information on their pricing.
5. Keychest
Keychest is a bit different from other SSL certificate monitoring tools as it can automatically discover your new certificates as they are created. Instead of having you add certificate details manually, Keychest will look them up and track their progress from configuration to expiration.
Keychest will provide detailed information about the certificate: the key length and type (not unlike most other tools listed here), the endpoints where a certificate is used, and the renewal line, that is, previous certificates, their expiration and the renewal process.
When it comes to pricing, things are rather simple. There’s a free plan that’s better suited for personal use and three Business plans with prices running from $49 to $99 per month.
6. Site24x7
Site24x7 proactively monitors your SSL/TLS certificate, watches out for any certificate revocation, does a SHA-1 fingerprint check to verify the integrity of the certificate and more. You can use it to continuously monitor and manage the SSL/TLS certificate of services like HTTPS, SMTP, POP, IMAP and FTP from 90+ key locations around the world.
Like all the other tools mentioned above, Site24x7 does automatic SSL/TLS certificate monitoring for all the deployed certificates, helping you maintain trust and credibility by improving website availability.
Site24x7 has a simple pricing scheme with several plans starting from $10 per month and going up to $445 per month. There’s also a “free forever plan” as well as a 30 day free trial.
7. Sucuri
Sucuri may come as a surprise to some, but it is nevertheless a great solution for monitoring any changes to your SSL/TLS certificates. Any alteration to your certificates triggers an alert that will be delivered via email and, unlike other similar tools, Sucuri only relies on email to send notifications. It’s worth noting that Sucuri doesn’t tell you when the change occurred but only if it happened.
While Sucuri lacks most of the monitoring features that other similar SaaS tools have, it’s important to understand that the software is advertised as a website security solution first and a monitoring tool second.
Pricing for Sucuri starts at $199 per year and goes up to $499 per year.
8. SSL Certificate Expiration Alerts
Not unlike some of the other examples in this list, SSL Certificate Expiration Alerts is a simple monitoring tool that does exactly what it advertises in the title – sends a quick alert when the certificate expires. This minimal system lacks the configuration that other similar tools might offer, but promises to do the simple job it was designed for quite well.
9. Certificate Expiry Monitor
Certificate Expiry Monitor is a simple open source project that allows you to export the expiration of the SSL certificate as a Prometheus metric. For some, a tool like this might not sound especially useful but keep in mind that there are developers that have their own monitoring tool.
With detailed documentation and a simple installation process, Certificate Expiry Monitor provides detailed information about the SSL certificate straight into Prometheus.
10. SSL Certification Expiration Checker
A bit of a mouthful, I’ll give you that, but since it’s open source and quite effective I figured it should make the list. It’s a simple shell script that can be run from a cron job and report back on expiring SSL certificates. It uses Nagios to send a warning email when the certificate is about to expire.
While it lacks all the bells and whistles that most other SSL certificate monitoring tools offer, it does one simple task and does it well. To see all the configuration options available you just need to run "ssl-cert-check -h". This will display a list of all the available commands that SSL Certification Expiration Checker has to offer.
How to Choose the Right SSL Certificate Monitoring Tool for You?
There are lots of solutions that you can use to monitor SSL certificates but not all are created equal. Some serve one simple purpose while others have a lot of secondary uses like synthetic monitoring or real user monitoring features.
Understanding when your SSL certificate expires or is for whatever reason invalid is only one part of the information you need to have to deliver a complete experience for your users. You want to really understand what your users are experiencing when browsing your websites and make sure that your resources are available and working at all times and that’s something beyond the scope of SSL certificate monitoring.
But I digress. Picking one tool over another will be largely based on what monitoring solutions you already have at the moment. While it’s extremely important to have your certificate working 100% of the time, there are other aspects, like I’ve already mentioned above, that are of equal or greater importance. That means that the SSL monitoring feature should complement the existing website monitoring solution.
Moreover, it might be wise to consider SSL monitoring solutions that are a part of a wider monitoring platform also capable of infrastructure monitoring, log monitoring, etc. Using such an all-in-one solution will increase your productivity, the speed at which you can troubleshoot and fix issues, share access to key monitoring data with the team and even reduce costs and make vendor management simpler, all things worth taking into account.
On the other hand, if you are just looking for a simple SSL certificate monitor, a tool like TrackSSL might do it for you. I’d be remiss not to mention the open-source options I’ve spoken about. They are solid options and can be integrated quite easily into your existing environments.