Webmasters always have their hands full with everything from user experience to search engine optimization and, last but not least, SSL certificates. While some may not prioritize SSL certificates, they are still critical to the correct operation of your websites. Because Secure Sockets Layer (SSL) certificates are so important, monitoring them is a must! To help you get started, we’ve compiled a list of the top 10 best tools for monitoring SSL certificates for validity, expiry, and change.
Why Is an SSL Certificate Important for Your Website?
An SSL certificate will convey your identity to your users and improve your customers’ trust. At the same time, it’s one of the PCI DSS requirements, allowing you to handle sensitive information and process payments online. Lastly, search engines prioritize content from sites that have SSL, making secure certificates a priority when it comes to SEO. Google went a step further in 2018 when they announced that they would start flagging websites that do not have a valid SSL/TLS certificate. In other words, using valid SSL certificates is a must. Since SSL certificates have expiration dates, monitoring them for validity and upcoming expiration is critical to ensuring you don’t end up with an invalid or expired SSL certificate, get punished by Google, and lose trust and revenue from your customers.
How Does an SSL Certificate Work?
To better understand how a certificate works we need to look at its components. There are three types of certificates:
- A root certificate that belongs to the certificate authority (CA)
- An intermediate certificate that acts as an intermediary between the root certificate and the server certificate
- The server certificate, which is the certificate issued to a specific domain
A certificate chain is the list of these three certificates that are contained in the SSL certificate. The chain begins with the root certificate and ends with the certificate issued by the authorities. It can have multiple intermediate certificates that act as middlemen between the two.
Whenever a browser attempts to connect to a website that is secured with an SSL certificate, it messages the server to initiate the SSL/TLS communication. The server responds with an encrypted certificate to the client, where it is checked and sent back to the server. If the check passes, the key and the content are sent to the client, where they are decrypted, completing the process, also called an SSL/TLS handshake. Otherwise, if the certificate does not pass the check, the communication fails.
What Happens When My SSL Certificate Expires?
Similar to how your insurance needs to be renewed every year or so, your SSL certificate will need to be renewed before it expires. You will probably have to do this every year, but there are certificates that are valid for up to 3 years. It’s critical that you know exactly when your certificate will expire. When it does expire, visitors will be met with a browser warning, and while they could technically still use the service or website, most people will click the Back to Safety button and leave. Guess what happens to any revenue you get from your site when this occurs?
Because calling HTTPS APIs from a web page served via HTTP, say due to an expired SSL certificate, is not secure, third-party APIs your website is calling will result in a 401 error or a Mixed Content error. Things will break. Your visitors and customers will see it. This can be especially bad if these APIs are user-facing or business-critical components of the website like the login system or a payment processor. You don’t want to be that website, trust me!
To avoid such issues you’ll want to monitor your SSL certificates closely with a certificate monitoring tool. More often than not, the solutions available today perform various other monitoring tasks such as API monitoring, website monitoring, or page load testing. These are called synthetic monitoring tools or proactive monitoring tools. One such tool is Sematext Synthetics, which I’ll review below along with similar SaaS solutions and tools specially designed to monitor SSL certificates.
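The three things this article keeps returning to (validity, expiry, change) can be checked with nothing but Python's standard library. The script below is an added example, not code from any tool listed on this page; the 30/14/7/1-day alert schedule, the function names and the sample certificate data are assumptions.

```python
import hashlib
import socket
import ssl
import sys
from datetime import datetime, timezone

# Assumed alert schedule (days before expiry); not taken from any specific tool.
WARN_DAYS = (30, 14, 7, 1)


def fetch_cert(host, port=443, timeout=10):
    """Handshake with full chain and hostname validation; return (dict, DER)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def days_left(cert, now):
    """Whole days until notAfter; negative once the certificate has expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((not_after - now.timestamp()) // 86400)


def evaluate(cert, der, now, known_sha256=None):
    """Return (days_left, sha256_fingerprint, findings) for one leaf certificate."""
    findings = []
    remaining = days_left(cert, now)
    if remaining < 0:
        findings.append("EXPIRED")
    else:
        crossed = [d for d in WARN_DAYS if remaining <= d]
        if crossed:
            findings.append(f"EXPIRES_WITHIN_{min(crossed)}_DAYS")
    fingerprint = hashlib.sha256(der).hexdigest()
    # Change detection: compare against the fingerprint saved on the last run.
    if known_sha256 is not None and fingerprint != known_sha256:
        findings.append("CERT_CHANGED")
    return remaining, fingerprint, findings


def check_host(host, known_sha256=None):
    """Live check; an expired, self-signed or mismatched cert fails the handshake."""
    try:
        cert, der = fetch_cert(host)
    except ssl.SSLCertVerificationError as exc:
        return None, None, [f"INVALID: {exc.verify_message}"]
    except OSError as exc:
        return None, None, [f"UNREACHABLE: {exc}"]
    return evaluate(cert, der, datetime.now(timezone.utc), known_sha256)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: python cert_check.py <host> [old sha256]
        print(check_host(sys.argv[1], *sys.argv[2:3]))
    else:  # offline demo on constructed data (not a real certificate)
        sample = {"notAfter": "Jun 15 12:00:00 2030 GMT"}
        now = datetime(2030, 6, 5, 12, 0, tzinfo=timezone.utc)
        print(evaluate(sample, b"constructed DER bytes", now, "0" * 64))
```

Run it from cron with the fingerprint stored from the previous run as the second argument; any non-empty findings list is what you would route to email or chat.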
How to Monitor SSL Certificates: Top 10 SSL Certificate Monitoring Tools
1. Sematext Synthetics
Sematext Synthetics performs multiple SSL checks on all certificates in the chain on an ongoing basis, 24 hours a day, 7 days a week, 365 days a year. SSL checks are done every time an API check is run, which can be anywhere from every 1 minute to every 1 hour; a certificate change check runs every 10 minutes, and a certificate expiry check runs every day. The SSL certificate details are saved in the dashboard, as are the complete details of every failed run. Sematext features two separate monitors:
- The HTTP monitor checks the chain validity, expiration date, name constraints, and more.
- The Browser monitor uses a real Google Chrome browser and besides the tests done by the HTTP monitor, it also checks if the certificate was revoked, uses a weak signature or a weak key, and if it has Certificate Transparency data.
If one of these monitors fails, Sematext will send a notification through one of the many channels available, from custom notification hooks to Slack, Zapier, VictorOps, and many more. It’s worth noting that Sematext Synthetics does not work with self-signed certificates, so any checks on APIs using a self-signed certificate will fail. This is because, by default, web clients like browsers and API clients do not trust self-signed certificates. Sematext Synthetics comes with a free trial, and plans start from $29/month and offer 40 HTTP and 5 browser monitors with data retention of 30 days. Besides the regular plan, you can also choose a Pay-as-you-go plan that allows you to get individual monitors for as low as $2/month.
2. TrackSSL
TrackSSL is a simple SSL certificate monitoring service that checks for the most common issues and sends out notifications in case of failure. TrackSSL will also notify you when there is a pending expiry, weak signatures, or any issues in the SSL certificate chain. Note that its notifications support is limited to email and Slack. It might be easy to view TrackSSL as a one-trick pony, which, in all fairness, it does appear to be, but it does the job right and to the point. The integration with Slack will speed up communication with your DevOps team, making it easier to identify and solve any problems that might arise. The pricing is rather simple, with 3 premium plans ranging in price from $17 to $136/year based on the number of tracked domains. TrackSSL also offers a free plan that allows you to monitor up to 2 domains.
3. SolarWinds Pingdom
Pingdom is a synthetic monitoring solution offering a slew of information about your SSL certificates. It gives you the option to set up alerts for whenever your certificate expires, is about to expire, or is, for whatever reason, invalid. Pingdom offers SSL certificate monitoring as part of their Uptime monitors packages and allows you to manually set how many days before the certificate expires you’ll get the notification. The notifications will be delivered via their own app, SMS, email, and other third-party integrations. Pricing for the tool starts at $10 per month for 10 uptime checks and there’s a free 14-day trial to test-drive everything they have to offer.
4. Smartbear
With Smartbear you’ll be able to have URL monitors for your website and make sure your SSL/TLS certificate does not expire without you knowing. From the Smartbear AlertSite section you can set an alert to notify you 1, 7, 15, or 30 days before your certificate expires. This will give you plenty of time to make the necessary arrangements and make sure your certificates are always up to date. Smartbear can only send Expired SSL Certificates reports for URL Monitors, meaning that if you have a real-browser monitor or an API endpoint monitor set up, you won’t be getting any alerts. You won’t get any alerts if the certificate has been updated either. While setting up individual Single URL monitors for each certificate you are trying to monitor can be a pain, it does allow for a more granular customization of your monitoring solution. If you’re interested in trying it, there’s a free trial available, but you’ll have to contact their sales team first to get information on their pricing.
5. Keychest
Keychest is a bit different from other SSL certificate monitoring tools as it can automatically discover your new certificates as they are created. Instead of having you add certificate details manually, Keychest will look them up and track their progress from configuration to expiration. Keychest will provide detailed information about the certificate: the key length and type (not unlike most other tools listed here), the endpoints where a certificate is used, and the renewal line, that is, previous certificates, their expiration and the renewal process. When it comes to pricing, things are rather simple. There’s a free plan that’s better suited for personal use and three Business plans with prices available by inquiry.
6. Site24x7
Site24x7 proactively monitors your SSL/TLS certificate, watches out for any certificate revocation, performs a SHA-1 fingerprint check to verify the integrity of the certificate, and more. You can use it to continuously monitor and manage the SSL/TLS certificate of services like HTTPS, SMTP, POP, IMAP and FTP from 90+ key locations around the world. Like all the other tools mentioned above, Site24x7 does automatic SSL/TLS certificate monitoring for all the deployed certificates, helping you maintain trust and credibility by improving website availability. Site24x7 has a simple pricing scheme with several plans starting from $9 per month and going up to $225 per month. There’s also a “free forever plan” as well as a 30-day free trial.
7. Sucuri
Sucuri may come as a surprise to some, but it is nevertheless a great solution to monitor any changes to your SSL/TLS certificates. Any alteration to your certificates triggers an alert that will be delivered via email; unlike other similar tools, Sucuri relies only on email to send notifications. It’s worth noting that Sucuri doesn’t tell you when the change occurred, only that it happened. While Sucuri lacks most of the monitoring features that other similar SaaS tools have, it’s important to understand that the software is advertised as a website security solution first and a monitoring tool second. Pricing for Sucuri starts at $199 per year and goes up to $499 per year.
8. SSL Certificate Expiration Alerts
Not unlike some of the other examples in this list, SSL Certificate Expiration Alerts is a simple monitoring tool that does exactly what it advertises in the title – sends a quick alert when the certificate expires. This minimal system lacks the configuration that other similar tools might offer but promises to do the simple job it was designed for quite well.
9. Certificate Expiry Monitor
Certificate Expiry Monitor is a simple open source project that allows you to export the expiration of the SSL certificate as a Prometheus metric. For some, a tool like this might not sound especially useful but keep in mind that there are developers that have their own monitoring tool. With detailed documentation and a simple installation process, Certificate Expiry Monitor provides detailed information about the SSL certificate straight into Prometheus.
10. SSL Certification Expiration Checker
A bit of a mouthful, I’ll give you that, but since it’s open source and quite effective I figured it should make the list. It’s a simple shell script that can be run from a cron job and report back on expiring SSL certificates. It uses Nagios to send a warning email when the certificate is about to expire. While it lacks all the bells and whistles that most other SSL certificate monitoring tools offer, it does one simple task and does it well. To see all the configuration options available you just need to use “$ ssl-cert-check -h”. This will display a list of all the available commands that SSL Certification Expiration Checker has to offer.
11. Status Cake
StatusCake is one of the most popular uptime monitoring tools, and it also features SSL monitoring. It allows you to ensure your certificates are valid and up-to-date by alerting you when they are close to expiring or have already expired. You can also use it to check for any vulnerabilities in the SSL chain, such as insecure protocols or cipher suites, and it provides recommendations on how to fix them. With such capabilities, you can have peace of mind that your users’ data is protected and that they benefit from a secure browsing experience. Additionally, the tool offers detailed reporting and analytics, enabling you to track the performance of your SSL certificates. Status Cake pricing plans range from $20 per month to $66 per month. There’s also a free plan available as well as a 7-day free trial.
12. UptimeRobot
UptimeRobot offers SSL certificate monitoring that allows you to monitor up to 50 URLs. You can set up SSL monitors within your website’s main HTTPS monitoring to receive automatic notifications of any SSL certificate errors, including certificate expiry. Alerts are sent 30, 14, 7, and 1 day before the expiration date, giving you plenty of time to renew your SSL certificate. Its drawback, however, is that users cannot specify how many notifications to receive or who to send them to. It does integrate with various notification channels such as email, SMS, calls, or applications like Slack or MS Teams. You can monitor SSL certificates and use the Heartbeat monitor to keep an eye on your cron jobs with the Pro Plan. UptimeRobot pricing ranges from $7 per month to $54 per month. There is also a free plan available.
13. Better Uptime
Better Uptime is an uptime monitoring tool that includes cron job and SSL monitoring, HTTP(s) keyword checks, heartbeat, multi-step verification, and Ping and Port monitoring, among other features. Better Uptime monitors your website every 30 seconds and from multiple locations, ensuring that no location-related errors or false alarms are missed. Better Uptime also supports multiple third-party solutions, including Prometheus, Grafana, Zabbix, GCP and Azure. When investigating events, its reporting and analytics features allow you to validate Service Level Agreements (SLA), review historical uptime and better understand occurrences in context by utilizing incident cause synthesis. Pricing for Better Uptime ranges from $24 per month to $160 per month. There is also a free plan available.
14. Updown.io
Updown.io is an easy-to-use monitoring tool that helps you keep track of all your websites. To start monitoring your SSL certificates, just enter the URL of the website you are trying to keep track of and select how frequently you want it to be checked, ranging from every 15 seconds to every hour. For increased flexibility, instead of monitoring a single HTTP status, you may monitor a request instead. Updown.io integrates with a variety of different applications, including SMS, Slack, Statuspages, Telegram, Webhook and Zapier. The solution is reasonably priced, with prices varying according to the number of websites monitored and the frequency of monitoring. Users are charged on a pay-as-you-go basis.
15. Oh Dear
Oh Dear monitors uptime, validates SSL certificates, crawls for broken links, and provides alerts when something goes wrong. All of this is complemented by a developer-friendly API and excellent documentation. They also provide a robust API for integrating Oh Dear into your own platforms. There’s a slew of products that already work with Oh Dear, including a CLI tool, a Raycast extension, a WordPress plugin, and more. Pricing ranges from $17 per month to $240+ per month. There is also a 10-day free trial available.
| Tool | Best for | Features | Free Trial | Price |
|---|---|---|---|---|
| Sematext | Synthetic Monitoring | Uptime & API Monitoring, SSL Certificate Monitoring, etc. | 14 Days | From $2 per monitor |
| TrackSSL | Monitoring website SSL and TLS certificates | Set up SSL expiry notifications, Monitor SSL Changes, SSL Certificate Transparency Alerts | N/A | From $17/month |
| Pingdom | Web performance and website monitoring | Uptime & API Monitoring, Page Speed Analysis, etc. | 30 Days | From $10/month |
| Smartbear | Web, Cloud, SLA, API, Mobile and Application Monitoring | Hybrid Deployment, DéjàClick, Alerts, Reporting & Analytics, AlertSite APIs, Single Sign-On (SSO), etc. | 30 Days | By inquiry |
| KeyChest | Monitoring website SSL and TLS certificates | Get certificates & end-points discovered, Pending expirations alerts, Integration API, Audit domains instantly, Define internal/custom CAs | N/A | By inquiry |
| Site24x7 | DevOps and IT Operations teams to monitor performance | Monitoring REST APIs, SOAP web service, etc. | 30 Days | From $9/month |
| Sucuri | Complete Website Security, Protection & Monitoring | Malware, Whois, SSL, DNS and Blacklisting scans | N/A | From $199/year |
| SSL Certificate Expiration Alerts | Monitoring website SSL and TLS certificates | Expiring SSL email alerting | N/A | N/A |
| Certificate Expiry Monitor | Monitoring website SSL and TLS certificates | Exposes a Prometheus endpoint | N/A | N/A |
| SSL Certification Expiration Checker | Monitoring web server SSL and TLS certificates | Can be run from a cronjob, wildcard support, email alerts | N/A | N/A |
| Status Cake | Web performance and website monitoring | Uptime, Page Speed, Domain, Server & SSL Monitoring | 7 Days | From $20/month |
| UptimeRobot | Web performance and website monitoring | Website, Cronjob, Port, SSL, Keyword, Ping Monitoring | N/A | From $84/year |
| Better Uptime | Web performance and website monitoring | Uptime & API Monitoring, Page Speed Analysis, etc. | N/A | From $24/month |
| Updown.io | Web performance and website monitoring | Dual-Stack, Fast Checks, Various Integrations, Hosted Status Pages, Rest API & Webhook, SSL Testing | N/A | Based on usage |
| Oh Dear! | Web performance and website monitoring | Smart Alerts, Content Verification, Multi-location Monitoring | 10 Days | From $17/month |
How to Choose the Right SSL Certificate Monitoring Tool for You?
There are lots of solutions that you can use to monitor SSL certificates, but not all are created equal. Some serve one simple purpose while others have a lot of secondary uses like synthetic monitoring or real user monitoring features. Understanding when your SSL certificate expires or is for whatever reason invalid is only one part of the information you need to deliver a complete experience for your users. You want to really understand what your users are experiencing when browsing your websites and make sure that your resources are available and working at all times, and that’s something beyond the scope of SSL certificate monitoring. But I digress.
Picking one tool over another will be largely based on what monitoring solutions you already have at the moment. While it’s extremely important to have your certificate working 100% of the time, there are other aspects, as I’ve already mentioned above, that are of equal or greater importance. That means that the SSL monitoring feature should complement the existing website monitoring solution. Moreover, it might be wise to consider SSL monitoring solutions that are part of a wider platform that also offers infrastructure monitoring services, log monitoring features, etc. Using an all-in-one solution such as our Sematext Cloud will increase your productivity and the speed at which you can troubleshoot and fix issues, let you share access to key monitoring data with the team, and even reduce costs and make vendor management simpler, all things worth taking into account.
On the other hand, if you are just looking for a simple SSL certificate monitoring tool, something like TrackSSL might do it for you. I’d be remiss not to mention the open-source options I’ve spoken about. They are solid options and can be integrated quite easily into your existing environments. But if you want to start from the get-go with a more complex, yet still robust, SSL certificate monitoring tool, you should definitely give Sematext Synthetics a spin.
Try the 14-day free trial to convince yourself!