Certificates
SSL certificate monitoring that reads the certificate you actually serve.
CertSentry opens a real TLS connection on every check and evaluates what your visitors receive - expiry, hostname, chain, issuer. So when auto-renew fails silently, the warning lands in your inbox days early, not in a customer screenshot.
Free personal workspace forever · No credit card
The coverage
What this watch covers
Warnings on a ladder
Alerts at 30, 14, 7, 3 and 1 days before expiry by default, configurable per monitor. One alert per threshold - never a stream - and the watch resets itself when the renewal lands.
Broken, not just expiring
A certificate that goes self-signed, hostname-mismatched or invalid mid-lifetime is flagged the moment a check sees it.
A TLS grade on every check
Each handshake is graded A to F, so a quiet configuration regression shows up as a grade drop on your dashboard - not in a pentest report six months later.
The certificate inventory
Every certificate across your estate in one table, sorted by expiry, with issuer, grade and SANs. The spreadsheet you were keeping by hand, kept automatically.
Questions
Common questions
My certificates auto-renew. Why monitor them?
Because auto-renew fails silently: a DNS change breaks ACME validation, a deploy pins an old certificate, a forgotten subdomain lives on another stack. CertSentry checks the certificate that is actually being served, so if renewal broke you hear about it a week early.
What exactly does a check look at?
A real TLS handshake against your host: expiry date, hostname match, chain validity and issuer, plus a deterministic TLS grade. Expiry thresholds alert on schedule; a certificate turning invalid, self-signed or mismatched alerts immediately.
How are alerts delivered?
Email on every plan, to every workspace member. Paid plans add Slack, Telegram, Discord and HMAC-signed webhooks. Recoveries notify too.
Do wildcard and multi-domain certificates work?
Yes. The certificate inventory lists every certificate with its SANs, so a wildcard covering twelve subdomains is one row you can actually reason about.
The rest of the watch
Also on watch
- Domain expiryRegistry-sourced expiry dates with the 30-to-1-day warning ladder.
- DNS changesDaily snapshots of six record types, alerting only on confirmed changes.
- UptimeChecks from 7 regions; down only when two regions agree, twice.
- Cron jobs & heartbeatsA ping URL per job; an alert the moment the pings stop.
- Certificate TransparencyDaily CT log sweeps; an alert on any new certificate for your domain.
- DMARC reportsParsed aggregate reports, new-sender alerts and failure-rate warnings.
The next expiry email you get should be from us.
Not from a furious client. Add your first domain in under a minute.
Start the watch - free