When do SSL expiry alerts fire, and can I change the timing?
By default, CertSentry warns you at 30, 14, 7, 3 and 1 days before a certificate expires. Each threshold fires once, so you get a timely sequence of nudges without being buried in repeats.
Tune it per monitor
The lead days are fully configurable on each monitor:
- Watching something business-critical? Add an earlier warning (say 60 days) so a manual renewal has plenty of runway.
- Running a low-stakes internal cert that renews automatically? Trim the list to just a couple of late reminders.
Set whatever cadence matches how quickly you can actually act.
Validity, not just expiry
A certificate can break long before its expiry date. CertSentry raises an alert as soon as the served certificate becomes invalid — a hostname mismatch, an untrusted or incomplete chain, or a cert that was swapped for a broken one. These fire immediately on detection, not on a countdown.
The daily TLS grade
Every day, the SSL check also computes a TLS configuration grade for the host. It reflects how the endpoint is configured — protocol versions and overall hygiene — so you can spot a weak or drifting setup before it becomes a security finding or a compatibility problem for clients.
Recovery
When a previously failing certificate becomes valid again, you get a recovery notice — so a fixed problem doesn't linger as an open question.