KeyChest Blog

Certificate Monitoring - HTTPS/TLS

Nov 28, 2019 11:36:08 AM / by Dan

As we continuously improve our own certificate management service, we keep an eye on other tools. There is a wide range of services and each of us has different requirements and preferences.


When you use Let's Encrypt certificates, it’s perfectly alright to trust your cron and your favorite Let’s Encrypt client to renew your server’s certificate when it’s due. However, this doesn't really work when the number of servers reaches 10-20 or when your job depends on keeping all certificates up to date. Renewing a certificate involves many moving parts, so it really is a good idea to continuously check that everything keeps working perfectly.

When HTTPS really matters to you, good practice is to set up end-to-end monitoring.

The following text includes some multi-purpose cloud services, dedicated HTTPS cloud services, FOSS projects, as well as several commercial systems.

Certificate Cloud Services - Free Usage

KEYCHEST - Let me get our own KeyChest off my chest first. It currently offers a free plan for non-business users with up to 500 endpoints. It uses its own global database of all certificates so it can find all your subdomains automatically (set up and forget service). You will get weekly email reports, an integration API, and a web dashboard. You can also use our automated cert issuance. Paid plans include custom root certificates, additional reports (phishing threat, security report), and internal cert management. - it's an alternative to the default Let's Encrypt email reminders. It does not have any dashboard, you simply give it a domain name and the service will start sending reminder emails. - it's a free service for the first few domains. You need to enter each domain separately. It has a clear dashboard and email reminders.

Standalone Applications - Free

There is a large number of standalone applications (GitHub or other FOSS projects) for monitoring:

Certinel (GitHub, last update 2017) - It has been created because Let's Encrypt certificates are only valid for 90 days and there's no automation or monitoring currently available to check. You can do automation with some cronjobs, but this is probably unreliable so it's better you monitor the status of your certificates. Certinel also provides a simple one-page monitoring page where you can add, remove and check the status of your domains.

Checkssl (GitHub, last commit March 2019) - With the good work by "Let’s Encrypt" in providing free SSL certs for users, I wanted a quick way to check all the domains I look after to determine which ones have correct SSL certs, and which ones are in need of updating etc. This bash file is the first draft of a program to do that. It can either be run against a list of file names, from the directories in your Let's Encrypt live directory or on a single server with the aim of getting all the domain names from the server.

lectl (GitHub, last commit Aug 2018) - Script to check issued certificates by Let's Encrypt on CTL (Certificate Transparency Log) using . It is directly dependent on the service, which is managed by Sectigo.

SSL-cert-check (GitHub, last commit Apr 2019) - a Bourne shell script that can be used to report on expiring SSL certificates. The script was designed to be run from cron and can e-mail warnings or log alerts through nagios.

Certificate Only - Commercial Solutions

GlobalSign Inventory

DigiCert certificate inspector

SSLMate - Cert Spotter

Is It Working


Multi-Purpose with SSL - Commercial Solutions

StatusCake has a simple certificate monitoring feature that sends reminders one week before expiration. You have to add each URL separately so it will work best if you have a few web services that are important for you.

Sucuri - this service provides annual subscription plans with SSL included from the "Pro" plan. However, this only includes one website. If you have more websites, you'd need to ask about the "Enterprise" option. The price reflects the range of tools offered (malware scan, SQL injection, blacklist monitor, etc.).

Dotcom-Monitor is primarily an uptime and performance monitoring service. SSL checks include basic info about the certificate (the issuer, name in the cert, if revoked, ...). You need the "web services view", which is free for 5 URLs. The maximum number of domains is 100, which goes for $100/month.

ManageEngine SSL cert monitoring

Solarwinds SSL cert monitor

monitis SSL certificate monitoring

Uptrends SSL cert monitoring

site24x7 SSL expiry monitoring

PA Server Monitor


RedKestrel CertAlert (Windows)

Tags: letsencrypt, certificate, https

