As we continuously improve our own certificate management service, we keep an eye on other tools. There is a wide range of services and each of us has different requirements and preferences.
When you use Let's Encrypt certificates, it’s perfectly alright to trust your cron and your favorite Let’s Encrypt client to renew your server’s certificate when it’s due. However, this doesn't really work when the number of servers reaches 10-20 or when your job depends on keeping all certificates up to date. Renewing a certificate involves many moving parts so it really is a good idea to continuously check that all keeps working perfectly.
When the HTTPS really matters to you, the good good practice is to set up an end-to-end monitoring.
The following text includes some multi-purpose cloud services, dedicate HTTPS cloud services, FOSS projects, as well as several commercial systems.
Certificate Cloud Services - Free Usage
KEYCHEST - Let me get our own KeyChest off my chest first. It currently offers a free plan for non-business users with up to 500 endpoints. It uses its own global database of all certificates so it can find all your subdomains automatically (set up and forget service). You will get weekly email reports, an integration API, and a web dashboard. You can also use our automated cert issuance. Paid plans include custom root certificates, additional reports (phishing threat, security report), and internal cert management.
CertificateMonitor.org - it's an alternative to the default Let's Encrypt email reminders. It does not have any dashboard, you simply give it a domain name and the service will start sending reminder emails.
LetsMonitor.org - it's a free service for the first few domains. You need to enter each domain separately. It has a clear dashboard and email reminders.
Standalone Applications - Free
There is a large number of standalone applications (GitHub or other FOSS projects) for monitoring:
Certinel (GitHub, lust update 2017) - It has been created, because Let's Encrypt certificates are only valid for 90 days and there's no automation or monitoring currently available to check. You can do automation with some cronjobs, but this is probably unreliable so it's better you monitor the status of your certificates. Certinel also provides a simple one-page monitoring page were you can add, remove and check the status of your domains.
Checkssl (GitHub, last commit March 2019) - With the good work by "Let’s Encrypt" in providing free SSL certs for users, I wanted a quick way to check all the domains I look after to determine which ones have correct SSL certs, and which ones are in need of updating etc. This bash file is the first draft of a program to do that. It can either be run against a list of file names, from the directories in your Lets Encrypt live directory or on a single server with the aim of getting all the domain names from the server.
lectl (GitHub, last commit Aug 2018) - Script to check issued certificates by Let's Encrypt on CTL (Certificate Transparency Log) using https://crt.sh . It is directly dependent on the https://crt.sh service, which is managed by SectiGo.
SSL-cert-check (GitHub, last commit Apr 2019) - a Bourne shell script that can be used to report on expiring SSL certificates. The script was designed to be run from cron and can e-mail warnings or log alerts through nagios.
Certificate Only - Commercial Solutions
Multi-Purpose with SSL - Commercial Solutions
StatusCake has a simple certificate monitoring feature that sends reminders one week before expiration. You have to add each URL separately so it will work best if you have a few web services that are important for you.
Sucuri - this service provides annual subscription plans with SSL included from the "Pro". However, this only includes one website. If you have more websites, you'd need to ask about the "Enterprise" option. The price reflects a range of tools offered (malware scan, SQL injection, blacklist monitor, etc.)
Dotcom-Monitor is primarily uptime&performance monitoring service. SSL checks include basic info about the certificate (the issuer, name in the cert, if revoked, ...). You need "web services view", which is free for 5 URLs. The maximum number of domains is 100 which goes for $100/month.