SSL CERTIFICATE MONITORING

Never Miss an SSL Expiration Again

Configure automated SSL checks with escalating alerts 30, 14, and 7 days before expiration. Full chain validation included.

Why SSL Monitoring Matters

An expired SSL certificate effectively takes your site offline the moment it lapses: browsers block access with a full-page warning, trust is broken, and revenue drops. PingKit polls every domain you specify at configurable intervals and flags expiration, chain errors, and mismatched hostnames before they hit production.

Our monitors validate the full certificate chain from the leaf certificate up to the root CA, ensuring no intermediate certificate is missing or misordered. You get a clear pass/fail status per endpoint, not just a generic warning. Teams at ShopDirect, FinServe.io, and CloudRail Logistics use PingKit SSL checks to protect over 1,200 live endpoints across multi-region deployments.

Real-world example: In March 2024, a mid-size SaaS provider running 47 domains across three CDNs missed a wildcard certificate renewal on *.appstore.example.com. PingKit fired a 30-day warning to their Slack channel #ops-alerts, a 14-day escalation to their ticketing system, and a 7-day SMS ping to the on-call engineer. The cert was renewed 12 days early — zero downtime, zero customer impact.

Configure Your SSL Checks

Every SSL monitor needs three settings: the target endpoint, the check interval, and the alert thresholds. PingKit lets you define all three in one panel.

Target Endpoint

Enter a full URL such as https://api.example.com or just a hostname like mail.example.com. You can add up to 200 endpoints per plan. Each endpoint is resolved independently, so you can monitor subdomains, CDN origins, and staging servers side by side.

Check Interval

Choose how often PingKit probes the certificate. Free accounts get 6-hour intervals; Professional plans support 1-hour, 30-minute, or 15-minute polling. For critical payment gateways like checkout.example.com, we recommend 15-minute intervals to catch unexpected revocations.

Chain Validation

Enable full chain verification to ensure the server returns a complete, correctly ordered certificate chain. PingKit checks for missing intermediates, self-signed roots, and hostname mismatches. If the chain is broken, you receive a specific error code — CHAIN_INCOMPLETE, HOSTNAME_MISMATCH, or ROOT_UNTRUSTED — so your team knows exactly what to fix.

Escalating Alert Schedule

PingKit sends tiered notifications as expiration approaches, giving your team time to act without alert fatigue. Configure each tier independently or accept the default schedule.

TIER 1 — 30 DAYS

Early Warning

At 30 days remaining, PingKit sends a notification to your primary channel — email, Slack, or Teams. The message includes the domain name, exact expiration timestamp in UTC, issuer (e.g., Let's Encrypt Authority X3), and a direct link to the monitor details page. This tier is designed for planning: open a renewal ticket, assign an owner, and schedule the task.

TIER 2 — 14 DAYS

Escalation Notice

At 14 days remaining, a second alert fires to your escalation channel. If the first alert was email, this one goes to Slack or PagerDuty. The message is more urgent and includes a countdown: 14d 0h 0m remaining. Teams using ACME auto-renewal should see this only if the automated process failed — making it a clear signal to investigate.

TIER 3 — 7 DAYS

Critical Alert

At 7 days remaining, PingKit triggers a high-priority alert via SMS, phone call, or both — depending on your on-call configuration. This is the final warning before the certificate becomes untrusted. The alert includes the exact expiry time, the responsible team tag, and a one-click link to initiate emergency renewal. At this stage, daily digest reports also highlight the expiring cert at the top.

Post-expiration monitoring: If a certificate expires and is not renewed, PingKit continues to flag it every check interval until the issue is resolved. You will receive a CERT_EXPIRED status on your dashboard and in your next digest. The monitor does not stop — it keeps checking so you know when the fix takes effect.
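
The chain check and the 30/14/7-day schedule described above can be sketched with Python's standard library. This is an added example, not PingKit's code: the mapping from OpenSSL verify codes to the page's status names and the `OK` and `VERIFY_FAILED` labels are assumptions.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Default schedule from the page, tightest tier first.
TIERS = [(7, "Critical Alert"), (14, "Escalation Notice"), (30, "Early Warning")]

# OpenSSL verify codes -> the page's status names. The mapping is an assumption.
VERIFY_STATUS = {
    10: "CERT_EXPIRED",       # certificate has expired
    18: "ROOT_UNTRUSTED",     # self-signed certificate
    19: "ROOT_UNTRUSTED",     # self-signed certificate in chain
    20: "CHAIN_INCOMPLETE",   # unable to get local issuer certificate
    21: "CHAIN_INCOMPLETE",   # unable to verify the first certificate
    62: "HOSTNAME_MISMATCH",  # hostname mismatch
}


def classify(not_after, now):
    """Map a getpeercert() notAfter string to (status, countdown)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    left = expires - now
    if left <= timedelta(0):
        return "CERT_EXPIRED", "0d 0h 0m remaining"
    countdown = f"{left.days}d {left.seconds // 3600}h {left.seconds % 3600 // 60}m remaining"
    for days, tier in TIERS:
        if left <= timedelta(days=days):
            return tier, countdown
    return "OK", countdown  # "OK" is a hypothetical label, not from the page


def status_for(exc):
    """Translate a verification failure; VERIFY_FAILED is a hypothetical fallback."""
    return VERIFY_STATUS.get(exc.verify_code, "VERIFY_FAILED")


def probe(host, port=443, timeout=5.0):
    """Live check: the default context validates the chain and the hostname."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        return status_for(exc), exc.verify_message
    return classify(not_after, datetime.now(timezone.utc))
```

`probe()` needs network access and trusts whatever roots the local system store trusts; `classify()` and `status_for()` run offline on a `notAfter` string or a caught verification error.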
