Certificate Expiry Monitoring

Your customers discover certificate expiry before your team does — unless you monitor

An expired SSL certificate is not a technical glitch — it is a visible outage. Browsers block. API integrations fail. Support calls flood in. CertControl alerts the right people well in advance — not a shared inbox nobody watches.

14-day free trial  ·  No credit card required  ·  EU hosted

What certificate expiry actually costs

An expired certificate doesn't just take down the website

Most people think of the browser warning. But certificate expiry hits broadly: API integrations fail silently, internal systems using mutual TLS stop communicating, and mail servers get rejected. The fallout compounds faster than you can complete a renewal under pressure.

What happens without monitoring

  • Browsers show "Your connection is not private" — users leave
  • API calls return SSL errors — integrations stop without warning
  • Support calls flood in — customers report the problem before anyone internally knows
  • Outages are discovered by customers, not the IT team
  • Emergency renewal under pressure — mistakes and stress compound the problem

What happens with CertControl

  • Alerts at 60, 30, 14, and 7 days before certificate expiry
  • Named recipients — not an inactive shared inbox
  • Unified expiry overview across all certificates, sorted by deadline
  • ACME integration for automatic certificate requests via Let's Encrypt
  • Audit log documenting proactive handling for NIS2 audits

47-day certificates in 2029

Manual expiry management is running out of time

The CA/Browser Forum has decided to significantly reduce TLS certificate lifetimes heading into 2029. For an organisation with 1,000 certificates, a 47-day maximum means up to 8,000 renewals per year. That is not a number you can manage in a spreadsheet.

  • Mar 2026: 200 days maximum. Automation is already an advantage today — in a year, it will be a hard requirement.
  • Mar 2027: 100 days maximum. Manual renewal frequency doubles — the same effort for half the certificate lifetime.
  • Mar 2029: 47 days maximum. ACME integration is the only scalable solution at that point.

Alert configuration

Alerts that reach the right person — with enough context to act immediately

An alert is only useful if it reaches the person who can act on it, with enough context that they know exactly what to do. CertControl does not send generic notifications to shared inboxes.

Thresholds you define

Set alerts at 60, 30, 14, 7, and 1 day before certificate expiry. Critical systems can have additional thresholds. Configure per endpoint group — not just globally.

Named recipients

Alerts go to specific email addresses — not a generic inbox that nobody monitors. Set up primary and backup recipients per certificate or group.

Webhooks to your channels

Send alerts to Slack, Microsoft Teams, PagerDuty, or any system that accepts HTTP POST. Certificate expiry surfaces in the channel your team already uses for operational alerts.

ACME automation — client and server

As an ACME client, CertControl requests certificates from Let's Encrypt or another supported CA on your behalf. The Scale plan adds an ACME Server (RFC 8555): your internal servers — Linux and Windows — run certbot, acme.sh, or Posh-ACME pointing to CertControl, which issues or forwards orders to a supported upstream CA. With a DNS plugin configured, the entire renewal cycle is zero-touch — challenge, issuance, and installation handled automatically. The Scale plan also includes ARI (RFC 9773): CertControl signals the optimal renewal window to each ACME client, so fleet renewals are coordinated automatically — and mass-revocation reaches every server in one action.

Expiry overview

A unified dashboard shows all certificates sorted by expiry date. Red, amber, green — you see at a glance what needs action today and what is coming up.

Audit log and documentation

All alerts, acknowledgements, and renewals are logged automatically. The documentation is ready for NIS2 audits or internal review — you do not need to piece it together after the fact.

Frequently asked questions

What happens when a TLS certificate expires?

Browsers display a security warning and block access — users see the error, not the IT team. API calls fail with SSL errors and integrations stop without warning. Services that use the certificate for authentication stop working. The result is an outage discovered by customers, an emergency renewal under pressure, and potential NIS2 compliance problems.

When should I send the first certificate expiry alert?

For standard certificates: 30 and 14 days. For critical production systems: add 60 days as an early warning. Think about your actual renewal process — if it requires internal approval, an alert 7 days before expiry is too late. With the upcoming 47-day certificates, the first alert should go out at 21 days.
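The threshold guidance above, worked through as an added example (not CertControl code): it picks thresholds per certificate from its lifetime and criticality, suppresses alerts already sent, and orders the result by deadline. The inventory, host names, recipient addresses and the rule that a 47-day certificate keeps only thresholds below 21 days are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timezone

STANDARD, CRITICAL = (30, 14), (60, 30, 14)   # days before expiry, from the text
SHORT_LIVED_MAX, SHORT_LIVED_FIRST = 47, 21   # 47-day certs: first alert at 21 days

def parse(ts):
    """Parse notBefore/notAfter in the format ssl's getpeercert() returns."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(ts), tz=timezone.utc)

def thresholds_for(cert):
    lifetime = (parse(cert["notAfter"]) - parse(cert["notBefore"])).days
    base = CRITICAL if cert["critical"] else STANDARD
    if lifetime <= SHORT_LIVED_MAX:
        # Assumption: a 60- or 30-day threshold would fire right after issuance
        # on a 47-day certificate, so start at 21 and keep only tighter ones.
        base = (SHORT_LIVED_FIRST,) + tuple(t for t in base if t < SHORT_LIVED_FIRST)
    return sorted(base, reverse=True)

def due_alert(cert, now, already_sent=()):
    """Return (threshold, days_left) to send now, or None. Threshold 0 = expired."""
    days_left = (parse(cert["notAfter"]) - now).days
    crossed = [0] if days_left < 0 else [t for t in thresholds_for(cert) if days_left <= t]
    if not crossed or min(crossed) in already_sent:
        return None   # nothing crossed yet, or the tightest band was already alerted
    return min(crossed), days_left

def plan(inventory, now, sent=None):
    """Alerts due now as (name, threshold, days_left, recipients), nearest deadline first."""
    sent = sent or {}
    rows = []
    for cert in inventory:
        hit = due_alert(cert, now, sent.get(cert["name"], ()))
        if hit:
            rows.append((cert["name"], hit[0], hit[1], cert["recipients"]))
    return sorted(rows, key=lambda r: r[2])

# Constructed sample inventory (hypothetical hosts and named recipients).
INVENTORY = [
    {"name": "api.example.test", "critical": True, "recipients": ["primary@example.test", "backup@example.test"],
     "notBefore": "Oct  1 00:00:00 2029 GMT", "notAfter": "Apr 19 00:00:00 2030 GMT"},
    {"name": "sso.example.test", "critical": True, "recipients": ["idp-owner@example.test"],
     "notBefore": "Feb  1 00:00:00 2030 GMT", "notAfter": "Mar 20 00:00:00 2030 GMT"},
    {"name": "mail.example.test", "critical": True, "recipients": ["mail-owner@example.test"],
     "notBefore": "Feb 20 00:00:00 2030 GMT", "notAfter": "Apr  8 00:00:00 2030 GMT"},
    {"name": "legacy.example.test", "critical": False, "recipients": ["primary@example.test"],
     "notBefore": "Aug  9 00:00:00 2029 GMT", "notAfter": "Feb 25 00:00:00 2030 GMT"},
]
NOW = datetime(2030, 3, 1, tzinfo=timezone.utc)   # fixed clock so the result is repeatable
```

With a live clock, `plan(INVENTORY, datetime.now(timezone.utc), sent)` would run on a schedule, with `sent` persisted between runs so each threshold alerts once per certificate.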

Does CertControl support ACME automation?

Yes, in two modes. As an ACME client (Business plan), CertControl requests certificates from Let's Encrypt automatically — HTTP-01 and DNS-01 handled, private keys encrypted with AES-256-GCM. As an ACME Server (RFC 8555, Scale plan), your internal Linux and Windows servers run certbot, acme.sh, or Posh-ACME pointing to CertControl — zero-touch renewal including automatic certificate installation on the server.

Does CertControl monitor internal certificates?

Yes. The CertControl agent scans internal networks behind a firewall and includes internal certificates in the combined expiry monitoring and alerting. AD, mail, intranets, and CI/CD systems are monitored on exactly the same terms as internet-facing endpoints.
