Certificate health

Our certificate monitoring is quite complete. We cover the following items.

Check frequency

These checks run every 5 minutes on each of your sites. We want to notify you as soon as possible if there's an issue, which is why we believe we should monitor as often as possible.

Certificate expirations

Naturally, one of the first things we verify is the certificate expiration date. If the certificate is due to expire within 14 days, you will be notified daily. When you're using a Let's Encrypt certificate we'll start notifing you daily if it will expire within 7 days.

We don't just monitor your domain's certificate: we verify all your intermediate certificates, too. If there's a problem with any of them, you'll know.

Certificate change reporting

If we detect a changed certificate on the site we are monitoring, you will be reported with a clean diff of the before & after state. This way, you can verify that all domains that were previously covered by the certificate are still present.

Additionally, you'll be presented with every changed field in the certificate.

Certificate chain validation

A chain is only as strong as its weakest link, SSL Certificates are the prime example. SSL/TLS certificates are made up of "links" of certificates, or chains. If you order a certificate at Globalsign or GoDaddy, they will provide you a certificate that was signed by their provider.

This path can be 2 to 5 links deep, where each provider receives their certificates from another trusted party. At the very top are root certificates. These are certificates that come pre-installed on your server, laptop or desktop. These are the certificates your computer will trust. Because there's a chain of certificates linking your (domain) certificates to the pre-trusted root, a computer will trust your specific certificate.

For instance, on this ohdear.app website, there's a chain of 3 certificates: our domain certificate, linking to the Let's Encrypt X3 intermediate, which links back to the DST Root CA X3 certificate.

Oh Dear! certificate chain

Because not all intermediates are trusted automatically, it's important your server configuration also contains the intermediate certificates that will be sent back to the browser. On older devices, you might otherwise get SSL/TLS errors about untrusted certificates.

Oh Dear doesn't just monitor your domain's certificate but will check every intermediate certificate too, up to the root certificate, to verify the chain of trust.

We look for SHA-1 certificates, revoked intermediates, distrusted root certificates, ... each of those problems can cause your site to be unavailable. And none of those changes are in your control, these decisions get made by the Certificate Authorities (CAs) or the browsers themselves, coordinated via the CAB Forum.

Miscellaneous checks

Additionally, we will also notify you of;

  • self-signed certificates
  • certificates that don't cover the domain name you're monitoring
  • certificates that aren't active yet (with a Not Valid Before date in the future)