SSL Cert Expiry Tracker

Saved hostnames probed over TLS to read leaf cert subject, issuer, validity window and SAN list.

Overview

The SSL cert expiry tracker keeps a watchlist of hostnames and probes each one over TLS to read its leaf certificate — subject, issuer, validity window, and Subject Alternative Names. Run the check on demand and the tracker surfaces certificates that expire soon, certs issued by an unexpected CA, and SANs that no longer cover the right hostnames.

DevOps engineers preventing a 3am page from an expired cert, SRE teams auditing a fleet of public endpoints, and security staff watching for CA changes all need a manual TLS expiry watchlist.

How it works

When you probe a hostname, the tracker opens a TLS connection on the configured port (default 443), completes enough of the handshake to receive the server's certificate chain, and extracts the leaf certificate's metadata. Subject and SAN reveal which hostnames the cert covers. Issuer identifies the CA. NotBefore and NotAfter define the validity window. Public-trust CA/B Forum rules cap certificate lifetimes — currently 398 days — so renewals come around at least annually.

The watchlist is persistent: hostnames are saved, manual probes update the snapshot, and the dashboard highlights any cert within 30 days of expiry. Nothing is automated: checks run only when you click them, so a forgotten domain stays unchecked until you ask.
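The probe-and-flag logic described above, sketched in Python as an added example (not the tracker's own code). The names `probe`, `san_matches` and `evaluate`, the finding labels and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def probe(host, port=443, timeout=5.0):
    """Return the leaf certificate as the dict produced by getpeercert()."""
    ctx = ssl.create_default_context()
    # Chain validation stays on (getpeercert() returns {} under CERT_NONE), so an
    # expired or untrusted cert raises ssl.SSLCertVerificationError: record that.
    ctx.check_hostname = False  # still return a wrong-name cert for evaluate()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:  # sends SNI
            return tls.getpeercert()

def san_matches(pattern, host):
    """Exact match, or '*' standing for exactly one leftmost label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and (p[0] == h[0] or (p[0] == "*" and len(p) > 2))

def evaluate(cert, host, expected_issuer_orgs, now=None, warn_days=30):
    """Flag expiry, issuer and SAN problems in a getpeercert()-style dict."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (not_after - now).days
    issuer_org = dict(kv for rdn in cert["issuer"] for kv in rdn).get("organizationName")
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    findings = []
    if days_left < 0:
        findings.append("expired")
    elif days_left <= warn_days:
        findings.append("expires_soon")
    if issuer_org not in expected_issuer_orgs:
        findings.append("unexpected_issuer")
    if not any(san_matches(s, host) for s in sans):
        findings.append("san_mismatch")
    return {"days_left": days_left, "issuer_org": issuer_org, "findings": findings}

# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "notAfter": "Jun 15 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo

if __name__ == "__main__":
    print(evaluate(SAMPLE_CERT, "api.example.com", {"DigiCert Inc"}, now=NOW))
```

Passing the result of `probe("your-host")` to `evaluate` gives the same report for a live endpoint; the fixed `NOW` only keeps the sample output stable.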

Examples

  • example.com:443 → subject CN=example.com, issuer Let's Encrypt R3, valid 90 days, SANs include www.example.com.
  • api.example.com:443 → cert issued by DigiCert with a one-year validity, SANs cover only api.example.com.
  • mail.example.com:993 (IMAPS) — yes, the tracker works on any TLS-listening port, not just HTTPS.
  • A check that returns a certificate for a different hostname suggests a misconfigured TLS server (SNI fallback to the default cert).

FAQ

Does the tracker send alerts when a cert is about to expire?

It surfaces expiring certs in the dashboard but does not push notifications. Run the probe whenever you want a fresh status, or build your own scheduled job on top.

Why does the probe show a different cert than my browser does?

The probe sends SNI for the hostname you list. If your server's default cert differs from the cert it serves for a specific SNI value, that is a server configuration to investigate.

Can it probe non-HTTPS TLS endpoints?

Yes — SMTP STARTTLS, IMAPS, LDAPS, anything that completes a TLS handshake. Specify the port and the protocol-specific STARTTLS handshake is handled where supported.

How is the certificate data stored?

The hostname list and the latest probe snapshot are persisted in the app database. Private keys are never transmitted or stored — only the public certificate metadata.
