Catch expiring SSL certificates 15 days before they expire
Daily checks validate the full chain from leaf to root, surface TLS and cipher details, and warn you 15 days before a certificate expires.
What every daily check inspects
Each daily SSL/TLS check runs the full certificate through the same set of validations, so a problem is caught before the certificate expires or fails.
An expiring certificate is flagged weeks ahead; any other failed check is surfaced on the next daily run, with the same detail in your periodic SSL report.
SSL analysis grades every part of your certificate
Each daily check validates the chain, expiry, TLS protocol, cipher, and signature, and flags anything worth attention, such as a certificate without an OCSP responder endpoint.
OCSP responder is not configured
Certificate chain is valid
TLS protocol version: TLS 1.3
Cipher strength: 256 bits
Certificate expires in 33 days
How WebPixie watches your SSL
WebPixie validates every monitored SSL certificate daily. Each check verifies the full chain from leaf to intermediate to root and performs cryptographic signature verification for RSA and EC/ECDSA. It also resolves your domain to every IP it points to and checks that each one serves the same, working certificate, so a mismatch behind a load balancer is surfaced. To spot unauthorized issuance, the Certificates Manager (included when SSL monitoring is on) lists the certificates seen for your domain in public Certificate Transparency logs.
The check surfaces the TLS version, cipher suite, key strength, Subject Alternative Names, and OCSP and CRL endpoints. When a certificate approaches renewal, an alert fires 15 days before expiration by default, and the warning window is configurable per certificate.
There is nothing to install. WebPixie reads the certificate directly during the TLS handshake from its monitoring servers. As soon as you add your domain, daily SSL checks begin.
Get 15 days of notice before a certificate expires
Daily checks with a configurable warning window
Expired SSL certificates trigger browser security warnings that block customers from your site. WebPixie sends expiry warnings 15 days before expiration by default, configurable per certificate. Daily revalidation also catches the case where auto-renewal fails silently and the certificate moves toward expiry anyway.
Validate the full certificate chain
Leaf to intermediate to root, with cryptographic verification
A certificate with a valid expiry date can still fail validation if intermediates are missing or signatures are mismatched. WebPixie validates the complete chain on every daily check, with cryptographic signature verification for both RSA and EC/ECDSA. SAN extraction covers wildcard and multi-domain certificates. And because the same domain can resolve to several IPs, WebPixie checks the certificate on each one against the first as a reference, so an IP serving a different or non-working certificate is flagged.
See every certificate issued for your domain
Certificate Transparency logs, in the Certificates Manager
Certificate Transparency logs record every certificate issued by every public CA. The Certificates Manager, included when SSL monitoring is on, periodically queries CT logs for each monitored domain and lists the certificates it finds, so you can review which certificates exist for your domain and spot mistaken issuance, a compromised CA, or an outright unauthorized certificate. CT data is shown for review; alerts come from SSL check failures and expiration.
Monitor TLS configuration and cipher strength
Versions, suites, key exchange, key strength
A valid certificate does not guarantee a secure connection. WebPixie reports the TLS version negotiated, the cipher suite in use, the key exchange algorithm, and the key strength for every monitored endpoint. If your server still accepts TLS 1.0 or weak cipher suites, the report surfaces it.
Set up SSL monitoring in 60 seconds
Free plan, no credit card. Daily SSL checks on every plan.
Everything you need to monitor a website. In one workspace.
A quick look at other WebPixie features.
Why teams choose WebPixie for SSL
Set up in 60 seconds
No agent to install and no access to your server needed. Enter a domain and daily SSL checks start running from WebPixie’s monitoring servers.
Your whole site in one workspace
SSL monitoring sits next to uptime, DNS, domain, and link health in one dashboard. Scored technical checks such as domain, DNS, SSL, headers, and indexability roll into your WebPixie Site Score.
Alerts that reach your team
Route expiry and certificate-check alerts to email, Slack, and webhook, so an expiry date never catches the team by surprise.
Frequently Asked Questions
Common questions about SSL monitoring.
Yes, WebPixie tracks SSL certificate status, expiration, trust chain, and TLS configuration for monitored sites. SSL monitoring runs daily checks that validate the full certificate chain from leaf to intermediate to root, verify cryptographic signatures, and inspect TLS version, cipher suite, key exchange, and key strength. WebPixie also surfaces Subject Alternative Names, OCSP and CRL endpoints, and Extended Key Usage OIDs; Certificate Transparency entries are available in the Certificates Manager. Expiration alerts are sent by default 15 days before a certificate expires, giving your team time to renew before visitors see browser warnings. SSL check failures and expiration events can create tracked incidents through incident management, depending on your plan. If you manage several domains or subdomains, use the Certificates Manager to keep certificate health centralized.
Yes, WebPixie checks SSL certificates daily and sends expiration warnings by default 15 days before renewal is due. SSL monitoring reads the certificate chain, verifies trust, checks the expiration date, and surfaces details such as issuer, subject names, TLS version, cipher suite, and OCSP and CRL endpoints. Early warning matters because an expired certificate can trigger browser security warnings, block customer trust, and make checkout, login, or form submission feel unsafe. If a certificate check fails or expiration reaches an alert threshold, WebPixie can notify your team and, on supported plans, create an incident through incident management. Teams with several domains or subdomains can use the Certificates Manager to keep certificate status visible in one place.
WebPixie surfaces certificate validity, chain trust, expiration, TLS configuration, and ownership details for each monitored site. SSL monitoring extracts the full certificate chain from leaf to intermediate to root, then verifies cryptographic signatures for RSA and EC/ECDSA certificates. It also reports TLS version, cipher suite, key exchange, key strength, Subject Alternative Names, OCSP and CRL endpoints, and Extended Key Usage OIDs. Expiration tracking is included, with default warnings 15 days before a certificate expires so teams have time to renew. SSL check failures and expiration events can create incidents through incident management, depending on your plan. Teams managing several domains can use the Certificates Manager to keep certificate status centralized across domains and subdomains.
No. WebPixie monitors SSL certificates; it does not issue or renew them. Renewal stays with your certificate authority, such as Let’s Encrypt, your hosting provider, or another CA. The recommended workflow is automatic renewal at your CA paired with SSL monitoring to confirm the renewal actually happened. Daily revalidation catches the common failure where a Let’s Encrypt auto-renewal breaks silently and the original certificate keeps moving toward expiry. WebPixie sends an expiry warning 15 days before expiry by default, and a failed check can open a tracked incident through incident management on supported plans. Teams managing many certificates can keep status centralized in the Certificates Manager.
Yes. WebPixie monitors both wildcard certificates, which cover *.example.com, and SAN certificates, which cover several specific domains under one certificate. On every daily check, SSL monitoring extracts the Subject Alternative Names and validates that each covered domain matches the certificate’s claims, alongside full chain validation and expiry tracking. This is useful for teams running many subdomains under a single wildcard or multi-brand certificates that list several domains. If you manage several certificates across domains and subdomains, the Certificates Manager keeps their status in one place, and a failed check can open a tracked incident through incident management on supported plans.
Certificate Transparency (CT) is a set of public logs that record every SSL certificate issued by participating certificate authorities, so anyone can audit which certificates exist for a domain. The Certificates Manager, included when SSL monitoring is on, periodically queries CT logs and lists the certificates it finds for each monitored domain, so you can review which certificates have been issued and spot an entry you did not expect, such as a mistaken or unauthorized one. This matters because an attacker who obtains a valid certificate for your domain can impersonate your site convincingly. CT data is shown for review and is not an alert source on its own; WebPixie alerts come from SSL check failures and expiration. The per-site chain and expiry checks live in SSL monitoring.
Ready to watch your certificates?
Free plan, no credit card. Daily checks with 15-day expiry warnings.