SSL/TLS Certificates Monitoring

Track the health, validity, and security posture of SSL/TLS certificates across all internet-facing services. Cloudmon checks certificate expiry, trust chain integrity, revocation status, cipher strength, and known vulnerabilities, with alerts before certificates expire or security issues are detected.

Overview

SSL/TLS Certificate monitoring in Cloudmon actively checks your certificates at configured intervals and gives you a detailed view of their security posture, not just whether they are expired. An expired certificate causes immediate browser errors and breaks HTTPS connections for all users. But weak ciphers, untrusted chains, revoked certificates, and known vulnerabilities like POODLE or BEAST can all create security risks without causing obvious errors, making active monitoring essential for compliance-conscious environments.

Cloudmon grades each certificate from A+ to F based on its overall security configuration, giving your team an at-a-glance security posture view across all monitored services. Certificates approaching expiry are highlighted in the dashboard by expiry band, so you can prioritise renewals before service disruptions occur.

Configuration

Navigate to Synthetic → Web SSL/TLS Certificates and click the Add button. Fill in the fields as follows:

Field: Description
Probe: The probe or agent that will perform the certificate check from a specific network location.
Name: A display name for this certificate monitor, such as "Production Login Portal" or "Payment Gateway API".
Host and Port: The HTTPS hostname of the target server and the port to connect to. The default port is 443. For services running on non-standard ports such as 8443, enter the custom port.
Timeout: Maximum wait time in seconds before the check is marked as failed. Default is 10 seconds.
Interval: How often Cloudmon checks the certificate. The default is 1 Day, which is appropriate for expiry and validity tracking.
Alarm Rule: Select an alarm rule to trigger notifications when certificate issues are detected, such as expiry within a defined number of days or a grade falling below a threshold.
Depends On: Link to an upstream dependency monitor. If the dependency is down, alerts from this certificate monitor are suppressed to prevent cascading alarm noise.
Groups and Tags: Assign to logical groups and add custom labels for organized filtering and management across large certificate estates.

Click Save. Cloudmon performs the first certificate check immediately and displays results in the SSL/TLS Certificates dashboard.

What Cloudmon Monitors

The dashboard groups certificates into expiry bands covering certificates expiring after 90 days, within 30 to 90 days, within 7 to 30 days, within 7 days, and expired. A security grade chart breaks down all monitored certificates by grade from A+ to F, giving an immediate view of your overall certificate security posture.

Each certificate's detail page provides a full breakdown. The Overview shows the grade, trust status, revocation status, whether the certificate is on a blocklist, and the number of days remaining until expiry. The certificate chain is visualised showing each certificate from the server certificate through intermediates to the root CA, with expiry dates for each.

The Vulnerability tab runs a comprehensive security assessment across three categories. Protocol and Cipher checks cover weak protocol support, weak cipher suites, RC4 usage, CBC mode weaknesses, AEAD cipher support, forward secrecy, and SWEET32. Vulnerability checks cover BEAST, POODLE, ROBOT, and FREAK attacks. Certificate Issues checks cover self-signed certificates, common name mismatches, trust chain issues, revocation, blocklist status, key length, and signature algorithm. Each check shows a pass or warning result with a summary count of findings by severity.

Alarms

Each alarm is built around a simple IF/THEN model, where you select a metric, set a threshold, and define what happens when it is breached.

Troubleshooting

Issue: What to check
Monitor shows Down immediately after being added: Confirm the probe can reach the target host on port 443 (or the configured custom port). Check that the hostname resolves correctly from the probe and that no firewall is blocking outbound HTTPS from the probe to that host. Test by opening the URL in a browser from the probe's network location.
Certificate grade is lower than expected: Open the Vulnerability tab in the certificate monitor detail page to identify the specific checks that are failing. Common causes of a low grade include weak cipher suites still enabled on the web server, missing forward secrecy support, or support for deprecated protocols like TLS 1.0 or TLS 1.1 that have not been disabled.
Certificate chain shows as untrusted: Check whether the intermediate certificate is correctly installed on the web server. A server that sends only the leaf certificate without the full chain will cause trust failures for clients that do not have the intermediate cached. Verify the chain using the certificate chain panel in the monitor overview.
Self-signed certificate monitor keeps alerting: Self-signed certificates are flagged in the Certificate Issues section of the Vulnerability tab and will always show a warning for trust status. If this is an internal service where a self-signed certificate is intentional, ensure the alarm rule threshold is set appropriately so only expiry and revocation checks generate alerts rather than the trust status check.
Expiry alert not firing even though certificate is near expiry: Verify that an alarm rule is assigned to the certificate monitor and that the trigger is configured with a validity threshold (days remaining) rather than a binary expiry check. The alarm rule must be set to fire when validity days fall below the desired warning period, for example 30 days.
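
The following is an added example, not Cloudmon's own code: an independent cross-check of the dashboard's expiry bands and of the difference between a validity-threshold trigger and a binary expiry check described in the last troubleshooting row. The function names, the constructed sample certificate, and the handling of boundary days are assumptions; the port and timeout defaults mirror the ones stated in the Configuration section.

```python
import socket
import ssl
from datetime import datetime, timezone

# Bands as described for the dashboard. Assumption: a boundary day (7, 30, 90)
# counts toward the nearer-expiry band; the page does not state this.
BANDS = [(7, "within 7 days"), (30, "7 to 30 days"), (90, "30 to 90 days")]

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {"subject": ((("commonName", "login.example.test"),),),
               "notAfter": "Jun 30 12:00:00 2025 GMT"}
SAMPLE_NOW = datetime(2025, 6, 10, 12, 0, 0, tzinfo=timezone.utc)


def fetch_cert(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Fetch the leaf certificate over TLS (needs network access).
    The default context validates the chain and hostname, so an expired or
    untrusted certificate raises ssl.SSLCertVerificationError instead."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_remaining(cert: dict, now: datetime) -> int:
    """Whole days until notAfter; negative once the certificate has expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((not_after - now.timestamp()) // 86400)


def expiry_band(days: int) -> str:
    if days < 0:
        return "expired"
    for limit, label in BANDS:
        if days <= limit:
            return label
    return "after 90 days"


def report(cert: dict, now: datetime, warn_days: int = 30) -> dict:
    days = days_remaining(cert, now)
    return {"days": days, "band": expiry_band(days),
            "threshold_alarm": days < warn_days,  # validity-threshold trigger
            "binary_expired": days < 0}           # binary check: silent until expiry


if __name__ == "__main__":
    print(report(SAMPLE_CERT, SAMPLE_NOW))
```

For the sample, the threshold trigger fires at 20 days remaining while the binary check stays silent, which is the situation the troubleshooting row describes.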