SSL and TLS Certificate Expiry Monitoring for IT Teams

An expired SSL certificate can take down your website, break your VPN, kill email delivery, and trigger browser security warnings that erode customer trust. Despite this, certificate expiry remains one of the most common causes of preventable IT outages because most teams track renewals in spreadsheets or rely on manual calendar reminders.

Where Certificates Hide

The first challenge is knowing what certificates you have and where they are. Most organizations have certificates in more places than they realize:

• Web servers - Apache, Nginx, IIS SSL bindings
• Load balancers - AWS ALB, GCP HTTPS LB, Azure Application Gateway
• VPN appliances - OpenVPN, WireGuard, Cisco AnyConnect certificates
• Email servers - SMTP TLS, Exchange server certificates
• Internal CAs - Active Directory Certificate Services, intermediate CAs
• API endpoints - microservices communicating over mTLS
• Code signing - application and driver signing certificates
• Workstation certificates - 802.1X network authentication

Monitoring with OpenSSL

For a quick check of any public-facing certificate:

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

To build a simple monitoring script that checks multiple domains:

#!/bin/bash
DOMAINS="example.com api.example.com mail.example.com vpn.example.com"
WARN_DAYS=30

for domain in $DOMAINS; do
    expiry=$(echo | openssl s_client -servername $domain -connect $domain:443 2>/dev/null \
        | openssl x509 -noout -enddate | cut -d= -f2)
    expiry_epoch=$(date -d "$expiry" +%s)
    now_epoch=$(date +%s)
    days_left=$(( (expiry_epoch - now_epoch) / 86400 ))

    if [ $days_left -lt $WARN_DAYS ]; then
        echo "WARNING: $domain expires in $days_left days ($expiry)"
    else
        echo "OK: $domain - $days_left days remaining"
    fi
done

PowerShell for Windows Environments

Check certificates on Windows machines and IIS bindings:

# Check local machine certificate store
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.NotAfter -lt (Get-Date).AddDays(30)
} | Select-Object Subject, NotAfter, Thumbprint

# Check IIS HTTPS bindings
Get-WebBinding -Protocol https | ForEach-Object {
    $cert = Get-ChildItem "Cert:\LocalMachine\My\$($_.certificateHash)"
    [PSCustomObject]@{
        Site = $_.ItemXPath.Split("'")[1]
        Expiry = $cert.NotAfter
        DaysLeft = ($cert.NotAfter - (Get-Date)).Days
        Subject = $cert.Subject
    }
}

Automated Renewal with ACME

For certificates from Let's Encrypt or other ACME-compatible CAs, automated renewal eliminates the monitoring problem entirely:

• Certbot - the standard ACME client for Linux servers
• win-acme - ACME client for Windows Server and IIS
• cert-manager - Kubernetes-native certificate management
• Caddy - web server with built-in automatic HTTPS

Set up a cron job or scheduled task to run the renewal daily. ACME clients only renew when the certificate is within 30 days of expiry, so daily runs are safe and ensure you never miss a renewal window.

# Certbot auto-renewal (runs daily via cron)
0 3 * * * certbot renew --quiet --post-hook "systemctl reload nginx"

Internal Certificate Monitoring

Internal certificates from Active Directory Certificate Services are harder to track because they do not appear in public certificate transparency logs. Monitor them by querying the CA directly:

# Query AD CS for certificates expiring within 30 days
certutil -view -restrict "NotAfter<=03/21/2026,Disposition=20" -out "RequesterName,NotAfter,CertificateTemplate"

Building a Certificate Inventory

A certificate inventory should track at minimum:

1. Domain or common name - what the certificate protects
2. Issuing CA - who issued it (Let's Encrypt, DigiCert, internal CA)
3. Expiry date - when it needs renewal
4. Location - which server, load balancer, or appliance holds it
5. Renewal method - automated (ACME) or manual
6. Owner - who is responsible for renewal

Store this in your CMDB, a dedicated tool like Keychest, or even a simple spreadsheet that gets reviewed weekly. The key is having a single source of truth that someone actively monitors.

When AI Takes Over Certificate Management

AI-powered IT tools can automate the entire certificate lifecycle: discover all certificates across your infrastructure, monitor expiry dates, trigger renewal workflows, deploy updated certificates, and verify the deployment. This removes human error from a process where a single oversight causes an outage.