An SSL certificate that expires in production is rarely a surprise to nobody. Someone, somewhere, got an email reminder a month ago - and missed it. The trick is not setting up alerts. It is setting up alerts that actually get noticed. Here is how to do it.
First, see what you are working with
Before you set up alerts, check your current certificate. Type your domain below and our free scanner shows its expiry date, issuer, and whether it is trusted. Results open in a new tab.
Why default alerts fail
Most teams rely on the email reminder their certificate authority sends. That email goes to one person, often someone who left the company. By the time anyone notices, the certificate has been down for half a day.
Good alerting works like a smoke detector at home: loud, in a place people are, and not connected to one person’s inbox.
The three channels that work
1. Email - to a team alias, not a person
Email still works, but the recipient matters. Send to a team alias (alerts@yourcompany.com, ops@…) that multiple people read, not to a single engineer.
Why: people leave, change roles, go on vacation. The alias stays.
2. Slack - for ambient awareness
A dedicated #alerts-tls channel keeps certificate warnings visible during normal work hours. Engineers see them, ack them, and act before anything breaks.
Why: Slack is where teams already live. Alerts in Slack get acted on within minutes, not hours.
3. Webhooks - for on-call paging
Wire the webhook into your incident tool - PagerDuty, Opsgenie, your own internal queue. Use this for the “3 days left” and “1 day left” thresholds, when the situation deserves a real page.
Why: when the certificate is hours from expiry, you do not want it sitting in someone’s inbox. You want it ringing a phone.
Layer thresholds so each alert means something
Sending the same alert five times is noise. People silence noise. Use thresholds that match urgency:
- 30 days before expiry → email + Slack. Plenty of time to plan a renewal. Ambient.
- 14 days → Slack. Reminder to actually do the work.
- 7 days → Slack + on-call ping. Renewal should be done already. If not, do it today.
- 3 days → on-call page. Something is wrong if you got here.
- 1 day → on-call page, repeat. Emergency.
By spacing alerts like this, each one carries a clear meaning. The 30-day email is calm. The 1-day page is loud. People learn what to do at each step.
What about alerts beyond expiry?
Expiry is the most common failure mode but not the only one. Good monitoring also alerts you to:
- Certificate replaced unexpectedly (could be a misissue or an attack).
- Hostname coverage shrunk (new subdomain forgotten).
- Chain broken after a server upgrade.
- TLS protocol downgraded by a load balancer change.
These changes do not have an expiry date. They happen, silently, after a deploy. Set up monitoring that watches for any change, not just the calendar.
Quick start with TLS Radar
You can wire up email aliases, Slack, webhooks, and five threshold tiers by hand. Or you can skip the part where you find out it was misconfigured the night your certificate expires, your checkout page goes dark, and the support tickets start rolling in. Every alert you do not set up today is a 3am page you will wish you had. The good news: this takes minutes, not an evening.
TLS Radar handles all three channels and the thresholds above out of the box. Add a domain, choose your channels, and you are done.
Set it up once, never get caught again
TLS Radar watches every certificate across your domains and alerts your whole team, on every channel, weeks before anything expires or breaks. Stop relying on a reminder one person will miss.
Related reading
Get the next post in your inbox
TLS monitoring tips and product updates. No spam, unsubscribe anytime.
Keep reading
How to Prevent SSL Certificate Expiration Downtime
DigiCert CertCentral Alternatives: An Honest Comparison
The True Cost of a TLS Outage (And Why Calendars Won't Save You)
Related guides
-
What Is SSL/TLS Certificate Monitoring? A Complete Guide
A plain-English definition of SSL/TLS certificate monitoring, what it catches beyond expiry, and why shorter certificate lifespans are making it essential.
-
HTTPS Not Working? A Plain-English Troubleshooting Guide
Why HTTPS suddenly stops working and how to diagnose it in under 10 minutes.