Reading SSL certificate expiry before it reads you
Expired TLS certificates cause sudden, total outages. Here is how certificate expiry monitoring works and why it deserves its own alert.
An expired TLS certificate is one of the few failures that takes a site from fully working to fully broken in a single second, with no warning in your application logs.
Why expiry slips through
Certificates are often issued once and forgotten. The team that set them up may have moved on, the renewal reminder may go to an unmonitored inbox, and automated renewal can fail silently.
Monitoring the expiry date
A certificate check reads the notAfter date from the served certificate and
counts down. The useful signal is not "expired" — by then it is too late — but
"expires in N days", giving you a window to act.
A sensible threshold
Alerting at 14 days before expiry gives most teams enough runway to renew without the warning becoming background noise.