Sign in Get started
← Blog

Stop finding out about expired certificates from your users

By Nightlamp

monitoringtlscertificatesreliabilityapp care

An expired TLS certificate is one of the most preventable outages there is — the expiry date is known months in advance — yet it still takes sites down, because nobody set up a separate certificate monitor. And most uptime tools only tell you once the handshake already fails: a 2 a.m. page, after your customers have already hit the error page.

Nightlamp now closes that gap automatically. Any HTTPS monitor you already run also inspects the certificate it is already shaking hands with, and flags problems before they become an incident.

How do I get alerted before my TLS certificate expires?

If you run an HTTPS uptime monitor in Nightlamp, you already are. Every http_status and http_keyword monitor pointed at an https:// URL now also reads the certificate it connects to and gives you a heads-up well before it lapses — on a warning window you control (14 days by default). There is no separate certificate monitor to create and nothing new to configure.

What does certificate hygiene actually check?

Four things, on every HTTPS monitor:

  • Expiry — a heads-up a configurable number of days before the certificate lapses.
  • Chain & hostname validity — catches a misconfigured, incomplete, or mismatched certificate that browsers will reject.
  • Weak keys — flags RSA keys below 2048 bits or EC keys below 256 bits.
  • Outdated TLS — flags any endpoint negotiating below TLS 1.2.

Will it page me at 2 a.m.?

No. Certificate hygiene is deliberately a non-paging heads-up, not a critical alert. It never flips your monitor’s up/down status and never wakes you. You get a clear, medium-severity notice with plenty of runway to act — the opposite of the after-the-fact expiry page. And because Nightlamp keeps a single open heads-up per monitor, you won’t get an alert storm.

How is this different from normal uptime monitoring?

An uptime check tells you the page responded. It says nothing about why it will stop responding next month. Certificate hygiene rides the TLS handshake your monitor already performs, on a low cadence, so the certificate problem you used to find out about from an angry customer, you now see coming — for free, with no extra setup and no added probe load.

How do I turn it on (or off)?

It’s on by default for HTTPS monitors. To see it, open any HTTPS monitor’s detail page and look for the Certificate hygiene panel; the monitor list shows a small flag when something needs attention. If you’d rather not have it on a particular monitor, switch off the certificate-hygiene toggle in that monitor’s settings.

Try it right now, without signing in

Want to check a host this minute? Use the free TLS certificate checker — paste a hostname and get its expiry, chain trust, key strength, and TLS version instantly. No account, no email wall. When you’re ready to have it watched continuously, that’s exactly what Nightlamp does.