Certificate hygiene
Every HTTPS monitor you run now also watches its TLS certificate — expiry, chain and hostname validity, weak keys, and outdated TLS — and flags problems before they cause an outage. There's nothing new to set up: it rides on the check you already have.
What it is
Any http_status or http_keyword monitor pointed at an https:// URL already completes a TLS handshake to reach your endpoint. Certificate hygiene reads the certificate from that handshake and turns it into a small set of health signals — so the expired or misconfigured cert you used to find out about from an angry customer, you now see coming. It is on by default for HTTPS monitors and requires no extra configuration.
The four signals
Expiry
A heads-up a configurable number of days before the certificate lapses. The window reuses your monitor's ssl_warn_days setting (default 14 days).
Chain & hostname validity
Catches a certificate whose chain is incomplete or not anchored to a trusted root, or that is served for the wrong hostname — the kinds of misconfiguration that make browsers throw a security warning.
Weak keys
Flags RSA keys below 2048 bits and elliptic-curve (EC) keys below 256 bits — keys that pass today but fail a modern security review.
Outdated TLS
Flags any endpoint that negotiates a version below TLS 1.2. Older TLS versions are deprecated and increasingly refused by clients.
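The four signals can be reproduced from a single handshake. The sketch below is an added example, not Nightlamp's own code: the function names, the reading dictionary and the signal labels are assumptions, and only the thresholds (14 days, RSA 2048, EC 256, TLS 1.2) come from this page.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

MIN_KEY_BITS = {"RSA": 2048, "EC": 256}  # thresholds stated on this page
TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def evaluate(reading, now, warn_days=14):
    """Return which of the four signals a reading trips (labels are assumptions)."""
    found = []
    not_after = reading.get("not_after")
    if not_after is not None and not_after - now <= timedelta(days=warn_days):
        found.append("expiry")
    if reading.get("verify_error"):  # chain or hostname validation failed
        found.append("chain_hostname")
    floor = MIN_KEY_BITS.get(reading.get("key_type"))
    bits = reading.get("key_bits")
    if floor is not None and bits is not None and bits < floor:
        found.append("weak_key")
    version = reading.get("tls_version")
    if version in TLS_ORDER and TLS_ORDER.index(version) < TLS_ORDER.index("TLSv1.2"):
        found.append("outdated_tls")
    return found

def collect(host, port=443, timeout=5.0):
    """Read expiry, validation result and TLS version from one handshake.
    The stdlib ssl module does not expose key size; add key_type/key_bits
    from a certificate parser to feed the weak-key signal."""
    reading = {"not_after": None, "verify_error": None, "tls_version": None}
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                reading["tls_version"] = tls.version()
                reading["not_after"] = datetime.fromtimestamp(
                    ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    except ssl.SSLCertVerificationError as exc:
        reading["verify_error"] = exc.verify_message
    return reading

if __name__ == "__main__":
    # Constructed reading, not captured from a real endpoint.
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    sample = {"not_after": now + timedelta(days=10), "verify_error": None,
              "key_type": "RSA", "key_bits": 1024, "tls_version": "TLSv1.1"}
    print(evaluate(sample, now))
```

A certificate that has already expired fails verification in collect(), so it surfaces as a validation failure rather than an expiry warning. Recent Python versions may also refuse to negotiate below TLS 1.2 with the default context, in which case collect() raises ssl.SSLError instead of returning a version.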
How it behaves
Certificate hygiene runs on a low cadence — about every 12 hours — rather than on every probe, so it adds effectively no load and never slows your uptime checks.
It is a non-paging heads-up. A finding opens a medium-severity notice; it never flips your monitor's up/down status and never pages you. Nightlamp keeps a single open heads-up per monitor, so you won't get an alert storm from one lingering certificate issue.
Where to see it, and how to turn it off
Open any HTTPS monitor's detail page and look for the Certificate hygiene panel — it shows the latest reading for each signal. The monitor list shows a small flag when a certificate needs attention.
Prefer not to run it on a particular monitor? Switch off the certificate hygiene toggle in that monitor's settings. It's on by default for HTTPS monitors and has no effect on non-HTTPS checks.
What it does not do yet
Certificate hygiene reads only public certificate material, never a private key. It does not currently check OCSP/CRL revocation or Certificate Transparency log presence, and it does not enumerate every SAN on the certificate. Those are on the roadmap, not silent gaps.
Want to check a host right now, without signing in? Use the free TLS certificate checker — paste a hostname and get its expiry, chain trust, key strength, and TLS version instantly.