Skip to main content

Best Practices for SSL Certificate Expiration Monitoring

· 4 min read

First of all, I would like to wish all the students who see it a happy mid-autumn festival, good health, and try to get rich on the basis of good health.

Into the main topic, most of the sites now support HTTPS by default, we apply for the certificate is generally 3 months or 1 year, it is easy with the passage of time SSL certificate expired we did not find the first time, or in the expiration of the certificate did not update the certificate in a timely manner.

Today's article describes how to use hertzbeat monitoring system to detect the validity of our website's SSL certificate, when the certificate expires or a few days before the expiration of the certificate, send us an alert message.

What is HertzBeat?

HertzBeat is a real-time monitoring tool with powerful customizable monitoring capabilities without the need for an agent. Website monitoring, PING connectivity, port availability, database, OS, middleware, API monitoring, threshold alerts, alert notifications (email wechat pinning flybook).

Official website: |


Install HertzBeat

  1. If you don't want to install it, you can directly use the cloud service TanCloud

  2. The docker environment can be installed with a single command

docker run -d -p 1157:1157 --name hertzbeat apache/hertzbeat

  1. Installation success browser visit localhost:1157 to start, the default account password `admin/hertzbeat

Monitoring SSL Certificates

  1. Click Add SSL Certificate Monitor

System Page -> Monitor Menu -> SSL Certificates -> New SSL Certificate

  1. Configure monitoring website

Here is an example to monitor Baidu website, configure the host domain name, name, collection interval, etc. > Click OK.
Click OK. Note that ⚠️ will test the connectivity of the website before adding it by default, and it will add it only if the connection is successful, of course, you can also gray out the Whether to test button.

  1. Viewing Test Indicator Data

You can view the task status in the monitor list, and go into the monitor details to view the metrics data graphs etc.

  1. Set the threshold (triggered when the certificate expires)

System Page -> Alarms -> Alarm Thresholds -> Add Thresholds

Configure thresholds, select SSL certificate indicator object, configure alert expression - triggered when indicator expired is true, i.e. equals(expired, "true") , set alert level notification template message etc.

Associate thresholds with monitors, set which monitors this threshold should be applied to in the threshold list.

  1. set the threshold (triggered one week before certificate expiration)

Same as above, add a new configuration threshold, configure the alert expression - when the indicator validity timestamp end_timestamp, now() function for the current timestamp, if you configure to trigger the alert one week in advance i.e.: end_timestamp <= (now() + 604800000) , where 604800000 is the total time difference of 7 days. milliseconds.

Eventually you can see the triggered alarms in the alarm center.

  1. Alarm notification (timely notification via NailWeChatFlysheet, etc.)

Monitoring System -> Alert Notification -> Add Recipients

You can refer to the help file for the token configuration of Nail WeChat Flying Book, etc.

Alert Notification -> Add new alert notification policy -> Enable notification for the recipients you just configured

  1. OK When the threshold is triggered, we can receive the corresponding alarm message, if there is no notification, you can also view the alarm information in the alarm center.


The practice of monitoring SSL certificates here, of course, for hertzbeat this function is just the tip of the iceberg, if you think hertzbeat this open source project is good if you welcome to give us in the GitHub Gitee star oh, thank you very much. Thank you for your support. The author!