Certificate Monitoring
Add domains to monitor for SSL/TLS certificate expiry, changes, and health status.
Last updated 26 April 2026
What it does
The certificate monitoring feature tracks the SSL/TLS certificates for your domains. It probes each domain daily and alerts when:
- A certificate is approaching expiry (configurable thresholds: 30, 14, 7, 1 days)
- A certificate changes (issuer, subject, or fingerprint differs from the last probe)
How to use it
- Navigate to Certificates in the sidebar
- Click Add domain and enter the domain name (e.g. www.example.com)
- Edge immediately probes the domain and retrieves certificate details
- The detail page shows: issuer, certificate authority, signature algorithm, SANs, validity dates, SHA-256 fingerprint, min TLS version, and probe method
How probing works
Edge uses three strategies based on domain type:
- Blankitt domains (*.blankitt.com) — queries the Cloudflare zone SSL API for certificate packs. Never registered as custom hostnames.
- Customer domains — registered as Cloudflare SSL for SaaS custom hostnames. Cloudflare issues and manages the certificate; Edge reads the details from the Custom Hostname API.
- Fallback — queries the crt.sh Certificate Transparency API for publicly-logged certificates.
The probe runs daily at midnight UTC. You can also trigger a manual probe at any time from the certificate detail page.
Notification routing
Each certificate can have its own notification routing (email and/or webhook). Set these on the certificate detail page under "Notification routing". If not set, alerts fall back to the cert_expiry rule's routing, then to tenant defaults from Settings.
Status badges
| Status | Meaning |
|---|---|
| Valid (green) | Certificate is valid and expiry is > 30 days away |
| Expiring (amber) | Certificate expires within 30 days |
| Expired (red) | Certificate has expired |
| Pending (grey) | Domain added but not yet probed |
| Not found (amber) | Probe couldn't find a certificate (CDN-managed, private, or misspelled domain) |
Expiry alert thresholds
The cert_expiry detector checks probed certificates against configurable thresholds:
| Days remaining | Severity |
|---|---|
| <= 1 day | Critical |
| <= 7 days | Warning |
| <= 14 days | Info |
| <= 30 days | Info |
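
The sketch below is an added example, not Edge's own code: it applies the status-badge and severity tables, the issuer/subject/fingerprint change check, and the routing fallback order to one probe result. The record fields, function names, the `change` alert label, and the treatment of an expired certificate as Critical are assumptions; the sample probe is constructed.

```python
from datetime import datetime, timedelta, timezone

# Severity table from the page, tightest threshold first: (days, severity).
THRESHOLDS = [(1, "Critical"), (7, "Warning"), (14, "Info"), (30, "Info")]
TRACKED = ("issuer", "subject", "fingerprint")  # fields compared between probes

def status(probe, now):
    """Status badge; probe is None before the first probe (field names assumed)."""
    if probe is None:
        return "Pending"
    if probe.get("not_after") is None:
        return "Not found"
    remaining = probe["not_after"] - now
    if remaining <= timedelta(0):
        return "Expired"
    return "Expiring" if remaining <= timedelta(days=30) else "Valid"

def severity(remaining):
    """First matching threshold. Assumption: an expired cert also maps to Critical."""
    for days, level in THRESHOLDS:
        if remaining <= timedelta(days=days):
            return level
    return None  # more than 30 days left: no expiry alert

def changed_fields(previous, current):
    """Tracked fields that differ from the last probe; a first probe is not a change."""
    if previous is None:
        return []
    return [f for f in TRACKED if previous.get(f) != current.get(f)]

def evaluate(previous, current, now, cert_route=None, rule_route=None, tenant_route=None):
    """Alerts for one probe plus the routing chosen by the documented fallback order."""
    alerts = [{"type": "change", "field": f} for f in changed_fields(previous, current)]
    if current.get("not_after") is not None:
        level = severity(current["not_after"] - now)
        if level:
            alerts.append({"type": "cert_expiry", "severity": level})
    return {"status": status(current, now), "alerts": alerts,
            "routing": cert_route or rule_route or tenant_route}

# Constructed sample: certificate reissued (new fingerprint) with 6 days left.
NOW = datetime(2026, 4, 26, tzinfo=timezone.utc)
PREV = {"issuer": "CN=Example CA", "subject": "CN=www.example.com",
        "fingerprint": "constructed-old", "not_after": NOW + timedelta(days=6)}
CURR = dict(PREV, fingerprint="constructed-new")
RESULT = evaluate(PREV, CURR, NOW, rule_route={"email": "ops@example.com"},
                  tenant_route={"webhook": "https://hooks.example.com/tenant"})
```

With no per-certificate routing set, the constructed probe falls through to the rule's routing and raises both a change alert and a Warning expiry alert.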
Limitations
- Chain validation is not yet available. The probe retrieves individual certificates, not the full chain.
- Private certificates (self-signed or internal CA) cannot be monitored via CT logs. The SSL for SaaS strategy handles CDN-managed certificates that don't appear in CT logs.
- crt.sh rate limiting — Edge spaces fallback requests 250ms apart to avoid throttling.