Why expiration monitoring matters
Certificate expiry is the most preventable outage on the internet, yet it still takes down major sites every year. The typical failure story is always the same: the person who set up the certificate left, the renewal email went to a dead mailbox, and the first alert was customers reporting security warnings.
A sane renewal policy
- Automate: use ACME (Let's Encrypt, ZeroSSL or your CA's ACME endpoint) so certificates renew unattended
- Alert early: treat 30 days remaining as a warning and 14 days as an incident — automation should have renewed by then
- Check every endpoint: apex, www, API and mail hostnames often carry separate certificates with separate clocks
While you're at it, run the full SSL certificate installation check — expiration is only one of the ways certificates fail.