
TLS / SSL Certificate Monitoring

We follow the certificate transparency logs so that we can gain intelligence on all certificates issued for a specific domain. These are parsed in real time as they are issued and we can send notifications for new or expiring certificates.

Real-Time Certificate Transparency Monitoring

Certificate Transparency (CT) logs are public records of all SSL/TLS certificates issued by Certificate Authorities. ZoneWatcher monitors these logs in real time, providing you with immediate visibility into all certificates issued for your domains.

Unauthorized Certificates
Detect unauthorized certificate issuance that could indicate a security breach
Legitimate Tracking
Track legitimate certificates issued by your team or automated systems
Subdomain Discovery
Monitor subdomains you might have forgotten about
Third Party Vendors
Keep an eye on certificates issued to third-party partners like support software under your domain

Certificate Expiration Alerts

Problem

Expired SSL certificates cause website outages, browser security warnings, and erode user trust. ACME clients like certbot typically renew around 30 days before expiry, but if the renewal fails silently you may not notice until it's too late.

Solution

ZoneWatcher monitors Certificate Transparency logs for your domains and intelligently detects when a certificate is approaching expiration without a replacement. You'll receive alerts at 7, 5, 2, and 1 days before expiry — only if no renewal has been detected.

Smart Renewal Detection

New certificates don't explicitly reference the certificate they're replacing. ZoneWatcher uses intelligent heuristics to determine whether a certificate has been renewed, so you only get alerted when there's a real problem.

Domain Matching

We compare the common name and all Subject Alternative Names (SANs) between the expiring certificate and any newer certificates. A renewal must cover all the same domains.

Issuer Matching

The replacement certificate must come from the same Certificate Authority. A new Let's Encrypt certificate won't suppress alerts for an expiring DigiCert certificate, since they likely serve different purposes.

Validity Comparison

The newer certificate must have an expiration date further in the future than the current one. This ensures we're looking at a true successor, not an older or overlapping certificate.

Notification Schedule

We check certificates daily and send notifications at specific milestones before expiry. The 7-day window avoids false positives from ACME clients that renew certificates late in their lifespan, while still giving you enough time to act if something has gone wrong.

7 days before
5 days before
2 days before
1 day before
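
The three renewal checks and the milestone schedule described above, sketched as an added example; this is not ZoneWatcher's code. The `Cert` record layout, comparing issuers by organization name, and treating a superset of names as covering "all the same domains" are assumptions made for the illustration, and the inventory is constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

ALERT_DAYS = {7, 5, 2, 1}  # milestones from the notification schedule

@dataclass(frozen=True)
class Cert:
    """Fields taken from a CT log entry; this layout is assumed for the example."""
    common_name: str
    sans: tuple
    issuer_org: str  # issuer organization (O=), e.g. "Let's Encrypt"
    not_after: date

    def names(self):
        # Common name plus SANs, lower-cased, trailing dot removed.
        return {n.lower().rstrip(".") for n in (self.common_name, *self.sans) if n}

def is_renewal(old, new):
    """True if `new` passes all three successor checks against `old`."""
    return (
        old.names() <= new.names()  # domain matching: every old name is covered
        and old.issuer_org.casefold() == new.issuer_org.casefold()  # same CA
        and new.not_after > old.not_after  # validity: expires later
    )

def expiry_alerts(certs, today):
    """Return (cert, days_left) for certs at a milestone with no renewal seen."""
    alerts = []
    for cert in certs:
        days_left = (cert.not_after - today).days
        if days_left not in ALERT_DAYS:
            continue
        if any(is_renewal(cert, other) for other in certs if other is not cert):
            continue  # a successor exists, so the alert is suppressed
        alerts.append((cert, days_left))
    return alerts

# Constructed sample inventory (not real CT data).
TODAY = date(2025, 3, 1)
SAMPLE = [
    Cert("example.com", ("example.com", "www.example.com"), "Let's Encrypt", date(2025, 3, 8)),
    Cert("example.com", ("example.com", "www.example.com"), "Let's Encrypt", date(2025, 6, 6)),
    Cert("shop.example.com", ("shop.example.com",), "DigiCert Inc", date(2025, 3, 6)),
    Cert("shop.example.com", ("shop.example.com",), "Let's Encrypt", date(2025, 5, 30)),
    Cert("api.example.com", ("api.example.com", "v2.api.example.com"), "Let's Encrypt", date(2025, 3, 3)),
    Cert("api.example.com", ("api.example.com",), "Let's Encrypt", date(2025, 6, 1)),
]
```

In the sample, `example.com` is suppressed by its renewal, while `shop.example.com` (replacement from a different CA) and `api.example.com` (replacement drops a SAN) still alert.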

New Certificate Notifications

Stay informed about all new certificates issued for your domains. When a new certificate appears in the Certificate Transparency logs, ZoneWatcher immediately analyzes it and provides detailed information.

Certificate Authority
Who issued the certificate
Domains Covered
All domains and subdomains included
Validity Period
Issue date and expiration date
Certificate Type
DV, OV, or EV validation level
Key Information
Algorithm, key size, and other technical details

Security Threat Detection

Certificate transparency monitoring is a crucial component of domain security. ZoneWatcher helps you identify potential security threats before they impact your business.

Rogue Certificates

Certificates issued without your knowledge or authorization

Subdomain Security

See which subdomains are active and may be open for attackers to find

Subdomain Discovery

Unexpected certificates revealing forgotten or unauthorized subdomains

Certificate Misissuance

Certificates that don't match your organization's policies

Comprehensive Certificate Database

ZoneWatcher maintains a comprehensive database of all certificates ever issued for your domains. This historical record provides valuable insights for security and compliance.

Compliance Auditing
Demonstrate certificate management compliance
Security Investigations
Trace the history of certificate changes during incidents
Renewal Planning
Understand certificate usage patterns across your infrastructure
Vendor Management
Track which Certificate Authorities your organization uses

Multiple Notification Channels

Certificate monitoring alerts can be delivered through all the same channels as DNS notifications to ensure you receive alerts where you need them most.

Email
Detailed certificate reports and summaries
Slack
Quick alerts in your security or infrastructure channels
Microsoft Teams
Integration with enterprise communication workflows
Discord
Real-time notifications for development teams
GitHub Issues
Automated issue creation in your GitHub repository for easy tracking
Webhooks
Custom integrations with SIEM systems or ticketing platforms

Enterprise Certificate Management

For organizations managing hundreds or thousands of certificates, ZoneWatcher provides enterprise-grade features to help you stay organized and compliant.

Portfolio Overview

Certificate portfolio overview and analytics

CA Analysis

Certificate Authority usage analysis

Workflow Integration

Integration with certificate management workflows

API Access

API access for automated certificate inventory management

Protect Your SSL Infrastructure

SSL/TLS certificates are critical to your website's security and trustworthiness. Don't leave certificate monitoring to chance. Start your free trial and gain complete visibility into your certificate landscape with real-time monitoring and proactive alerts.
