We follow the Certificate Transparency logs to gain intelligence on all certificates issued for a specific domain. Certificates are parsed in real time as they are issued, and we can send notifications for new or expiring certificates.
Certificate Transparency (CT) logs are public records of all SSL/TLS certificates issued by Certificate Authorities. ZoneWatcher monitors these logs in real time, providing you with immediate visibility into all certificates issued for your domains.
Expired SSL certificates cause website outages, browser security warnings, and erode user trust. ACME clients like certbot typically renew around 30 days before expiry, but if the renewal fails silently you may not notice until it's too late.
ZoneWatcher monitors Certificate Transparency logs for your domains and intelligently detects when a certificate is approaching expiration without a replacement. You'll receive alerts at 7, 5, 2, and 1 days before expiry — only if no renewal has been detected.
New certificates don't explicitly reference the certificate they're replacing. ZoneWatcher uses intelligent heuristics to determine whether a certificate has been renewed, so you only get alerted when there's a real problem.
We compare the common name and all Subject Alternative Names (SANs) between the expiring certificate and any newer certificates. A renewal must cover all the same domains.
The replacement certificate must come from the same Certificate Authority. A new Let's Encrypt certificate won't suppress alerts for an expiring DigiCert certificate, since they likely serve different purposes.
The newer certificate must have an expiration date further in the future than the current one. This ensures we're looking at a true successor, not an older or overlapping certificate.
We check certificates daily and send notifications at specific milestones before expiry. The 7-day window avoids false positives from ACME clients that renew certificates late in their lifespan, while still giving you enough time to act if something has gone wrong.
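The three renewal rules and the alert milestones described above, sketched as an added example; this is not ZoneWatcher's own code. The `Cert` record shape, the issuer-string comparison, the superset name matching (exact names, no wildcard expansion) and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

ALERT_DAYS = (7, 5, 2, 1)  # notification milestones stated on the page

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed CT log entry (hypothetical shape)."""
    common_name: str
    sans: frozenset
    issuer: str        # assumption: the CA is identified by its issuer name
    not_after: date

    def names(self):
        return frozenset(n.lower() for n in self.sans | {self.common_name})

def is_renewal(old, new):
    """True if `new` satisfies all three renewal rules relative to `old`."""
    return (new.issuer == old.issuer             # same Certificate Authority
            and new.names() >= old.names()       # covers every CN/SAN of the old cert
            and new.not_after > old.not_after)   # expires later: a true successor

def alerts_due(certs, today):
    """Return (common_name, issuer, days_left) for certs needing an alert today."""
    due = []
    for cert in certs:
        days_left = (cert.not_after - today).days
        if days_left not in ALERT_DAYS:
            continue                             # only alert on the milestones
        if not any(is_renewal(cert, other) for other in certs):
            due.append((cert.common_name, cert.issuer, days_left))
    return due

def sample_certs(today):
    """Constructed sample data; names and issuers are illustrative only."""
    def c(cn, sans, issuer, days):
        return Cert(cn, frozenset(sans), issuer, today + timedelta(days=days))
    return [
        c("www.example.com", ["www.example.com"], "Let's Encrypt", 5),
        c("www.example.com", ["www.example.com"], "Let's Encrypt", 65),    # renewed
        c("api.example.com", ["api.example.com"], "DigiCert", 2),
        c("api.example.com", ["api.example.com"], "Let's Encrypt", 80),    # other CA
        c("shop.example.com", ["shop.example.com", "pay.example.com"], "Let's Encrypt", 7),
        c("shop.example.com", ["shop.example.com"], "Let's Encrypt", 85),  # dropped a SAN
        c("old.example.com", ["old.example.com"], "DigiCert", 6),          # not a milestone
    ]
```

With this sample set, only the DigiCert certificate (replaced by a different CA) and the two-name certificate (successor dropped a SAN) produce alerts; the properly renewed certificate stays silent.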
Stay informed about all new certificates issued for your domains. When a new certificate appears in the Certificate Transparency logs, ZoneWatcher immediately analyzes it and provides detailed information.
Certificate transparency monitoring is a crucial component of domain security. ZoneWatcher helps you identify potential security threats before they impact your business.
Certificates issued without your knowledge or authorization
See which subdomains are active and may be open for attackers to find
Unexpected certificates revealing forgotten or unauthorized subdomains
Certificates that don't match your organization's policies
ZoneWatcher maintains a comprehensive database of all certificates ever issued for your domains. This historical record provides valuable insights for security and compliance.
Certificate monitoring alerts can be delivered through all the same channels as DNS notifications to ensure you receive alerts where you need them most.
For organizations managing hundreds or thousands of certificates, ZoneWatcher provides enterprise-grade features to help you stay organized and compliant.
Certificate portfolio overview and analytics
Certificate Authority usage analysis
Integration with certificate management workflows
API access for automated certificate inventory management
SSL/TLS certificates are critical to your website's security and trustworthiness. Don't leave certificate monitoring to chance. Start your free trial and gain complete visibility into your certificate landscape with real-time monitoring and proactive alerts.
Start your free trial today and get full access to all monitoring features.