4. Domain Monitoring

Monitor certificate expiry and other common problems

CertKit monitors your public endpoints to verify that the served certificate matches your configuration. Monitoring is independent of issuance. You can monitor any endpoint, even if CertKit doesn’t manage the certificate.

Monitored Domains List

Monitored domains list
The monitored domains list.

Use the grouping options to audit your endpoints:

  • Grouped by Root Domain: If you have many sub-domains, it can be helpful to group by root domain to see all related domains in one place.
  • Grouped by Certificate: See all domains that use a given certificate to ensure they’re all using the latest version.
  • Grouped by Status: Prioritizes failing endpoints for troubleshooting.

Linked vs. Monitoring-only

When you monitor a domain, you can associate a specific CertKit certificate with it. In addition to monitoring expiry, we’ll also ensure that the endpoint is presenting the latest issued leaf certificate. This is especially helpful to catch situations where a certificate renews but deployment failed for some reason.

Add domain
The Add Domain form.
  • Linked: Connected to a CertKit-managed certificate. Any divergence (expired cert, incorrect thumbprint, or missing SAN) causes the status to be yellow or red.
  • Monitoring-only: Use this for third-party or legacy endpoints. Catches common misconfigurations and watches expiry, but doesn’t ensure a specific thumbprint/cert being presented.

Domain Detail

The detail page provides a 90-day chart of observed time-until-expiry. A marker is placed whenever a new certificate is detected.

Domain detail
The domain detail page with expiry history.

Alerts

If a domain gets too close to expiry, we’ll start sending emails to all users configured for those emails in the certificate collection. For 90 day certificates we start sending at 25 days until expiry. Shorter duration certificates alert closer to expiry.