Certificate change detection

Unexpected certificate changes are one of the clearest signals that something is wrong. Xpiry catches them on the first check after they happen, classifies them, and tells you whether they look routine or suspicious.

What we diff

On every SSL check, the newly fetched certificate is compared field by field against the previous one stored for that domain. The differ reports changes in:

  • SHA-256 fingerprint
  • Public key fingerprint (SPKI)
  • Issuer DN
  • SAN list (added & removed)
  • Validity window
  • Signature algorithm
  • Public key algorithm & size
  • Key usage / EKU
  • Chain validity
  • Self-signed transition

Classifications & severities

  • Critical: Became self-signed. The site stopped being served by a trusted CA. Almost always means a misconfigured deployment.
  • Critical: Weakened crypto. Moved to a weaker signature (SHA-1, MD5) or smaller key (sub-2048 RSA, sub-256 EC).
  • Critical: Chain broken. The trust chain stopped validating, usually because of a missing intermediate after a re-deploy.
  • Warning: Issuer changed. Signed by a different CA than last time. Could be a planned migration or an unauthorised reissue.
  • Warning: Rekeyed. The public key changed. A real rekey, distinct from same-key renewal.
  • Warning: SANs changed. Hosts added to or removed from the SAN list. Three or more additions auto-bump to warning even on routine renewals.
  • Info: Renewed (same key). Normal lifecycle renewal: same SPKI, fresh validity window. Auto-downgraded to info when the CA's known rotation cadence checks out.
  • Info: Chain restored. A previously-broken chain is validating again. Good news.
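
The classification list above can be sketched as a small diff function. This is an added example, not Xpiry's own code: the `Snapshot` fields, the function names and the rule order are assumptions, the sample snapshots are constructed, and the CA-cadence downgrade is not modelled.

```python
from dataclasses import dataclass, replace

MIN_KEY_BITS = {"RSA": 2048, "EC": 256}  # thresholds from the severity list

@dataclass(frozen=True)
class Snapshot:            # hypothetical record stored after one SSL check
    fingerprint: str       # SHA-256 of the whole certificate
    spki: str              # fingerprint of the public key only
    issuer: str
    sans: frozenset
    sig_alg: str
    key_alg: str
    key_bits: int
    chain_valid: bool
    self_signed: bool

def weak(s):
    """True if the signature hash or key size is below the listed thresholds."""
    weak_hash = any(h in s.sig_alg.lower() for h in ("sha1", "md5"))
    return weak_hash or s.key_bits < MIN_KEY_BITS.get(s.key_alg, 0)

def classify(old, new):
    """Return (severity, label) findings for the change old -> new."""
    out = []
    def add(cond, sev, label):
        if cond:
            out.append((sev, label))
    add(new.self_signed and not old.self_signed, "critical", "became self-signed")
    add(weak(new) and not weak(old), "critical", "weakened crypto")
    add(old.chain_valid and not new.chain_valid, "critical", "chain broken")
    add(new.chain_valid and not old.chain_valid, "info", "chain restored")
    add(new.issuer != old.issuer, "warning", "issuer changed")
    add(new.spki != old.spki, "warning", "rekeyed")
    add(new.sans != old.sans, "warning", "SANs changed")
    # New certificate over the same key, issuer and SAN list: a plain renewal.
    same = (new.spki, new.issuer, new.sans) == (old.spki, old.issuer, old.sans)
    add(same and new.fingerprint != old.fingerprint, "info", "renewed (same key)")
    return out

# Constructed sample data, not real certificates.
BASE = Snapshot("fp-1", "spki-1", "CN=Example CA", frozenset({"example.test"}),
                "sha256WithRSAEncryption", "RSA", 2048, True, False)
RENEWED = replace(BASE, fingerprint="fp-2")
SUSPECT = replace(BASE, fingerprint="fp-3", spki="spki-2", issuer="CN=Other CA",
                  sig_alg="sha1WithRSAEncryption", key_bits=1024)
```

Comparing the SPKI fingerprint separately from the certificate fingerprint is what lets a same-key renewal be told apart from a rekey.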

Routine renewals don't spam you

Xpiry knows the certificate lifecycle policies of the major CAs (Let's Encrypt 90 days, DigiCert 398, etc.). When a change matches expected rotation timing — same issuer, no SAN drift, sensible validity window — the alert is auto-downgraded from warning to info. Your inbox stays quiet during routine renewals and lights up when something actually moves.

Start monitoring in minutes

Free for one domain. No credit card required.
