SSL & TLS monitoring

A real TLS handshake against every domain on every check. Not a CT log lookup, not a screen-scrape — Xpiry connects to your server, completes the handshake, and records what it saw.

What gets recorded on every check

  • Certificate chain — leaf, intermediates, and validation against the system trust store. If your server is missing an intermediate, you'll see it here even if your browser silently patches it.
  • Expiry & validity window — not_before, not_after, days remaining. Alerts fire on configurable thresholds (30/14/7/3/1 days by default).
  • Issuer and subject — full DN plus the common name, with known-CA recognition (Let's Encrypt, DigiCert, Sectigo, GlobalSign, Cloudflare, Google Trust Services, ZeroSSL, Buypass, Entrust, GoDaddy).
  • SAN list — every Subject Alternative Name on the cert, fully expandable on the domain page.
  • Public key & signature — algorithm, key size, signature algorithm, plus SHA-256 fingerprints of both the certificate and its SubjectPublicKeyInfo (SPKI).
  • Key usage & extended key usage — what the cert is allowed to be used for.
  • TLS version negotiated — and a probe of which versions your server still supports (1.3, 1.2, 1.1, 1.0, SSL 3). Deprecated versions are flagged.
  • Cipher suite — name, bit strength, and whether it provides forward secrecy.
  • OCSP stapling — whether your server is stapling a fresh OCSP response, and what status it shows (good / revoked / unknown).
  • ALPN — the protocol your server negotiated (h2, http/1.1, etc.).
  • Self-signed detection — flagged on the domain page with a critical alert and a hard cap on the security grade.

Non-standard ports

If you serve TLS somewhere other than 443 — an admin panel on 8443, a mail server on 993, a registry on 5000 — set the port from the domain's Settings page and Xpiry will handshake there. When a check fails because nothing answered on the configured port, the alert tells you exactly that, with the port included so you can fix it without guessing.

Subdomains share parent certs

When a subdomain check pulls a wildcard cert that also covers the parent (e.g. a SAN list of api.example.com + example.com + *.example.com), Xpiry persists the cert against the parent record too — no extra handshake required. Change detection still runs on the parent, so any rekey or issuer swap fires alerts on both.
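How SAN coverage decides which monitored records one certificate can be stored against, as an added example that is not Xpiry's own code. The function names and the monitored hostnames are constructed assumptions; the matching rule is the RFC 6125 one, where a wildcard is the whole left-most label and covers exactly one label.

```python
def san_matches(pattern: str, hostname: str) -> bool:
    """True if a dNSName SAN entry covers hostname (RFC 6125 style matching)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # a wildcard never spans more or fewer labels
    if p[0] == "*":
        # Assumption: reject wildcards directly under a TLD such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def covered_records(san_list, monitored):
    """Monitored hostnames (hypothetical records) that this certificate covers."""
    return [name for name in monitored
            if any(san_matches(san, name) for san in san_list)]


# Constructed sample: the SAN list from the paragraph above.
SANS = ["api.example.com", "example.com", "*.example.com"]
MONITORED = ["example.com", "api.example.com", "www.example.com",
             "a.b.example.com", "example.org"]

if __name__ == "__main__":
    print("covered:", covered_records(SANS, MONITORED))
    # The wildcard alone does not cover the parent; the explicit
    # example.com SAN entry is what makes the parent record eligible.
    print("wildcard only:", covered_records(["*.example.com"], MONITORED))
```
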

How often it runs

SSL checks run on a plan-based interval — every 24 hours on Free, 12 hours on Hobby, 6 hours on Pro, and every hour on Agency. Pick a plan that matches the cadence you need.

Start monitoring in minutes

Free for one domain. No credit card required.