An expired SSL certificate can take down a perfectly healthy website in seconds. No server crash, no code bug, no infrastructure failure — just a browser warning page that tells every visitor your site can't be trusted. Expired domains are even worse: lose your domain and someone else can register it, redirect your traffic, and impersonate your brand.
These aren't hypothetical risks. They happen to organizations of every size, and they're entirely preventable. With Down Device v3.8.0, we're introducing SSL certificate and domain expiration monitoring with tiered email alerts — so you know weeks in advance when something is about to expire and have plenty of time to act.
The Hidden Danger of Expired Certificates and Domains
SSL certificates and domain registrations share an uncomfortable trait: they expire silently. There's no alarm built into the infrastructure itself. Your certificate authority won't shut down your server gracefully. Your registrar won't pause your DNS records with a friendly maintenance page. One day the certificate or domain is valid; the next day it isn't, and the consequences are immediate.
When Certificates Expire
An expired SSL certificate triggers browser security warnings that most users won't click through. Chrome, Firefox, and Safari all display full-page interstitials telling visitors the connection is not private. For most users, that warning is indistinguishable from a hacked website. They leave and don't come back.
The business impact goes beyond lost traffic. Expired certificates break API integrations, webhook deliveries, and machine-to-machine communication. An internal microservice with an expired cert can cascade failures across your entire application stack. Payment processors, identity providers, and third-party APIs will all refuse to connect to an endpoint serving an expired certificate.
In 2020, Microsoft Teams suffered a global outage because a single authentication certificate expired. Millions of users were locked out for hours. In 2024, Starlink experienced connectivity issues traced back to an expired ground station certificate. These aren't small teams without resources — they're organizations with thousands of engineers and dedicated infrastructure teams. Certificate expiration sneaks past everyone.
When Domains Expire
A lapsed domain registration is potentially catastrophic. Once a domain enters the expired state, it goes through a grace period, a redemption period, and then becomes available for anyone to register. Domain squatters and malicious actors actively monitor expiring domains — especially those with existing traffic, backlinks, and brand recognition.
If someone else registers your expired domain, they control your email routing, your web traffic, and your brand identity on that domain. Customers who bookmarked your site or have it saved in their password manager will land on whatever the new owner puts there. Recovering an expired domain from a third party is expensive, time-consuming, and sometimes impossible.
Even without a malicious takeover, a lapsed domain means your website, email, and every service tied to that domain simply stops working. DNS resolution fails, and there's no graceful fallback.
The Real Cost of Expiration
According to a Netcraft study, over 1 million SSL certificates expire without renewal every month. Most of these cause at least some period of downtime before the team responsible notices. The average time to detect an expired certificate without automated monitoring is 4–6 hours — and for internal services, it can be days.
What We Built
Down Device v3.8.0 adds two new monitor types to the platform: SSL certificate monitors and domain expiration monitors. Both live on the unified monitoring page alongside your existing device, website, and mail server monitors — giving you a single dashboard for all of your infrastructure monitoring.
Here's what each monitor type does:
- SSL certificate monitoring connects to your server, retrieves the certificate chain, validates it, and tracks the expiration date. You receive email alerts at 30 days, 14 days, and 7 days before the certificate expires.
- Domain expiration monitoring performs WHOIS lookups against your domain's registrar, parses the registration expiration date, and sends the same tiered email alerts at 30, 14, and 7 days before expiry.
Both monitor types count toward your plan's combined monitor limit alongside devices, websites, and mail servers. If your plan includes 50 monitors, you can allocate them however you want — 20 devices, 15 websites, 10 SSL certificates, and 5 domains, for example. This keeps pricing simple and gives you flexibility to monitor what matters most to your infrastructure.
How SSL Monitoring Works
Adding an SSL monitor is straightforward: enter the hostname you want to monitor and Down Device handles the rest. Here's what happens behind the scenes on each check.
Certificate Retrieval
Down Device connects to your server on port 443 and performs a TLS handshake to retrieve the certificate presented by the server. This is the same certificate your visitors' browsers see, which means the monitor validates exactly what your users experience — not a cached or theoretical state, but the live certificate being served right now.
Chain Validation
A valid SSL certificate isn't just about the leaf certificate on your server. It requires a complete chain of trust from your certificate through any intermediate certificates up to a trusted root certificate authority. Down Device validates the entire chain, checking that each certificate in the chain is properly signed by its issuer and that the chain terminates at a recognized root CA.
Chain validation catches issues that simple expiration checking misses: a missing intermediate certificate, a revoked CA, or a misconfigured server that serves an incomplete chain. These problems cause browser warnings just like an expired certificate, but they're harder to diagnose because the leaf certificate itself looks fine.
Expiry Tracking and Alert Schedule
Once the certificate is retrieved and validated, Down Device records the expiration date and calculates the days remaining. The alert schedule is designed to give you escalating urgency:
| Days Before Expiry | Alert Level | Purpose |
|---|---|---|
| 30 days | Info | Early heads-up. Plan the renewal, create a ticket, schedule the work. |
| 14 days | Warning | Renewal should be in progress. If auto-renewal is configured, verify it's working. |
| 7 days | Urgent | Immediate action required. The certificate expires in one week. |
This tiered approach means the first alert arrives when there's still plenty of time to act through normal workflows. If the 30-day alert gets lost in a busy inbox, the 14-day alert follows up. And the 7-day alert is the final safety net before expiration becomes imminent.
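The check described in this section, sketched as an added example (not Down Device's own code): retrieve the live certificate with chain verification, compute the days remaining, and pick the tier from the table. The function names and the `already_sent` bookkeeping are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Thresholds from the alert table above: (days before expiry, level).
TIERS = [(30, "info"), (14, "warning"), (7, "urgent")]


def fetch_not_after(host, port=443, timeout=10.0):
    """Handshake on port 443 and return the leaf certificate's notAfter.

    create_default_context() verifies the chain and hostname against the
    system trust store, so an incomplete chain or an expired certificate
    raises ssl.SSLCertVerificationError instead of returning a date.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_remaining(not_after, now):
    """Whole days until expiry; negative once the certificate has expired."""
    seconds = ssl.cert_time_to_seconds(not_after)
    return (datetime.fromtimestamp(seconds, timezone.utc) - now).days


def due_alert(days_left, already_sent):
    """Return the tier to send now, or None if it was already sent.

    Using <= rather than == means a check skipped on day 30 still yields
    the alert on day 29, and each tier fires once per certificate.
    """
    if days_left < 0:
        level = "expired"
    else:
        reached = [name for limit, name in TIERS if days_left <= limit]
        level = reached[-1] if reached else None
    return None if level in already_sent else level


if __name__ == "__main__":
    # Constructed notAfter value in the format getpeercert() returns.
    now = datetime(2026, 6, 3, tzinfo=timezone.utc)
    left = days_remaining("Jun 15 12:00:00 2026 GMT", now)
    print(left, due_alert(left, already_sent={"info"}))
```

A verification error raised by `fetch_not_after` is itself worth alerting on, since it means visitors' browsers are already rejecting the certificate.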
How Domain Monitoring Works
Domain expiration monitoring follows the same principle as SSL monitoring but operates at a different layer. Instead of connecting to a server and inspecting a certificate, Down Device queries the WHOIS system to determine when your domain registration expires.
WHOIS Lookups
The WHOIS protocol is the standard mechanism for querying domain registration data. Down Device performs WHOIS lookups against the authoritative registrar for your domain and parses the registration expiration date from the response. This works across all major TLDs — .com, .net, .org, country-code TLDs, and newer gTLDs.
WHOIS data formats vary between registrars and TLDs, which is one reason manual WHOIS checking is unreliable. Some registrars format dates as "2026-06-15," others as "15-Jun-2026," and still others embed the date in free-form text fields. Down Device normalizes all of these formats to extract a reliable expiration date regardless of the registrar's response format.
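An added example of this kind of normalization (not Down Device's parser): it pulls the expiry field out of a WHOIS response and accepts the date styles mentioned above, including a date embedded in free-form text. The field labels and the sample responses are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Labels assumed for illustration; registries name the expiry field differently.
EXPIRY_FIELD = re.compile(
    r"^[ \t]*(?:Registry Expiry Date|Registrar Registration Expiration Date|"
    r"Expiration Date|Expiry date|paid-till|expires)[ \t]*:[ \t]*(.+)$",
    re.IGNORECASE | re.MULTILINE,
)
# A date-like token anywhere inside the field value (covers free-form text).
DATE_TOKEN = re.compile(
    r"\d{4}-\d{2}-\d{2}(?:T\d{2}:\d{2}:\d{2}Z)?"
    r"|\d{1,2}[- ][A-Za-z]{3,9}[- ]\d{4}"
)
# Month names rely on the default C/English locale.
FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y", "%d-%B-%Y")


def parse_expiry(whois_text):
    """Return the expiry as a datetime.date, or None when nothing parses.

    Purely numeric day/month orders such as 06/07/2026 are ambiguous, so
    they are rejected: a monitor should report "could not parse" rather
    than track a date that may be a month off.
    """
    for value in EXPIRY_FIELD.findall(whois_text):
        token = DATE_TOKEN.search(value)
        if token is None:
            continue
        text = token.group(0).replace(" ", "-")
        for fmt in FORMATS:
            try:
                return datetime.strptime(text, fmt).date()
            except ValueError:
                continue  # try the next format, then the next field
    return None


# Constructed sample responses, one per style described above.
SAMPLES = {
    "iso": "Domain Name: EXAMPLE.COM\n   Registry Expiry Date: 2026-06-15T04:00:00Z\n",
    "dmy": "Domain name:\n    example.co.uk\nExpiry date:  15-Jun-2026\n",
    "free": "expires: registered until 15 June 2026 (auto-renew off)\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, parse_expiry(text))
```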
Expiry Detection and Alerts
Once the domain expiration date is parsed, the same tiered alerting system applies: email notifications at 30, 14, and 7 days before the domain registration expires. The alert includes the domain name, the registrar, the expiration date, and the number of days remaining.
Domain monitoring is especially valuable for organizations managing multiple domains. If you own your primary domain plus regional variants, product-specific domains, or legacy domains that still receive traffic, keeping track of renewal dates across different registrars is a real operational challenge. A single missed renewal in a portfolio of 20 domains can cause serious disruption.
Auto-Renewal Is Not Enough
Many teams assume auto-renewal will handle domain expiration. But auto-renewal fails when the payment method on file expires, when the credit card is replaced, when the registrar account email goes to a former employee, or when the registrar changes its billing policies. Domain monitoring is the safety net that catches these failures before your domain lapses.
Tiered Alerting: 30, 14, and 7 Days
The choice of 30, 14, and 7 days for the alert schedule is deliberate. Each threshold corresponds to a different operational reality.
30 Days: Plan and Schedule
A month out, renewal is a task to schedule, not an emergency. This alert gives your team time to follow normal workflows: create a ticket, assign it to the right person, order the certificate through your standard procurement process, and schedule a maintenance window for deployment if needed. For domains, 30 days is enough time to resolve any payment or account issues with your registrar.
14 Days: Verify and Act
At two weeks, the renewal should already be in progress. This alert serves as a checkpoint. If you configured auto-renewal, now is the time to verify it actually ran. If the renewal is a manual process, this is the reminder that it needs to happen this week, not next.
7 Days: Final Warning
One week before expiry is the last safety net. If you're receiving this alert, something fell through the cracks — the earlier alerts were missed, auto-renewal failed, or the renewal process stalled. This alert signals that immediate, manual action is required to prevent an outage.
The three-tier system is designed so that no single missed alert leads to an expiration. Even if the 30-day alert gets buried, the 14-day alert arrives. Even if both are missed, the 7-day alert provides a final window for action. It takes ignoring all three alerts — across three weeks — for an expiration to catch you by surprise.
Best Practices for Managing SSL and Domains
Monitoring is the safety net, but there are operational practices that reduce the chance you'll need it.
Centralize Certificate Management
Scattered certificate management is the top cause of unexpected expirations. When different teams or individuals manage certificates for different services, nobody has a complete picture. Consolidate certificate issuance through a single provider or internal process, and maintain an inventory of every certificate in your infrastructure.
Use Short-Lived Certificates Where Possible
Let's Encrypt popularized 90-day certificates with automated renewal. Shorter certificate lifetimes force you to automate the renewal process, which is ultimately more reliable than a manual process with a long-lived certificate. If you're running certificates with one-year lifetimes and manual renewal, consider switching to automated issuance with shorter lifetimes.
Consolidate Domain Registrations
If your domains are spread across multiple registrars, consolidate them. A single registrar account with consistent payment methods and contact information is far easier to manage than five registrar accounts with different credentials, different payment methods, and different renewal policies.
Separate Monitoring from Renewal
Monitoring expiration and managing renewal are two different functions. Your certificate authority or registrar handles renewal. Down Device handles monitoring. Don't rely on the same system for both — if your CA's notification system fails, your independent monitor still catches the approaching expiration.
Monitor Internal Certificates Too
It's easy to focus on public-facing certificates and forget about the certificates securing internal services: database connections, service mesh mTLS, internal APIs, VPN endpoints, and admin panels. These certificates expire on the same schedule as your public ones, and their failures can be harder to diagnose because they manifest as inter-service communication breakdowns rather than visible browser warnings.
Getting Started
SSL certificate and domain expiration monitoring are available now in Down Device v3.8.0 on all plans. Adding a monitor takes less than a minute: navigate to the monitoring page, select SSL or Domain as the monitor type, enter the hostname or domain name, and save. Down Device runs the first check immediately and begins the alerting schedule based on the detected expiration date.
Both monitor types count toward your plan's combined monitor limit, so there's no separate add-on or pricing tier. If you have room in your current plan, you can start monitoring certificates and domains today at no additional cost.
Never Miss an Expiration Again
Down Device monitors your SSL certificates and domain registrations with automatic email alerts at 30, 14, and 7 days before expiry. Combined with device, website, and mail server monitoring on a single dashboard — everything you need to keep your infrastructure running. Free plan available — no credit card required.
Wrapping Up
Expired certificates and lapsed domains are among the most preventable causes of downtime, yet they continue to catch teams off guard. The problem isn't technical complexity — it's visibility. When renewal dates are scattered across different providers, different teams, and different calendars, things fall through the cracks.
Down Device v3.8.0 closes that gap with dedicated SSL certificate and domain expiration monitoring built into the same platform you already use for device, website, and mail server monitoring. The tiered alert schedule — 30, 14, and 7 days — gives you three separate opportunities to act before expiration, so a single missed email never results in an outage.
The key takeaways:
- Expired SSL certificates trigger browser warnings that block users and break API integrations. Expired domains can result in permanent loss of your web address.
- SSL monitoring validates the full certificate chain and tracks expiration with email alerts at 30, 14, and 7 days.
- Domain monitoring performs WHOIS lookups to detect registration expiration and follows the same tiered alert schedule.
- Both monitor types live on the unified monitoring dashboard and count toward your combined plan limit.
- Auto-renewal is not a substitute for independent monitoring. Payment failures, account issues, and registrar changes can all cause auto-renewal to fail silently.
If you manage any number of SSL certificates or domains, adding expiration monitoring is one of the highest-value, lowest-effort improvements you can make to your operations. Check out Down Device's plans or contact us to get started.