SSL Certificate Expiry Monitor

Monitor SSL certificate expiry dates across your entire domain portfolio in a single run. Expired or weak certificates cause browser warnings, lost revenue, and security incidents — yet most teams only discover problems after users complain. Schedule automated checks and get structured results with security grading, certificate chain details, and days-until-expiry counts.

Features

• Bulk domain scanning — check hundreds of domains and subdomains in one run
• Security grading — automatic A/B/C/F grade based on key size and days until expiry
• Expiry tracking — calculates exact days remaining for every certificate
• Certificate chain analysis — extracts the full chain from leaf to root CA
• Subject Alternative Names — lists all SAN entries to verify domain coverage
• Protocol detection — reports the negotiated TLS version (TLS 1.2, 1.3)
• Detailed error reporting — captures connection failures, self-signed certs, and hostname mismatches
• Configurable timeout — adjust per-domain connection timeout from 5 to 60 seconds

Input

Field	Type	Required	Default	Description
domains	array	Yes	["google.com"]	Domains or URLs to check. Accepts bare domains, URLs with protocol, or host:port format
timeout	integer	No	10	Connection timeout in seconds per domain (5-60)

Input Example

{
  "domains": [
    "example.com",
    "https://api.example.com",
    "mail.example.com:465"
  ],
  "timeout": 15
}

Output

Each domain produces one dataset item with full certificate details and a security grade.

Key fields:

• domain (string) — the domain that was checked
• protocol (string) — negotiated TLS version (e.g., TLSv1.3)
• issuer (string) — certificate authority that issued the certificate
• validFrom / validTo (string) — certificate validity period
• daysUntilExpiry (integer) — days remaining before expiry
• grade (string) — security grade: A (strong), B (expiring soon), C (weak), F (expired/failed)
• san (array) — Subject Alternative Names covered by the certificate
• certificateChain (array) — full chain from leaf to root
• keySize (integer) — RSA/ECDSA key size in bits
• errors (array) — any connection or certificate errors

Output Example

{
  "domain": "example.com",
  "protocol": "TLSv1.3",
  "issuer": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
  "subject": "C=US, ST=California, O=Internet Corporation for Assigned Names and Numbers, CN=www.example.org",
  "validFrom": "2024-11-15T00:00:00.000Z",
  "validTo": "2025-12-15T23:59:59.000Z",
  "daysUntilExpiry": 281,
  "serialNumber": "0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f",
  "fingerprint": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0",
  "signatureAlgorithm": "sha256WithRSAEncryption",
  "keySize": 2048,
  "san": ["example.com", "www.example.com"],
  "grade": "A",
  "errors": []
}

Pricing

Event	Cost
Certificate Check	Included in platform usage

Free to use — you pay only for Apify platform compute time.

Use Cases

• Certificate portfolio monitoring — schedule weekly runs across all your domains to catch expiring certificates before they cause outages
• Client website audits — agencies can scan all client sites in one run and report on certificate health
• Compliance reporting — generate certificate inventory reports for SOC 2, PCI DSS, or internal security reviews
• Vendor security assessment — evaluate TLS configuration of third-party APIs and SaaS dependencies
• Post-deployment verification — confirm new certificates are installed correctly after renewal or migration

Related Actors

Actor	What it adds
DNS Propagation Checker	Verify DNS is propagated before checking SSL certificates on new domains
SSL Cipher Suite Checker	Audit the specific TLS cipher suites negotiated by each domain
Security Headers Analyzer	Check HSTS, CSP, and other HTTP security headers alongside SSL

Notes

• The actor handles self-signed and invalid certificates gracefully — they will receive an F grade with error details.
• For domains behind CDNs, the certificate returned is the CDN's edge certificate, not the origin server's.