SSL/TLS Certificate Expiry Monitor
Pricing
from $1.50 / 1,000 domain checkeds
SSL/TLS Certificate Expiry Monitor
Bulk-check TLS certificates for any HTTPS hosts: days-to-expiry, expiry alerts, and issuer/SAN/fingerprint change detection. Pure protocol, no scraping.
Pricing
from $1.50 / 1,000 domain checkeds
Rating
0.0
(0)
Developer
Geo
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
3 days ago
Last modified
Categories
Share
Bulk-check TLS certificates for any HTTPS hosts and get alerted before they expire — plus catch unexpected issuer / SAN / fingerprint changes (CA migrations, mis-issuance, MITM). Pure protocol: it opens a TLS handshake and reads the certificate. No scraping, no anti-bot, no personal data.
Why
A single silently-expired certificate takes down checkout, APIs, or an entire site — and the industry is moving to short-lived (≤200-day, trending 90-day) certificates, multiplying renewal churn. This Actor is the cheap insurance: schedule it, and know days ahead.
Use cases
- Fleet expiry monitoring — watch every domain/subdomain/API host you own; alert at N days.
- Change / tamper detection — flag when a cert's issuer, SAN set, or SHA-256 fingerprint changes between runs.
- CA-migration & compliance tracking — verify a planned issuer switch actually rolled out everywhere.
- Vendor/counterparty checks — monitor third-party endpoints you depend on.
Input
| field | type | default | notes |
|---|---|---|---|
domains | string[] (required) | — | Hostnames, one per line. host:port supported (default 443). https:// is stripped. |
warningDays | integer | 30 | Emit an expiry alert when a cert expires within this many days. |
detectChanges | boolean | true | Compare issuer/SAN/fingerprint to the previous run (baseline stored in the Actor's key-value store). |
timeoutSecs | integer | 12 | Per-host TLS handshake timeout. |
{ "domains": ["example.com", "api.stripe.com:443", "badssl.com"], "warningDays": 30, "detectChanges": true }
Output (one dataset item per host)
status (ok|error), host, port, subject, issuer, validFrom, validTo, daysToExpiry, expiring, expired, fingerprint256, serialNumber, san, changed (+ previousFingerprint/previousIssuer when changed), or error on failure.
Pricing (pay-per-event) & worked cost example
| Event | Price (USD) | When |
|---|---|---|
actor-start | 0.01 | once per run |
domain-checked | 0.0015 | per host with a certificate successfully read |
expiry-alert | 0.02 | per host inside the warning window or already expired |
cert-changed | 0.02 | per host whose issuer/SAN/fingerprint changed vs last run |
Failed handshakes are never charged. Worked example — a daily run over 100 hosts with 5 in the warning window:
0.01 + 100×0.0015 + 5×0.02 = $0.26. Measured platform compute for that run is well under $0.01 (a TLS handshake is milliseconds; first 5s of compute is subsidized) — so platform cost is <4% of event revenue.
Integrate
Run on a schedule (e.g. daily), then fan alerts out via Apify webhooks, the API, MCP, or Make/n8n — trigger a downstream notification whenever an item has expiring: true or changed: true.
Limitations
- Reads the leaf certificate presented for the given SNI; it does not perform full chain-path validation or OCSP/CRL revocation checks.
- Change detection needs a baseline — the first run for a host records the baseline; changes are flagged from the second run on.
- Hosts that require client certs, non-standard TLS, or that block the connection return a structured
erroritem. - Optional Certificate-Transparency enrichment (planned) will use first-party RFC-6962 log APIs, never third-party scraping.