SSL/TLS Certificate Expiry Monitor avatar

SSL/TLS Certificate Expiry Monitor

Pricing

from $1.50 / 1,000 domain checkeds

Go to Apify Store
SSL/TLS Certificate Expiry Monitor

SSL/TLS Certificate Expiry Monitor

Bulk-check TLS certificates for any HTTPS hosts: days-to-expiry, expiry alerts, and issuer/SAN/fingerprint change detection. Pure protocol, no scraping.

Pricing

from $1.50 / 1,000 domain checkeds

Rating

0.0

(0)

Developer

Geo

Geo

Maintained by Community

Actor stats

0

Bookmarked

2

Total users

1

Monthly active users

3 days ago

Last modified

Share

Bulk-check TLS certificates for any HTTPS hosts and get alerted before they expire — plus catch unexpected issuer / SAN / fingerprint changes (CA migrations, mis-issuance, MITM). Pure protocol: it opens a TLS handshake and reads the certificate. No scraping, no anti-bot, no personal data.

Why

A single silently-expired certificate takes down checkout, APIs, or an entire site — and the industry is moving to short-lived (≤200-day, trending 90-day) certificates, multiplying renewal churn. This Actor is the cheap insurance: schedule it, and know days ahead.

Use cases

  • Fleet expiry monitoring — watch every domain/subdomain/API host you own; alert at N days.
  • Change / tamper detection — flag when a cert's issuer, SAN set, or SHA-256 fingerprint changes between runs.
  • CA-migration & compliance tracking — verify a planned issuer switch actually rolled out everywhere.
  • Vendor/counterparty checks — monitor third-party endpoints you depend on.

Input

fieldtypedefaultnotes
domainsstring[] (required)Hostnames, one per line. host:port supported (default 443). https:// is stripped.
warningDaysinteger30Emit an expiry alert when a cert expires within this many days.
detectChangesbooleantrueCompare issuer/SAN/fingerprint to the previous run (baseline stored in the Actor's key-value store).
timeoutSecsinteger12Per-host TLS handshake timeout.
{ "domains": ["example.com", "api.stripe.com:443", "badssl.com"], "warningDays": 30, "detectChanges": true }

Output (one dataset item per host)

status (ok|error), host, port, subject, issuer, validFrom, validTo, daysToExpiry, expiring, expired, fingerprint256, serialNumber, san, changed (+ previousFingerprint/previousIssuer when changed), or error on failure.

Pricing (pay-per-event) & worked cost example

EventPrice (USD)When
actor-start0.01once per run
domain-checked0.0015per host with a certificate successfully read
expiry-alert0.02per host inside the warning window or already expired
cert-changed0.02per host whose issuer/SAN/fingerprint changed vs last run

Failed handshakes are never charged. Worked example — a daily run over 100 hosts with 5 in the warning window: 0.01 + 100×0.0015 + 5×0.02 = $0.26. Measured platform compute for that run is well under $0.01 (a TLS handshake is milliseconds; first 5s of compute is subsidized) — so platform cost is <4% of event revenue.

Integrate

Run on a schedule (e.g. daily), then fan alerts out via Apify webhooks, the API, MCP, or Make/n8n — trigger a downstream notification whenever an item has expiring: true or changed: true.

Limitations

  • Reads the leaf certificate presented for the given SNI; it does not perform full chain-path validation or OCSP/CRL revocation checks.
  • Change detection needs a baseline — the first run for a host records the baseline; changes are flagged from the second run on.
  • Hosts that require client certs, non-standard TLS, or that block the connection return a structured error item.
  • Optional Certificate-Transparency enrichment (planned) will use first-party RFC-6962 log APIs, never third-party scraping.