SSL Certificate Monitor API | Expiry + Issuer Changes

Check SSL/TLS certificates in bulk, detect expiry and issuer changes, and emit alert-ready rows for ops and SEO teams.

Store Quickstart

• Start with store-input.example.json for a reliable dataset run across three known domains.
• If that matches your workflow, switch to store-input.templates.json and pick one of:
• Quickstart (Dataset) for first-run validation
• Portfolio Watch for larger domain sets
• Webhook Alert for operational notifications

Key Features

• 🔒 Direct TLS inspection — Connects at the protocol level, not through HTTP
• ⏰ Expiry warnings — Configurable alert threshold (default: 30 days)
• 🔄 Certificate rotation detection — Tracks fingerprint changes between runs
• 🔍 Issuer change alerts — Detect when a certificate's issuer changes (potential security issue)
• 🛡️ Optional Google Web Risk lookup — Commercially usable reputation/threat checks with your own Google Cloud API key
• ❌ Invalid cert detection — Catches expired, self-signed, and misconfigured certificates

Use Cases

Who	Why
DevOps teams	Prevent certificate expiry outages across all domains
Security teams	Detect unauthorized certificate changes
MSPs	Monitor client SSL certificates at scale
SEO agencies	Verify client sites have valid HTTPS

Input

Field	Type	Default	Description
domains	array	prefilled	List of domains to check SSL certificates for (e.g. ['example.com', 'github.com']). Maximum 200 per run.
port	integer	443	Port to connect on (default 443).
expiryWarningDays	integer	30	Alert when certificate expires within this many days.
delivery	string	"dataset"	How to deliver results. 'dataset' saves to Apify Dataset (recommended), 'webhook' sends to a URL.
webhookUrl	string	—	Required when delivery is 'webhook'.
snapshotKey	string	"ssl-cert-snapshots"	Key name for storing snapshots (used for change detection between runs).
concurrency	integer	5	Maximum number of parallel requests. Higher = faster but may trigger rate limits.
dryRun	boolean	false	If true, runs without saving results or sending webhooks. Useful for testing.

Input Example

{
  "domains": ["google.com", "github.com", "expired.badssl.com"],
  "expiryWarningDays": 30,
  "concurrency": 5,
  "delivery": "dataset"
}

Output

Field	Type	Description
meta	object
results	array
results[].domain	string
results[].status	string
results[].cert	object
results[].changes	array
results[].warnings	array
results[].reputation	object
results[].checkedAt	timestamp
results[].error	null

Output Example

{
  "domain": "google.com",
  "status": "initial",
  "cert": {
    "subject": "CN=*.google.com, O=Google LLC, C=US",
    "issuer": "CN=WR2, O=Google Trust Services, C=US",
    "validFrom": "Jan 27 08:36:26 2026 GMT",
    "validTo": "Apr 21 08:36:25 2026 GMT",
    "serialNumber": "1A2B3C4D...",
    "bits": 256,
    "altNames": ["*.google.com", "google.com"],
    "authorized": true,
    "protocol": "TLSv1.3"
  },
  "changes": [],
  "warnings": [
    {
      "type": "expiring_soon",
      "message": "Certificate expires in 28 days",
      "daysLeft": 28
    }
  ],
  "reputation": {
    "provider": "google_webrisk",
    "status": "clean",
    "uri": "https://google.com/",
    "checkedAt": "2026-02-22T05:00:54.606Z",
    "requestedThreatTypes": ["MALWARE", "SOCIAL_ENGINEERING"],
    "threatTypes": [],
    "hasThreats": false,
    "expireTime": null
  }
}

API Usage

Run this actor programmatically using the Apify API. Replace YOUR_API_TOKEN with your token from Apify Console → Settings → Integrations.

cURL

curl -X POST "https://api.apify.com/v2/acts/taroyamada~ssl-certificate-monitor/run-sync-get-dataset-items?token=YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "domains": ["google.com", "github.com", "expired.badssl.com"], "expiryWarningDays": 30, "concurrency": 5, "delivery": "dataset" }'

Python

from apify_client import ApifyClient

client = ApifyClient("YOUR_API_TOKEN")
run = client.actor("taroyamada/ssl-certificate-monitor").call(run_input={
  "domains": ["google.com", "github.com", "expired.badssl.com"],
  "expiryWarningDays": 30,
  "concurrency": 5,
  "delivery": "dataset"
})

for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

JavaScript / Node.js

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: 'YOUR_API_TOKEN' });
const run = await client.actor('taroyamada/ssl-certificate-monitor').call({
  "domains": ["google.com", "github.com", "expired.badssl.com"],
  "expiryWarningDays": 30,
  "concurrency": 5,
  "delivery": "dataset"
});

const { items } = await client.dataset(run.defaultDatasetId).listItems();
console.log(items);

Tips & Limitations

• Schedule weekly runs against your production domains to catch config drift.
• Use webhook delivery to pipe findings into your SIEM (Splunk, Datadog, Elastic).
• For CI integration, block releases on critical severity findings using exit codes.
• Combine with ssl-certificate-monitor for layered cert + headers coverage.
• Findings include links to official remediation docs — share with dev teams via the webhook payload.

FAQ

Is running this against a third-party site legal?

Passive public-header scanning is generally permitted, but follow your own compliance policies. Only scan sites you have authorization for.

How often should I scan?

Weekly for production domains; daily if you have high config-change velocity.

Can I export to a compliance tool?

Use webhook delivery or Dataset API — formats map well to Drata, Vanta, OneTrust import templates.

Is this a penetration test?

No — this actor performs passive compliance scanning only. No exploitation, fuzzing, or auth bypass.

Does this qualify as a SOC2 control?

This actor produces evidence artifacts suitable for SOC2 CC7.1 (continuous monitoring). It is not itself a SOC2 certification.

Related Actors

Security & Compliance cluster — explore related Apify tools:

• Privacy & Cookie Compliance Scanner | GDPR / CCPA Banner Audit — Scan public privacy pages and cookie banners for GDPR/CCPA compliance signals.
• Security Headers Checker API | OWASP Audit — Bulk-audit websites for OWASP security headers, grade each response, and monitor header changes between runs.
• DNS / SPF / DKIM / DMARC Audit API — Bulk-audit domains for SPF, DKIM, DMARC, MX, and email-auth posture with grades and fix-ready recommendations.
• robots.txt AI Policy Monitor | GPTBot ClaudeBot — Detect GPTBot, ClaudeBot, Google-Extended, and other AI crawler policies in robots.
• Data Breach Disclosure Monitor | HIPAA Breach Watch — Monitor the HHS OCR Breach Portal for new HIPAA data breach disclosures.
• WCAG Accessibility Checker API | ADA & EAA Compliance Audit — Audit websites for WCAG 2.
• 📜 Open-Source License & Dependency Audit API — Audit npm packages for license risk, dependency depth, maintainer activity, and compliance posture.
• Trust Center & Subprocessor Monitor API — Monitor vendor trust centers, subprocessor lists, DPA updates, and security posture changes.

Cost

Pay Per Event:

• actor-start: $0.01 (flat fee per run)
• dataset-item: $0.003 per output item

Example: 1,000 items = $0.01 + (1,000 × $0.003) = $3.01

No subscription required — you only pay for what you use.