Pricing

from $9.00 / 1,000 results

🛡️ SSL/TLS Certificate Monitor

Scan thousands of websites for expiring TLS certs, extract fingerprint hashes, and run Google Web Risk malware checks without rendering a browser.

Pricing

from $9.00 / 1,000 results

Rating

0.0

(0)

Developer

太郎山田

Actor stats

Bookmarked

Total users

Monthly active users

10 days ago

Last modified

SSL Certificate Monitor API | Expiry, Issuer & TLS Coverage

Maintain robust security posture across your infrastructure by using this tool to continuously monitor SSL/TLS certificates for expiration and configuration drift. When you need to extract security details from thousands of websites, relying on manual checks or heavy web browser rendering is inefficient. By validating connections directly at the protocol level, this SSL monitor delivers lightning-fast scraped results, making it the ideal solution for DevSecOps teams handling massive URL lists.

Run scheduled audits to proactively detect expiring certificates before browsers block access to your web pages or search engines penalize your organic results. You can scrape critical data points to extract issuer organization names, pinpoint self-signed certs, and verify active protocol versions across your entire domain portfolio. Beyond standard TLS validation, you can enable optional Google Web Risk checks using your API key to identify websites flagged for malware, phishing, or social engineering.

Every time you execute the scraper, it extracts highly structured results, including precise expiry timestamps, SHA-256 fingerprint hashes, and full certificate chain coverage. Export the scraped details or integrate them with your email and incident management tools to ensure immediate alerts when any website security status changes.

Store Quickstart

Start with store-input.example.json for a reliable dataset run across three known domains.
If that matches your workflow, switch to store-input.templates.json and pick one of:
Quickstart (Dataset) for first-run validation
Portfolio Watch for larger domain sets
Webhook Alert for operational notifications

Key Features

🔒 Direct TLS inspection — Connects at the protocol level, not through HTTP
⏰ Expiry warnings — Configurable alert threshold (default: 30 days)
🔄 Certificate rotation detection — Tracks fingerprint changes between runs
🔍 Issuer change alerts — Detect when a certificate's issuer changes (potential security issue)
🛡️ Optional Google Web Risk lookup — Commercially usable reputation/threat checks with your own Google Cloud API key
❌ Invalid cert detection — Catches expired, self-signed, and misconfigured certificates

Use Cases

Who	Why
DevOps teams	Prevent certificate expiry outages across all domains
Security teams	Detect unauthorized certificate changes
MSPs	Monitor client SSL certificates at scale
SEO agencies	Verify client sites have valid HTTPS

Input

Field	Type	Default	Description
domains	array	prefilled	List of domains to check SSL certificates for (e.g. ['example.com', 'github.com']). Maximum 200 per run.
port	integer	`443`	Port to connect on (default 443).
expiryWarningDays	integer	`30`	Alert when certificate expires within this many days.
delivery	string	`"dataset"`	How to deliver results. 'dataset' saves to Apify Dataset (recommended), 'webhook' sends to a URL.
webhookUrl	string	—	Required when delivery is 'webhook'.
snapshotKey	string	`"ssl-cert-snapshots"`	Key name for storing snapshots (used for change detection between runs).
concurrency	integer	`5`	Maximum number of parallel requests. Higher = faster but may trigger rate limits.
dryRun	boolean	`false`	If true, runs without saving results or sending webhooks. Useful for testing.

Input Example

{
  "domains": ["google.com", "github.com", "expired.badssl.com"],
  "expiryWarningDays": 30,
  "concurrency": 5,
  "delivery": "dataset"
}

Output

Field	Type	Description
`meta`	object
`results`	array
`results[].domain`	string
`results[].status`	string
`results[].cert`	object
`results[].changes`	array
`results[].warnings`	array
`results[].reputation`	object
`results[].checkedAt`	timestamp
`results[].error`	null

Output Example

{
  "domain": "google.com",
  "status": "initial",
  "cert": {
    "subject": "CN=*.google.com, O=Google LLC, C=US",
    "issuer": "CN=WR2, O=Google Trust Services, C=US",
    "validFrom": "Jan 27 08:36:26 2026 GMT",
    "validTo": "Apr 21 08:36:25 2026 GMT",
    "serialNumber": "1A2B3C4D...",
    "bits": 256,
    "altNames": ["*.google.com", "google.com"],
    "authorized": true,
    "protocol": "TLSv1.3"
  },
  "changes": [],
  "warnings": [
    {
      "type": "expiring_soon",
      "message": "Certificate expires in 28 days",
      "daysLeft": 28
    }
  ],
  "reputation": {
    "provider": "google_webrisk",
    "status": "clean",
    "uri": "https://google.com/",
    "checkedAt": "2026-02-22T05:00:54.606Z",
    "requestedThreatTypes": ["MALWARE", "SOCIAL_ENGINEERING"],
    "threatTypes": [],
    "hasThreats": false,
    "expireTime": null
  }
}

API Usage

Run this actor programmatically using the Apify API. Replace YOUR_API_TOKEN with your token from Apify Console → Settings → Integrations.

cURL

curl -X POST "https://api.apify.com/v2/acts/taroyamada~ssl-certificate-monitor/run-sync-get-dataset-items?token=YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "domains": ["google.com", "github.com", "expired.badssl.com"], "expiryWarningDays": 30, "concurrency": 5, "delivery": "dataset" }'

Python

from apify_client import ApifyClient

client = ApifyClient("YOUR_API_TOKEN")
run = client.actor("taroyamada/ssl-certificate-monitor").call(run_input={
  "domains": ["google.com", "github.com", "expired.badssl.com"],
  "expiryWarningDays": 30,
  "concurrency": 5,
  "delivery": "dataset"
})

for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

JavaScript / Node.js

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: 'YOUR_API_TOKEN' });
const run = await client.actor('taroyamada/ssl-certificate-monitor').call({
  "domains": ["google.com", "github.com", "expired.badssl.com"],
  "expiryWarningDays": 30,
  "concurrency": 5,
  "delivery": "dataset"
});

const { items } = await client.dataset(run.defaultDatasetId).listItems();
console.log(items);

Tips & Limitations

Schedule weekly runs against your production domains to catch config drift.
Use webhook delivery to pipe findings into your SIEM (Splunk, Datadog, Elastic).
For CI integration, block releases on critical severity findings using exit codes.
Combine with ssl-certificate-monitor for layered cert + headers coverage.
Findings include links to official remediation docs — share with dev teams via the webhook payload.

FAQ

Is running this against a third-party site legal?

Passive public-header scanning is generally permitted, but follow your own compliance policies. Only scan sites you have authorization for.

How often should I scan?

Weekly for production domains; daily if you have high config-change velocity.

Can I export to a compliance tool?

Use webhook delivery or Dataset API — formats map well to Drata, Vanta, OneTrust import templates.

Is this a penetration test?

No — this actor performs passive compliance scanning only. No exploitation, fuzzing, or auth bypass.

Does this qualify as a SOC2 control?

This actor produces evidence artifacts suitable for SOC2 CC7.1 (continuous monitoring). It is not itself a SOC2 certification.

Security & Compliance cluster — explore related Apify tools:

Privacy & Cookie Compliance Scanner | GDPR / CCPA Banner Audit — Scan public privacy pages and cookie banners for GDPR/CCPA compliance signals.
Security Headers Checker API | OWASP Audit — Bulk-audit websites for OWASP security headers, grade each response, and monitor header changes between runs.
DNS / SPF / DKIM / DMARC Audit API — Bulk-audit domains for SPF, DKIM, DMARC, MX, and email-auth posture with grades and fix-ready recommendations.
robots.txt AI Policy Monitor | GPTBot ClaudeBot — Detect GPTBot, ClaudeBot, Google-Extended, and other AI crawler policies in robots.
Data Breach Disclosure Monitor | HIPAA Breach Watch — Monitor the HHS OCR Breach Portal for new HIPAA data breach disclosures.
WCAG Accessibility Checker API | ADA & EAA Compliance Audit — Audit websites for WCAG 2.
📜 Open-Source License & Dependency Audit API — Audit npm packages for license risk, dependency depth, maintainer activity, and compliance posture.
Trust Center & Subprocessor Monitor API — Monitor vendor trust centers, subprocessor lists, DPA updates, and security posture changes.

Cost

Pay Per Event:

actor-start: $0.01 (flat fee per run)
dataset-item: $0.003 per output item

Example: 1,000 items = $0.01 + (1,000 × $0.003) = $3.01

No subscription required — you only pay for what you use.

⭐ Was this helpful?

If this actor saved you time, please leave a ★ rating on Apify Store. It takes 10 seconds, helps other developers discover it, and keeps updates free.

Bug report or feature request? Open an issue on the Issues tab of this actor.

SSL Certificate Monitor — Bulk Expiry & Chain Checker

accurate_pouch/ssl-monitor

Monitor SSL/TLS certificates in bulk. Expiry dates, issuer, protocol version, key size, certificate chain, SAN list. Webhook alerts for expiring certs. 5 domains free.

Manchitt Sanan

SSL Certificate Expiry Monitor

andok/ssl-certificate-monitor

Monitor SSL/TLS certificate validity and expiration dates across thousands of domains to prevent costly outages.

Andok

SSL Certificate Inspector - TLS Audit & Expiry Monitor

santamaria-automations/ssl-certificate-inspector

Inspect SSL/TLS certificates for any domain: chain validation, expiry dates, cipher suites, TLS versions, subject alt names, issuer details, and security scoring. Export data, run via API, schedule and monitor runs, or integrate with other tools.

Alessandro Santamaria

SSL Certificate Checker

automation-lab/ssl-certificate-checker

SSL Certificate Checker connects to domains over TLS and inspects their SSL certificates. It returns structured data about certificate validity, expiry, issuer chain, TLS protocol version, cipher suite, and a security grade from A+ to F.

Stas Persiianenko

SSL Certificate Transparency Search

ryanclinton/crt-sh-search

Search Certificate Transparency (CT) logs via crt.sh to discover every SSL/TLS certificate ever issued for any domain. Enumerate subdomains, audit certificate histories, and monitor for unauthorized certificate issuance -- all through a clean JSON API on Apify with no infrastructure to manage.

ryan clinton

SSL Certificate Checker

rationalistic_counsel/ssl-certificate-checker

J N

Wick Web Fetcher — Browser-Grade Content Extraction

eventful_notoriety/wick-web-fetcher

Fetch web pages using Chrome's real TLS fingerprint. Returns clean markdown for LLMs and RAG pipelines. No headless browser needed — fast and lightweight.

Adam Fisk

SSL Certificate Checker - Bulk Expiry Monitor

pink_comic/ssl-certificate-checker

SSL certificate checker for certificate issuer, expiration dates, chain validation, and protocol details. Monitor certificate health for any domain. For security audits, compliance, and uptime monitoring. No API key required.

Ava Torres

🔒 SSL Certificate Checker — Bulk Expiry Monitor

nexgendata/ssl-certificate-checker

Monitor SSL certificate expiry dates, issuers & security configs across all your domains. Get alerts before certs expire. Bulk scanning for agencies & enterprises. Pay per check.

Stephan Corbeil

SSL Certificate Checker

scrappy_garden/ssl-certificate-checker

Check SSL/TLS certificates for any website: expiration date, issuer, subject, hostname match (SNI), chain/authorization status, and common HTTPS misconfigurations. Useful for SEO audits, security checks, and uptime monitoring.