---
title: 'SSL Certificate Monitoring'
description: 'Certificate expiry alerts, chain validation, and TLS handshake timing built into every HTTPS check. Certificate fields emit as OTel span attributes; handshake duration emits as a separate OTel metric.'
canonical_url: 'https://yorkermonitoring.com/features/ssl-monitoring'
---

# SSL monitoring built into every check

Not a separate product, built in.

Every HTTP and browser check inspects the TLS certificate. Certificate fields emit as OTel span attributes; handshake duration emits as a separate OTel metric. Expiry alerts, chain validation, and timing breakdown, with zero additional configuration.

```
# Emitted on every HTTPS check
synthetics.tls.days_until_expiry      42
synthetics.tls.valid_from             2025-11-15T00:00:00Z
synthetics.tls.valid_to               2026-05-15T00:00:00Z
synthetics.tls.issuer_cn              Let's Encrypt Authority X3
synthetics.tls.subject_cn             api.example.com
synthetics.tls.fingerprint_sha256     a1b2c3d4...
synthetics.tls.chain_valid            true
synthetics.tls.self_signed            false

# Emitted as an OTel metric (not a span attribute)
synthetics.tls.handshake_duration     45
```

[Start Free](/sign-up) | [Read Docs](/docs)

## How it works

### 01. HTTP or browser check runs

Any HTTPS check automatically triggers TLS inspection. No extra configuration, no separate certificate monitoring check to maintain.

### 02. TLS handshake inspected

Certificate validity, expiry date, issuer chain, fingerprint, self-signed detection, and handshake duration captured.

### 03. Full chain emitted as span attributes

Certificate chain fields (subject, issuer, validity dates, fingerprint, self-signed flag, chain_valid) emit as span attributes alongside the regular HTTP check telemetry. Handshake duration emits as a separate OTel metric.

### 04. Alert on expiry threshold

Configure your alert threshold: be notified at 30 days, 14 days, or 7 days before expiry. Not at zero.

## Expiry alerts before the user sees it

Alert configurable days before expiry. Not at zero days, but before the certificate becomes a user-facing problem. Configure multiple thresholds: a warning at 30 days, a paging alert at 7 days.

Because SSL inspection is built into every check, not a separate monitoring target, your certificate alert fires from the same check that monitors your endpoint's health. One monitor, complete coverage.

### Certificate expiry timeline

| Time remaining | Alert |
| --- | --- |
| 30 days remaining | Warning alert |
| 14 days remaining | Escalation alert |
| 7 days remaining | Paging alert |
| 0 days remaining | Certificate expired, users see errors |

Yorker alerts at 30d and 7d. You fix it before it hits zero.

## Full chain validation

Not just expiry date. Issuer chain, self-signed detection, and fingerprint inspected on every check run. Know if a certificate was rotated with an incomplete chain before a browser flags it.

Fingerprint changes are surfaced in OTel spans, useful for detecting unexpected certificate rotations or potential certificate substitution.

### Certificate chain inspection

| Field | Value |
| --- | --- |
| Subject CN | api.example.com |
| Issuer CN | Let's Encrypt Authority X3 |
| Root CA | ISRG Root X1 |
| Chain valid | true |
| Self-signed | false |
| Days to expiry | 42 |
| Fingerprint | sha256:a1b2c3d4... |

## TLS timing in OTel

TLS handshake duration emitted as an OTel metric on every check run, anomaly-scored against a 14-day rolling baseline. Slow TLS handshakes show up as performance anomalies in your backend, not just as a vague "slow response" that requires manual diagnosis.

When your TLS handshake starts taking 3x longer after a server configuration change, the anomaly fires before users notice the performance degradation.

### TLS handshake duration: 14-day trend

| Day | Handshake duration |
| --- | --- |
| 14 days ago | 42ms |
| 7 days ago | 44ms |
| 3 days ago | 43ms |
| Yesterday | 45ms |
| Today (anomaly) | 141ms |

+3.1σ from 14-day baseline, anomaly alert firing.

## Unlike standalone SSL monitoring tools

- Most SSL monitoring is a separate product with a separate dashboard and a separate alert pipeline. Yorker SSL intelligence is built into every check: zero additional setup, no second monitoring tool to manage.
- Certificate fields are emitted as OTel span attributes; handshake duration as a metric. Your ClickHouse or Grafana dashboard already has the data alongside your other telemetry, without any additional configuration.
- Anomaly detection on TLS handshake duration means you catch performance regressions in your TLS stack before expiry becomes the concern.

## Related features

### API Monitoring

HTTP checks where TLS inspection runs automatically on every request. See [/features/api-monitoring](/features/api-monitoring).

### OpenTelemetry

TLS span attributes as part of the full OTel insight pack. See [/features/opentelemetry](/features/opentelemetry).

### Alerting

Certificate expiry alerts with multi-location correlation. See [/features/alerting](/features/alerting).

## Put your first check live in one command.

Free tier includes 10,000 HTTP + MCP checks and 1,500 browser checks per month. No credit card required.

[Start Free](/sign-up) | [Read Docs](/docs)

```
npx @yorker/cli init
```