SSL Certificate Monitoring for SaaS Companies

Your SaaS product runs on HTTPS. An expired certificate breaks every customer's experience at once. Monitor certificates across your entire infrastructure.

One Expired Certificate Takes Down Every Customer at Once

When a certificate expires on a regular website, one website goes down. When a certificate expires on a SaaS platform, every customer on that platform goes down simultaneously. Thousands of users hitting the same "connection not private" error at the same moment. Support tickets flooding in. Status page going red. Twitter mentions piling up.

This is the SaaS certificate problem in a nutshell: the blast radius isn't one site. It's your entire customer base.

A blog with an expired certificate loses some readers for a day. A SaaS product with an expired certificate loses customer trust, triggers SLA violations, and generates the kind of incident that ends up in a very uncomfortable postmortem. The stakes are fundamentally different.

SaaS-Specific Certificate Challenges

SaaS infrastructure is certificate-dense. Every layer of the stack, every customer touchpoint, and every internal connection relies on TLS. Here's what makes certificate management uniquely complex for SaaS companies.

Custom Domains for Customers

If your SaaS product lets customers use their own domains (app.theircustomer.com instead of theircustomer.yourapp.com), you're managing a certificate for every custom domain. Some SaaS companies handle dozens of these. Some handle thousands. Each one has its own certificate lifecycle, and customers don't think about renewal -- they expect it to just work.

Wildcard Certificates on Subdomains

Most multi-tenant SaaS apps serve customers on subdomains: customer1.yourapp.com, customer2.yourapp.com. A wildcard certificate (*.yourapp.com) covers all of them with a single cert. That's efficient -- until that one wildcard certificate expires and every customer subdomain breaks simultaneously.

API Endpoint Certificates

Your API is the backbone of your SaaS product. Mobile apps, integrations, and customer scripts all connect to api.yourapp.com. If that certificate expires, it's not just the web app that goes down -- it's every integration every customer has built.

Webhook Callback URLs

If your product sends webhooks (and most SaaS products do), those callbacks use HTTPS endpoints. While you don't control your customers' webhook receiver certificates, you do control the certificate on the endpoint that serves your webhook payload. An expired cert there means webhook deliveries fail silently.

Microservice-to-Microservice TLS

Modern SaaS architectures use mTLS between internal services. An expired internal certificate doesn't show a browser warning -- it causes service-to-service communication failures that manifest as mysterious application errors. These are some of the hardest certificate issues to diagnose because the symptoms look like application bugs, not certificate problems.

The certificate count adds up fast

A typical SaaS company with custom domain support, API endpoints, webhook infrastructure, and internal services can easily be managing 50-500+ certificates. At that scale, a spreadsheet isn't a management strategy -- it's a liability.

Certificate Types in a Typical SaaS Stack

Understanding what certificates you have is the first step to monitoring them effectively:

| Certificate Type | What It Covers | Blast Radius | Priority |
|---|---|---|---|
| Wildcard (*.yourapp.com) | All customer subdomains | Every tenant on the platform | Critical |
| API endpoint | api.yourapp.com | All API consumers and integrations | Critical |
| Main marketing site | yourapp.com / www.yourapp.com | Prospects and public-facing pages | High |
| Customer custom domains | app.customerdomain.com | Individual customer | Medium per cert, high in aggregate |
| Internal service mTLS | Service-to-service communication | Internal functionality | Medium |
| Documentation site | docs.yourapp.com | Developer experience | Medium |
| Webhook endpoints | webhooks.yourapp.com | Outbound integrations | Medium |
| Staging/preview environments | staging.yourapp.com | Internal team only | Low |

Monitoring Strategy: Prioritize by Blast Radius

Not all certificate expirations are created equal. A SaaS company's monitoring strategy should be organized by how many customers are affected if a certificate expires.

Tier 1 -- Platform-wide impact. Your wildcard certificate and API endpoint certificate. If either of these expires, every customer is affected. These get the tightest monitoring and the most aggressive escalation. Alerts should route to the on-call engineer and trigger immediate action.

Tier 2 -- Significant impact. Your marketing site, documentation, and aggregate customer custom domains. These affect large groups of users or prospects. Alerts go to the team responsible and should be resolved within a business day.

Tier 3 -- Contained impact. Individual customer custom domain certificates and internal service certificates. Important, but the blast radius is limited. Route these to a renewal queue and handle them systematically.

The Solution: Monitor What Your Customers Actually See

SSL Certificate Expiry checks the certificates your endpoints are actually serving -- the same certificates your customers' browsers and API clients validate. It doesn't matter whether those certificates are managed by Let's Encrypt, your cloud provider, or a commercial CA. If the live certificate is approaching expiry, you'll know about it.

Bulk certificate monitoring

Add your entire certificate inventory -- production domains, API endpoints, custom domains, internal services. Monitor them all from one dashboard.

Escalating alerts

Alerts at 30, 14, 7, 3, and 1 day before expiry. Your Tier 1 certificates get the full escalation. Tier 3 certificates get a timely heads-up.

Certificate chain validation

Catch intermediate certificate issues before they cause TLS handshake failures. Chain problems are notoriously hard to debug -- monitoring prevents them.

Co-recipient routing

Route alerts to different teams based on the certificate. Platform certs alert the infrastructure team. Customer domain certs alert the customer success team.

External perspective

Checks from outside your infrastructure, catching issues that internal health checks miss -- like a CDN serving a stale certificate.

How SaaS Companies Use SSL Certificate Expiry

Building the Certificate Inventory

Start by mapping every certificate in your stack. Work through each layer:

  1. Customer-facing endpoints: app.yourapp.com, api.yourapp.com, yourapp.com
  2. Customer custom domains: Every domain your customers have configured
  3. Supporting services: docs.yourapp.com, status.yourapp.com, webhooks.yourapp.com
  4. Internal services: Any externally-reachable internal endpoints

Add each one to your monitoring dashboard. For most SaaS companies, this is a one-time exercise that takes an hour and prevents years of potential incidents.

Integrating with Incident Management

Map SSL Certificate Expiry to your existing incident management process:

  • 30-day alert: Creates a ticket in your project management tool. Assigned to the infrastructure team.
  • 14-day alert: Ticket priority escalated. Someone needs to verify renewal is in progress.
  • 7-day alert: Escalate to the engineering lead. This is now a high-priority item.
  • 3-day alert: This is an incident. Assign an owner, set a deadline, confirm renewal today.
  • 1-day alert: All hands. Emergency renewal and deployment.
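
The escalation schedule above, combined with the blast-radius tiers, as an added Python example (not SSL Certificate Expiry's own code or API). The `SAMPLE` inventory dates and `NOW` are constructed, and the "expired" step for negative days is an assumption beyond the five thresholds listed here.

```python
import socket
import ssl
from datetime import datetime, timezone

# Alert thresholds (days before expiry) and actions, paraphrased from the list above.
ESCALATION = [
    (1, "all hands: emergency renewal and deployment"),
    (3, "incident: assign owner, confirm renewal today"),
    (7, "escalate to engineering lead"),
    (14, "raise ticket priority, verify renewal in progress"),
    (30, "create ticket for infrastructure team"),
]

def days_left(not_after: str, now: datetime) -> int:
    """Whole days until a certificate's notAfter (OpenSSL text form, GMT)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days

def escalation_step(days: int):
    """Most urgent step whose threshold has been reached, or None if not yet due."""
    if days < 0:
        return "expired: outage in progress"  # assumed label, not from the page
    for threshold, action in ESCALATION:
        if days <= threshold:
            return action
    return None

def live_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """notAfter of the certificate the endpoint actually serves.
    The default context verifies chain and hostname, so an expired or broken
    chain raises ssl.SSLCertVerificationError, which is itself an alert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def triage(inventory, now):
    """Alerts as (tier, days, host, step), sorted by tier then days remaining."""
    rows = [(tier, days_left(na, now), host) for host, tier, na in inventory]
    return sorted((t, d, h, escalation_step(d)) for t, d, h in rows if escalation_step(d))

# Constructed sample inventory: hostnames from this page, dates invented.
SAMPLE = [
    ("docs.yourapp.com", 2, "Jul  1 12:00:00 2025 GMT"),
    ("api.yourapp.com", 1, "Jun 10 12:00:00 2025 GMT"),
    ("app.customerdomain.com", 3, "Jun  3 12:00:00 2025 GMT"),
    ("yourapp.com", 2, "Sep  1 12:00:00 2025 GMT"),
]
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
```

In live use, replace the constructed dates with `live_not_after(host)` run from outside your own network, so the check sees the certificate customers see.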

Custom Domain Lifecycle Management

For SaaS products with custom domain support, certificate monitoring is part of the customer lifecycle. When a customer configures a custom domain, add it to monitoring. When they churn and remove their domain, remove it from monitoring. Build this into your domain provisioning workflow so it happens automatically.

Pricing for SaaS Scale

The free plan covers 3 certificates -- enough to monitor your core platform endpoints while evaluating the tool. The Pro plan at $9/month covers unlimited certificates, which is what you need once you're monitoring custom domains and your full infrastructure.

For a SaaS company, $9/month is a fraction of the cost of a single customer support ticket during a certificate outage, let alone the SLA credits, churn risk, and engineering time an outage triggers.

Free

$0

  • Up to 3 items
  • Email alerts
  • Basic support

Pro

$9/month

  • Unlimited items
  • Email + Slack alerts
  • Priority support
  • API access

Get Started

  1. Monitor your highest-blast-radius certificates first: Add your wildcard certificate domain and API endpoint. These are the certificates where expiry affects every customer.
  2. Add customer-facing endpoints: Marketing site, documentation, status page, and any other public endpoints.
  3. Add customer custom domains: If you support custom domains, add each one. Build this into your domain provisioning flow for new customers.
  4. Set up alert routing: Route platform-critical alerts to your on-call. Route customer domain alerts to the customer success or infrastructure team.


Part of Boring Tools--boring tools for boring jobs.