Certificate Monitoring
Continuous SSL/TLS certificate health monitoring with expiration alerts, protocol/cipher inspection, and auto-discovery across subdomains.
WASViking® Certificate Monitoring runs continuous health checks on SSL/TLS certificates for assets the customer owns. Expiring certificates, weak chains, hostname mismatches, and deprecated protocols are surfaced with risk scoring, and operators get email alerts well before expiry.
This is the portal section at Certificates → Certificate Monitoring (and Certificates → Certificate Events for the timeline).
Enable per asset
Certificate Monitoring is opt-in per asset, set at asset creation or edit time. Open Assets Inventory → Add New Asset (or edit an existing asset) and toggle Monitor SSL.
Enable this option to automatically monitor the SSL certificate expiration of this domain. You will be notified by email 7 days before expiration. If this is a root domain, discovered subdomains will also be monitored.
Monitoring Scope
When the toggle is on, choose the scope:
| Scope | What it monitors |
|---|---|
| Only this domain | The exact hostname on the asset. |
| Domain and discovered subdomains | The root domain plus any subdomains WASViking discovers via passive enumeration (certificate transparency logs, DNS, crawl signals). |
Choosing the broader scope is how a single asset can grow into a list of dozens of monitored hostnames automatically. See Subdomain discovery for the discovery model.
Notification cadence
WASViking sends expiry alerts in advance. Defaults: 30 / 15 / 7 days before expiration. Three independent thresholds, fully configurable.
Configure under Settings → System Settings → Notifications & Alerts → SSL Expiration – Notify in advance.
| Threshold | Default | Editable |
|---|---|---|
| First warning | 30 days | Yes |
| Second warning | 15 days | Yes |
| Final warning | 7 days | Yes |
Routes to the alert destinations configured for your organization (email, Slack, Teams, webhook).
In the portal
SSL Certificates Overview
Three KPI cards summarize the org-wide state.
| Card | Meaning |
|---|---|
| Expiring in N Days | Count of certificates whose notAfter falls within the selected period (filter at the top of the page). |
| Active Certificates | Count of certificates currently in a Valid state. |
| Total Certificates | All certificates the monitor is tracking, including expired and revoked. |
A Filter by Period control switches the lookahead window
(Next 7 days, Next 30 days, Next 1 Year, etc.).
SSL Certificate Monitoring table
| Column | Meaning |
|---|---|
| Subdomain | Hostname being monitored. |
| Last Checked | When the monitor last reached the host. |
| Expiration Date | The certificate's notAfter. |
| Days Remaining | Days until expiry, badge-color-coded by risk. |
| Status | Valid or Expiring Soon. Expired certificates surface as findings. |
| SANs (Count) | Subject Alternative Names on the certificate; click to expand. |
| Monitoring | Per-row toggle to pause/resume monitoring without removing the asset. |
| Action | View Report opens the certificate risk detail. |
Certificate risk detail
Click View Report to open the risk modal. It carries:
- Status badge (
Valid,Expiring Soon,Expired). - Risk badge (
Low,Medium,High,Critical). - Expiration warning prose when expiry is imminent.
Certificate overview table:
| Field | Notes |
|---|---|
| Subdomain | Hostname. |
| Valid until | The notAfter of the certificate. |
| Days until expiry | Convenience field for triage. |
| Protocol | Negotiated TLS protocol (TLSv1.2, TLSv1.3). |
| Cipher suite | Negotiated cipher (e.g., TLS_AES_256_GCM_SHA384 (256 bits)). |
| Issuer | The certificate's Issuer CN (e.g., Let's Encrypt). |
| SANs | Subject Alternative Names list. |
Certificate Events
A second portal page, Certificates → Certificate Events, lists transitions over time:
- Certificate first observed.
- Certificate renewed (new fingerprint).
- Issuer changed.
- Protocol downgraded.
- Cipher weakened.
- Hostname mismatch detected.
- Certificate expired.
Events are append-only and feed both the audit log and webhooks.
Risk amplification on the Asset
In Assets Inventory, each asset row shows an SSL Monitoring
column (Enabled / Disabled) and a Risk Exposure column with
per-severity badges. An asset with monitoring enabled and an expiring
certificate is amplified in the Risk Exposure score.
What turns into a Finding
Certificate Monitoring promotes a Finding when:
- The certificate is expired.
- The certificate is within the final warning threshold (7 days default) without a renewal observed.
- The certificate uses a weak cipher or deprecated protocol (TLSv1.0, TLSv1.1).
- The certificate has a hostname mismatch.
- The certificate chain is broken.
Findings inherit the standard Findings workflow, with status transitions and webhook events.
Plan availability
Certificate Monitoring is available on all plans, with per-plan caps on the number of monitored certificates.
| Plan | Monitored certificates |
|---|---|
| Starter | Limited cap. |
| Pro | Higher cap. |
| Enterprise | Negotiable. |
Tracked under Settings → Usage.
What it does NOT do
- No certificate issuance or renewal. WASViking monitors and alerts; renewal is the operator's responsibility (Let's Encrypt automation, ACME, vendor portal, etc.).
- No private key inspection. The monitor reads the public certificate via standard TLS handshake.
- No CA-side telemetry. WASViking does not query Certificate Transparency logs to enumerate beyond what is needed for subdomain discovery on monitored root domains.
Where it lives in the portal
- Certificates → Certificate Monitoring: dashboard, table, risk detail.
- Certificates → Certificate Events: transitions timeline.
- Assets Inventory: per-asset Monitor SSL toggle and scope selector.
- Settings → System Settings → Notifications & Alerts: SSL expiry advance thresholds.
- Findings: filter by category
tls_misconfigurationorcertificate_expired.