Your customers discover certificate expiry before your team does — unless you monitor
An expired SSL certificate is not a technical glitch — it is a visible outage. Browsers block. API integrations fail. Support calls flood in. CertControl alerts the right people well in advance — not a shared inbox nobody watches.
14-day free trial · No credit card required · EU hosted
An expired certificate doesn't just take down the website
Most people think of the browser warning. But certificate expiry hits broadly: API integrations fail silently, internal systems using mutual TLS stop communicating, and mail servers get rejected. The fallout compounds faster than you can complete a renewal under pressure.
What happens without monitoring
- Browsers show "Your connection is not private" — users leave
- API calls return SSL errors — integrations stop without warning
- Support calls flood in — customers report the problem before anyone internally knows
- Outages are discovered by customers, not the IT team
- Emergency renewal under pressure — mistakes and stress compound the problem
What happens with CertControl
- Alerts at 60, 30, 14, and 7 days before certificate expiry
- Named recipients — not an inactive shared inbox
- Unified expiry overview across all certificates, sorted by deadline
- ACME integration for automatic certificate requests via Let's Encrypt
- Audit log documenting proactive handling for NIS2 audits
Manual expiry management is running out of time
The CA/Browser Forum has decided to significantly reduce TLS certificate lifetimes heading into 2029. For an organisation with 1,000 certificates, a 47-day maximum means up to 8,000 renewals per year. That is not a number you can manage in a spreadsheet.
Days maximum. Automation is already an advantage today — in a year, it will be a hard requirement.
Days maximum. Manual renewal frequency doubles — the same effort for half the certificate lifetime.
Days maximum. ACME integration is the only scalable solution at that point.
Alerts that reach the right person — with enough context to act immediately
An alert is only useful if it reaches the person who can act on it, with enough context that they know exactly what to do. CertControl does not send generic notifications to shared inboxes.
Thresholds you define
Set alerts at 60, 30, 14, 7, and 1 day before certificate expiry. Critical systems can have additional thresholds. Configure per endpoint group — not just globally.
Named recipients
Alerts go to specific email addresses — not a generic inbox that nobody monitors. Set up primary and backup recipients per certificate or group.
Webhooks to your channels
Send alerts to Slack, Microsoft Teams, PagerDuty, or any system that accepts HTTP POST. Certificate expiry surfaces in the channel your team already uses for operational alerts.
ACME certificate requests
CertControl requests certificates via ACME and Let's Encrypt — HTTP-01 and DNS-01 challenges are handled automatically, and private keys are stored encrypted. The issued certificate is installed manually on your server as a single final step.
Expiry overview
A unified dashboard shows all certificates sorted by expiry date. Red, amber, green — you see at a glance what needs action today and what is coming up.
Audit log and documentation
All alerts, acknowledgements, and renewals are logged automatically. The documentation is ready for NIS2 audits or internal review — you do not need to piece it together after the fact.
Frequently asked questions
What happens when a TLS certificate expires?
Browsers display a security warning and block access — users see the error, not the IT team. API calls fail with SSL errors and integrations stop without warning. Services that use the certificate for authentication stop working. The result is an outage discovered by customers, an emergency renewal under pressure, and potential NIS2 compliance problems.
When should I send the first certificate expiry alert?
For standard certificates: 30 and 14 days. For critical production systems: add 60 days as an early warning. Think about your actual renewal process — if it requires internal approval, an alert 7 days before expiry is too late. With the upcoming 47-day certificates, the first alert should go out at 21 days.
Does CertControl support ACME certificate requests?
Yes. CertControl integrates with the ACME protocol and automatically requests certificates via Let's Encrypt and other ACME-compatible CAs — HTTP-01 and DNS-01 challenges are handled automatically. Private keys are stored encrypted with AES-256-GCM. The issued certificate is installed manually on your server.
Does CertControl monitor internal certificates?
Yes. The CertControl agent scans internal networks behind a firewall and includes internal certificates in the combined expiry monitoring and alerting. AD, mail, intranets, and CI/CD systems are monitored on exactly the same terms as internet-facing endpoints.