CertWatch: 18 validators for everything that breaks when your cert does
The last time a certificate expiry caused an outage at a company I worked with, the alert came from a customer reporting they couldn't log in. The cert had expired at 4 AM. Nobody noticed until 9:30 AM when support started getting calls.
SSL certificate expiry alerts are solved. Dozens of monitoring tools send you an email 30 days before expiry. What's not solved is the rest of the picture — the other 17 things that go wrong around certificates and domains.
CertWatch is the tool I built to cover all of them.
The 18 validators
SSL/TLS
- Certificate expiry — 90/60/30/14/7/3/1 day thresholds, configurable per domain
- TLS version — flags TLS 1.0/1.1 (deprecated, still common on legacy servers), warns on TLS 1.2 when 1.3 is available
- Certificate chain — validates the full chain, flags self-signed roots, detects missing intermediates
- Certificate transparency — verifies the cert is in at least one CT log; missing = not trusted by Chrome in 2024+
DNS
- DNS CAA record — verifies CAA records restrict cert issuance to your intended CAs. No CAA = any CA can issue. CRITICAL severity if none found.
- DNS propagation checker — validates your DNS changes have propagated to 8.8.8.8, 1.1.1.1, 8.8.4.4, and 208.67.222.222 consistently. Catches split-brain scenarios.
- DNSSEC validator — checks RRSIG records, DNSKEY presence, and DS record in parent zone. DNSSEC misconfiguration causes resolution failures, not gradual degradation.
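To make the CAA rule concrete, here is an added example (not CertWatch's own code) that evaluates a CAA policy offline against a constructed zone snapshot. It applies the RFC 8659 lookup rule that the relevant CAA set is the first non-empty one found walking from the name up to the root, so a subdomain without its own CAA inherits its parent's policy, and a name with no CAA anywhere is open to every CA; the `ZONE` data, the `.test` names and the `unknowntag` property are constructed for illustration.

```python
# Added example (not CertWatch's own code): evaluate a CAA policy offline on a
# constructed zone snapshot. It applies the RFC 8659 lookup rule that the relevant
# CAA set is the first non-empty one found walking from the name up to the root,
# so a subdomain with no CAA of its own inherits its parent's policy, and a name
# with no CAA anywhere is open to every CA (the CRITICAL case above).
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # bit value 128 = issuer-critical
    tag: str     # "issue", "issuewild", "iodef", or a tag an issuer may not know
    value: str   # issuer domain (optionally followed by ";params"), or ";" for none

# Constructed records for illustration; shop.example.com deliberately has none.
ZONE = {
    "example.com": [CAA(0, "issue", "letsencrypt.org"), CAA(0, "issuewild", ";")],
    "locked.test": [CAA(0, "issue", ";"), CAA(128, "unknowntag", "x")],
}

def relevant_caa(name, zone):
    """Return (owner, records) of the closest CAA set at or above name."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return "", []

def may_issue(name, ca, zone):
    """Could CA `ca` issue for `name`? A leading "*." marks a wildcard request."""
    wildcard = name.startswith("*.")
    _, records = relevant_caa(name[2:] if wildcard else name, zone)
    if not records:
        return True                      # no CAA anywhere: any CA may issue
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in records):
        return False                     # critical property the issuer must not ignore
    tags = {r.tag for r in records}
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if tag not in tags:
        return True                      # records present but no issue restriction
    allowed = {r.value.split(";")[0].strip().lower() for r in records if r.tag == tag}
    return ca.lower() in allowed         # ";" strips to "" and so matches no CA

def caa_finding(name, zone):
    owner, records = relevant_caa(name, zone)
    if not records:
        return f"CRITICAL: no CAA record for {name}; any CA can issue"
    return f"OK: CAA policy for {name} set at {owner}"
```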
HTTP behavior
- HSTS header — checks Strict-Transport-Security presence, max-age ≥ 31536000 (1 year), includeSubDomains, preload flag
- HSTS preload status — queries the Chromium preload list to confirm your domain is actually preloaded, not just configured for it
- HTTP→HTTPS redirect chain — validates the redirect path, flags redirect chains longer than 2 hops, detects redirect loops, checks for open redirects
- Mixed content — detects HTTP resources on HTTPS pages (images, scripts, iframes) that would cause browser security warnings
Security headers
- Content-Security-Policy — detects missing CSP, unsafe-inline, unsafe-eval, wildcard origins
- Cookie security — checks the Secure and HttpOnly flags and the SameSite attribute on cookies from Set-Cookie response headers, and flags their absence. Missing Secure on an auth cookie over HTTPS is a common OWASP finding.
- Subresource Integrity — checks whether <script> and <link> tags loading from third-party CDNs have integrity attributes. SRI is what prevented the Polyfill.io supply chain compromise from being worse.
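The HSTS, CSP and cookie checks above can all be done on captured response headers without touching the network. This added example (not CertWatch's own code) does that; severities follow the page where it gives one (HIGH for HSTS max-age too low or CSP missing, MEDIUM for a missing SameSite), the rest are my own assignment, and the `SAMPLE` headers are constructed.

```python
# Added example (not CertWatch's own code): offline checks for the HSTS, CSP and
# Set-Cookie headers listed above. Severities follow the page where it gives one
# (HIGH: HSTS max-age too low or CSP missing; MEDIUM: SameSite missing); the
# rest are my assignment, not CertWatch's.
import re

def check_hsts(value):
    # value is the Strict-Transport-Security header, or None if absent
    if value is None:
        return [("HIGH", "HSTS header missing")]
    d = {k.strip().lower(): v.strip() for k, _, v in (p.strip().partition("=") for p in value.split(";"))}
    max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
    findings = [("HIGH", f"HSTS max-age {max_age} below 31536000")] if max_age < 31536000 else []
    for key, sev in (("includesubdomains", "MEDIUM"), ("preload", "LOW")):
        if key not in d:
            findings.append((sev, f"HSTS missing {key} directive"))
    return findings

def check_csp(value):
    if value is None:
        return [("HIGH", "Content-Security-Policy missing")]
    findings = [("MEDIUM", f"CSP allows {kw}") for kw in ("'unsafe-inline'", "'unsafe-eval'") if kw in value]
    if re.search(r"(^|[\s;])\*(?=[\s;]|$)", value):   # a bare * source token
        findings.append(("MEDIUM", "CSP uses a wildcard origin"))
    return findings

def check_cookie(set_cookie):
    # flags Secure / HttpOnly / SameSite absence on one Set-Cookie value
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    wanted = (("secure", "HIGH", "Secure"), ("httponly", "MEDIUM", "HttpOnly"),
              ("samesite", "MEDIUM", "SameSite attribute"))
    return [(sev, f"Cookie '{name}' missing {label}") for key, sev, label in wanted if key not in attrs]

def check_headers(headers):
    # headers: (name, value) pairs as received; Set-Cookie may repeat
    single = {k.lower(): v for k, v in headers if k.lower() != "set-cookie"}
    findings = check_hsts(single.get("strict-transport-security"))
    findings += check_csp(single.get("content-security-policy"))
    for k, v in headers:
        if k.lower() == "set-cookie":
            findings += check_cookie(v)
    return findings

# Constructed response headers for illustration, not captured from a real site.
SAMPLE = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
          ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
          ("Set-Cookie", "session=abc123; Secure; HttpOnly"),
          ("Set-Cookie", "theme=dark; Path=/")]
```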
Platform-specific
- OCSP stapling — checks whether the server is stapling an OCSP response. Without stapling, every TLS handshake requires a round-trip to the CA's OCSP server — latency + privacy.
- Wildcard certificate usage — identifies wildcard certs (*.example.com) and flags CRITICAL if they cover apex + wildcard (e.g., *.example.com + example.com in the same cert). A compromised wildcard key exposes every name the wildcard covers, so the blast radius is broader.
- Public key pinning status — detects HPKP headers (deprecated, dangerous if misconfigured) and certificate pinning (mobile app context). Reports pinning state without asserting it should or shouldn't be there.
- Cipher suite analysis — connects via TLS and enumerates which ciphers the server accepts. Flags known-weak ciphers (RC4, DES, 3DES, export-grade) and notes perfect-forward-secrecy status.
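As an added example (not CertWatch's own code), the wildcard rule above applied to a certificate's SAN list, together with the blast-radius view the rule is really about: which hosts in your own inventory a wildcard entry is valid for. Matching follows the RFC 6125 convention that a wildcard stands for exactly one label; the SAN lists and the `INVENTORY` hostnames are constructed.

```python
# Added example (not CertWatch's own code): the wildcard rule above applied to a
# certificate's SAN list, plus the blast-radius view the rule is really about:
# which hosts in your own inventory a wildcard entry covers. The inventory and
# SAN lists here are constructed for illustration.
def covers(hostname, san):
    """RFC 6125 matching: a leading "*" stands for exactly one label, so
    *.example.com covers www.example.com but not example.com or a.b.example.com."""
    hostname, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return hostname == san
    head, _, tail = hostname.partition(".")
    return bool(head) and tail == san[2:]

def wildcard_findings(sans):
    """Report every wildcard SAN; CRITICAL when its apex is in the same cert."""
    names = {s.lower().rstrip(".") for s in sans}
    findings = []
    for san in sorted(names):
        if not san.startswith("*."):
            continue
        apex = san[2:]
        if apex in names:
            findings.append(("CRITICAL", f"{san} and apex {apex} in the same certificate"))
        else:
            findings.append(("LOW", f"wildcard certificate in scope: {san}"))
    return findings

def blast_radius(sans, inventory):
    """Hosts from inventory that any SAN in the cert would be valid for."""
    return sorted(h for h in inventory if any(covers(h, s) for s in sans))

# Constructed inputs for illustration.
APEX_AND_WILDCARD = ["example.com", "*.example.com"]
INVENTORY = ["example.com", "www.example.com", "api.example.com",
             "dev.api.example.com", "example.org"]
```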
What the weekly digest looks like
CertWatch — weekly summary — cwfrazier.com
✓ TLS 1.3 only — no deprecated protocol support
✓ Certificate valid — expires 2026-09-15 (80 days)
✓ CT logs verified — 2 logs
⚠ CAA record missing — any CA can issue for cwfrazier.com
✓ HSTS max-age 31536000, includeSubDomains, preload
✓ Preload list: confirmed
✓ HTTP→HTTPS: clean redirect, 1 hop
✓ CSP header present
⚠ Cookie 'session' missing SameSite attribute
✓ SRI on all third-party scripts
✓ OCSP stapling active
✓ No weak ciphers detected
2 warnings across 18 checks.
Add CAA record: TYPE257 0 issue "letsencrypt.org"
Set-Cookie: session=...; Secure; HttpOnly; SameSite=Strict
How the alerting works
CertWatch runs validators on a schedule you configure per domain. Thresholds are configurable: you can set cert expiry warnings at 90/30/14 days or customize to 45/14/3. Alerts go to email, Slack, or PagerDuty.
The severity model:
- CRITICAL — requires action before next business day (CAA missing, cert expires in < 7 days, TLS 1.0 active, known-weak cipher in use)
- HIGH — requires action this week (cert expires in < 14 days, HSTS max-age too low, missing CSP)
- MEDIUM — should fix in next sprint (SameSite missing, OCSP not stapling, no SRI on third-party scripts)
- LOW — informational (TLS 1.2 in use when 1.3 available, wildcard cert in scope)
Who this is for
CertWatch is useful for teams that:
- Operate multiple domains across multiple environments (prod, staging, preview) and can't manually track 18 signals × N domains
- Need to demonstrate security posture for SOC 2 or pen test remediation
- Ship frequently and want cert-related issues caught before customers see them
The SRI and cookie security validators catch things that routinely appear in penetration test reports — findings that turn into expensive remediation tickets. Catching them in weekly monitoring is cheaper.
CertWatch is in early access.