
CertWatch: 18 validators for everything that breaks when your cert does

June 27, 2026 · certwatch, ssl, monitoring, devops, security

The last time a certificate expiry caused an outage at a company I worked with, the alert came from a customer reporting they couldn't log in. The cert had expired at 4 AM. Nobody noticed until 9:30 AM, when support started getting calls.

SSL certificate expiry alerts are solved. Dozens of monitoring tools send you an email 30 days before expiry. What's not solved is the rest of the picture — the other 17 things that go wrong around certificates and domains.

CertWatch is the tool I built to cover all of them.

The 18 validators

SSL/TLS

DNS

HTTP behavior

Security headers

Platform-specific

What the weekly digest looks like

CertWatch — weekly summary — cwfrazier.com

✓  TLS 1.3 only — no deprecated protocol support
✓  Certificate valid — expires 2026-09-15 (80 days)
✓  CT logs verified — 2 logs
⚠  CAA record missing — any CA can issue for cwfrazier.com
✓  HSTS max-age 31536000, includeSubDomains, preload
✓  Preload list: confirmed
✓  HTTP→HTTPS: clean redirect, 1 hop
✓  CSP header present
⚠  Cookie 'session' missing SameSite attribute
✓  SRI on all third-party scripts
✓  OCSP stapling active
✓  No weak ciphers detected

2 warnings across 18 checks.
Add CAA record: TYPE257 0 issue "letsencrypt.org"
Set-Cookie: session=...; Secure; HttpOnly; SameSite=Strict

How the alerting works

CertWatch runs validators on a schedule you configure per domain. Thresholds are configurable: you can set cert expiry warnings at 90/30/14 days or customize to 45/14/3. Alerts go to email, Slack, or PagerDuty.

The severity model:

Who this is for

CertWatch is useful for teams that:

The SRI and cookie security validators catch things that routinely appear in penetration test reports — findings that turn into expensive remediation tickets. Catching them in weekly monitoring is cheaper.
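An added example, not CertWatch's own code, of the cookie-attribute and SRI checks named above, written in Python. The function names, sample headers and sample HTML are constructed, and "third-party" is assumed to mean a script whose host differs from the page host.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

REQUIRED = ("secure", "httponly", "samesite")  # attributes the digest's fix line sets

# Constructed sample data, not captured from a real site.
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Strict",
]
SAMPLE_HTML = """
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-CONSTRUCTED"></script>
<script src="//widgets.example.org/w.js"></script>
<script>console.log("inline")</script>
"""


def missing_cookie_attrs(set_cookie):
    """Return (cookie name, required attributes absent from one Set-Cookie value)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; attribute values are not judged here.
    present = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, [a for a in REQUIRED if a not in present]


class _Scripts(HTMLParser):
    """Collects the attributes of every <script> start tag."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.found.append(dict(attrs))


def scripts_missing_sri(html, page_host):
    """Return src values of cross-origin scripts that carry no integrity attribute."""
    parser = _Scripts()
    parser.feed(html)
    flagged = []
    for attrs in parser.found:
        host = urlparse(attrs.get("src") or "").hostname  # None: inline or relative src
        if host and host.lower() != page_host.lower() and not attrs.get("integrity"):
            flagged.append(attrs["src"])
    return flagged
```

The host comparison ignores scheme and port, so it is looser than a strict same-origin test; feed it each `Set-Cookie` value and the page body from a monitored response.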

CertWatch is in early access.