Skip to main content
LIVE IN BETA · 104 EARLY ADOPTERS

Stop getting paged
at 2am for
expired certs

The complete certificate intelligence platform. Monitor SSL certificates, discover subdomains, track uptime from 20 global regions — all in one place.

TRY SSL CHECKER
Join 104+ early adopters monitoring their certificates
certwatch — certificates
$certwatch list --org production
CERTIFICATES (4 total, 1 warning)
HOSTNAMEEXPIRESDAYSSTATUSSOURCE
api.example.comMar 15, 202652● validpublic
dashboard.internalFeb 28, 202637● validagent
db.cluster.localFeb 03, 202612● expiringk8s
*.example.comJun 20, 2026149● validpublic
Alert sent to #ops-alerts: db.cluster.local expires in 12 days
74%
of orgs face cert outages
104+
early adopters
5min
check intervals
90d
certificate lifespans
// PLATFORM

Your certificate mission control

One platform for certificate monitoring, subdomain discovery, and global uptime tracking.

Monitor SSL certificates across public domains, private networks, and Kubernetes clusters.

Public domain scanning from global edge
Private infrastructure via lightweight agent
Native cert-manager integration
Multi-channel alerts (Slack, PagerDuty, Email)
Start Monitoring
certificates — production
DOMAINSTATUSDAYS
api.example.com● valid52
dashboard.internal● valid37
db.cluster.local● expiring12
// CERTIFICATE MONITORING

Monitor what others can't reach

Public domains, private networks, or Kubernetes clusters. Pick your method—or use all three.

Add any public domain. We check certificates from our global edge nodes every 5 minutes.

Zero installation
Full chain validation
OCSP revocation checks
5-minute intervals
// KUBERNETES NATIVE

The only SSL monitor that speaks
cert-manager natively

Auto-discover Certificate CRDs. Detect stuck ACME challenges. Monitor the full cert-manager lifecycle—not just TLS secrets.

Other SSL Monitors

Sees: TLS Secrets only
Monitors: Certificate expiration
Detects issues: After certificates fail
ACME challenges: Not monitored
cert-manager CRDs: Invisible

CertWatch

Sees: Certificate CRDs + TLS Secrets
Monitors: Full certificate lifecycle
Detects issues: Before they cause outages
ACME challenges: Tracks stuck challenges
cert-manager CRDs: Native integration
kubectl get certificate -Acert-manager.io/v1
NAMESPACENAMEREADYSECRETAGECERTWATCH
productionapi-tlsTrueapi-tls-secret45d● monitored
stagingweb-tlsTrueweb-tls-secret12d● monitored
productiondb-tlsFalsedb-tls-secret8h⚠ challenge stuck
CertWatch detected: ACME challenge stuck for 8h → Alert sent to #ops-alerts
$ helm install certwatch oci://ghcr.io/certwatch-app/helm-charts/cw-stack --set certManager.enabled=true
edge-network — global
20 REGIONS
NA5EU6APAC7SA1AF1
COMING SOON
// GLOBAL EDGE MONITORING

Monitor from everywhere,
not just one datacenter

Your users are global. Your monitoring should be too. Check SSL health and uptime from 20 edge locations simultaneously.

Available now: Beta users get instant access to 4 edge locations (US-East, US-West, EU-West, Asia-South) via our uptime checker tool while we build out all 20 regions.

20 edge locations

Monitor from North America, Europe, Asia Pacific, South America, and Africa.

60-second intervals

Check certificates and uptime every minute from all regions simultaneously.

Regional latency tracking

Identify slow regions and geographic-specific SSL issues.

CDN cache warming

Free bonus: keep your CDN cache warm with regular edge requests.

Get 4 Regions NowLive Monitor
COMING SOON
// CT LOG OBSERVATORY

See every certificate
issued for your domains

Certificate Transparency logs are public. We watch them for you. Know instantly when anyone issues a certificate for your domain—even subdomains you didn't know existed.

Subdomain discovery

Find certificates for subdomains you didn't know existed. CT logs reveal all.

Real-time alerts

Know within minutes when new certificates are issued for your domains.

Shadow IT detection

Discover rogue services deployed without approval. Catch them before they become problems.

Complete audit trail

Full inventory of all certificates ever issued for your domains. Nothing hidden.

Join Beta to Be FirstLive CT Logs
ct-observatory — example.comLIVE FEED
api.example.com
Issued by Let's Encrypt·2 min ago
staging.example.com
Issued by Let's Encrypt·5 min ago
You didn't know this!
internal-admin.example.com
Issued by ZeroSSL·12 min ago
Shadow IT detected
Watching for new certs...
// INTEGRATIONS

Alerts where your team works

Get notified in the tools you already use. No context switching, no missed alerts.

AVAILABLE NOW

Slack

LIVE

Real-time alerts in your workspace

PagerDuty

LIVE

Incident management integration

Email

LIVE

Notifications to any address

Webhooks

LIVE

Custom HTTP callbacks

COMING SOON

Discord

SOON

Alerts in your Discord server

Microsoft Teams

SOON

Alerts in Teams channels

Phone/SMS

SOON

Critical alerts via phone

Missing your favorite tool?Request it →
// FEATURES

Everything you need

No fluff. Just the features that prevent 2am pages.

Full chain validation

Validate entire certificate chains from leaf to root. Detect missing intermediates, expired certs, and self-signed issues.

Revocation checking

OCSP and CRL verification. Know if certificates are revoked before they cause issues.

5-minute intervals

Check certificates as frequently as every 5 minutes. Customizable alert thresholds at 30, 14, 7, or 1 day.

Multi-channel alerts

Slack, PagerDuty, Email, and Webhooks. Get notified where your team already works.

Prometheus metrics

Expose certificate metrics to Prometheus. Days until expiry, validity status, chain health.

Weak crypto detection

Detect weak RSA keys (<2048 bit), deprecated SHA1 signatures, and other security vulnerabilities.

┌─────────────────────────────────────────┐
│  More features shipping every sprint.   │
│  Request yours at github.com/certwatch  │
└─────────────────────────────────────────┘
// WHY CERTWATCH

Stop fighting with spreadsheets
and cron jobs

See how DevOps teams evolved from manual tracking to automated certificate monitoring.

1

Manual Tracking

Spreadsheets & calendar reminders

Certificates forgotten until they expire
No chain validation or security checks
Scales poorly beyond ~10 certificates
DomainExpiresRenewed?Notes
api.example.comMar 15, 2026...
db.internalJan 18, 2026EXPIRED!
2

DIY Scripts

Cron jobs with curl & openssl

Can't reach private network endpoints
Fragile parsing of openssl output
High maintenance burden
# /etc/cron.d/check-certs
*/30 * * * * /opt/scripts/check-certs.sh

# check-certs.sh
echo | openssl s_client -connect api.example.com:443 \
  2>/dev/null | openssl x509 -noout -dates | grep...

# ❌ Breaks when openssl output format changes
# ❌ Can't reach internal.db behind firewall
# ❌ No retry logic, no proper alerting
3

Other SSL Monitors

Public-only monitoring services

No private infrastructure support
No cert-manager integration
Limited to public domain scanning
# Other monitors can only scan public domains
$ curl https://api.sslmonitor.com/check
 -d domain=internal.database.local

Error: Domain not publicly accessible

# ❌ Your private infrastructure is invisible

CertWatch

The complete solution

Monitor public + private infrastructure
Native cert-manager integration
5-minute check intervals
Full chain & revocation validation
Multi-channel alerts (Slack, PagerDuty, etc)
Prometheus metrics included
# Deploy in 2 minutes
$ docker run -d cw-agent -e CW_API_KEY="your-key"

✓ Auto-discovered 47 certificates
✓ Monitoring public + private endpoints
✓ cert-manager integration active
✓ Prometheus metrics on :8080

# Zero maintenance. Just works.
// FAQ

Questions

Deploy our lightweight Docker agent inside your network. It pushes certificate data outbound—no inbound firewall rules needed. The agent is only 15MB and includes Prometheus metrics.

FREE DURING BETA

Start monitoring in
under 2 minutes

No credit card required. Help us shape the product and get early adopter perks when we launch.

Join 104+ early adopters
100 certificates
5-minute check intervals
Multiple alert channels
Kubernetes integration
90-day history
Team collaboration

Built by engineers who've been paged at 2am one too many times.