Why Monitor SSL Certificates?

Expired SSL/TLS certificates cause browser warnings, break user trust, and can take down entire services. Despite free, automatable certificates from Let's Encrypt, certificate-related outages still happen regularly, even at major companies.

What to Monitor

Expiration Date

The most critical check. Certificates typically last 90 days (Let's Encrypt) or up to a year (publicly trusted CAs cap validity at 398 days). You want alerts well before expiry; 30 days is a common threshold for one-year certificates. For 90-day certificates that auto-renew at 30 days remaining, set the threshold below the renewal point (say 14 days), otherwise the alert fires on every cycle and stops meaning anything.

Certificate Chain

A valid certificate needs a complete chain from your leaf certificate through the intermediates to a trusted root CA. Browsers often fetch a missing intermediate themselves (using the AIA URL embedded in the certificate), so the site looks fine in Chrome while curl, Java clients, and mobile apps fail. A monitor should check the chain the server actually sends, not what a browser repairs.

TLS Version

TLS 1.0 and 1.1 are deprecated (RFC 8996). Your server should support TLS 1.2 at minimum, preferably TLS 1.3.

Key Strength

RSA keys should be at least 2048 bits. ECDSA P-256 or P-384 are also acceptable and faster.

Subject Alternative Names (SANs)

Verify that every hostname you serve is listed in the certificate's SANs; modern browsers ignore the Common Name entirely. A wildcard such as *.example.com covers exactly one label, so it matches api.example.com but neither example.com nor deep.app.example.com.

Automating Certificate Checks

curl "https://api.dnstoolkit.io/dns/certificate?domain=yourdomain.com"

The DNS Toolkit API returns comprehensive certificate information in a single call:

  • Issuer and subject details
  • Validity dates with days until expiration
  • Certificate chain analysis
  • TLS version and cipher suite
  • All Subject Alternative Names
  • OCSP stapling status

Building a Monitoring Script

Combine the certificate API with a cron job or scheduled task to check your domains daily:

import os
import sys
import httpx

domains = ["example.com", "api.example.com", "app.example.com"]
api_key = os.environ["DNSTOOLKIT_API_KEY"]  # keep the key out of source control
failed = False
for domain in domains:
    resp = httpx.get("https://api.dnstoolkit.io/dns/certificate",
                     params={"domain": domain},
                     headers={"X-API-Key": api_key}, timeout=10)
    resp.raise_for_status()  # an API error must not pass as a healthy certificate
    cert = resp.json()
    if cert["days_remaining"] < 30:
        print(f"WARNING: {domain} expires in {cert['days_remaining']} days")
        failed = True
sys.exit(1 if failed else 0)  # non-zero exit lets cron or CI page on a finding
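The script above only looks at days_remaining. The SAN check from "What to Monitor" and an expiry threshold that scales with the certificate's lifetime are worth adding to the same job. The following is an added example, not code from this post or from DNS Toolkit: it runs offline against a constructed sample response, and the field names not_before, not_after and san are assumptions about the response shape, not the documented API schema. Wildcard matching follows RFC 6125 (the asterisk is the whole left-most label and matches exactly one label); the threshold rule of min(30, lifetime / 6) days is a heuristic, not a standard.

```python
import json
from datetime import datetime, timezone

# Constructed sample, shaped like the fields listed above. The key names
# (not_before, not_after, san) are assumptions, not the API's documented schema.
SAMPLE_RESPONSE = json.dumps({
    "subject": "example.com",
    "issuer": "R3",
    "not_before": "2024-01-01T00:00:00Z",
    "not_after": "2024-03-31T00:00:00Z",
    "san": ["example.com", "*.example.com"],
})

# Hostnames we actually serve; the last one is deliberately not covered.
REQUIRED_HOSTS = ["example.com", "api.example.com",
                  "app.example.com", "deep.app.example.com"]


def parse_utc(stamp):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def san_matches(san, host):
    """Match a hostname against one SAN entry using RFC 6125 wildcard rules:
    '*' is only allowed as the whole left-most label and matches exactly one label."""
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    san_labels = san.split(".")[1:]
    host_labels = host.split(".")
    # Same label count and identical parent labels: *.example.com covers
    # api.example.com but neither example.com nor deep.app.example.com.
    return len(host_labels) == len(san_labels) + 1 and host_labels[1:] == san_labels


def uncovered_hosts(sans, required):
    """Hostnames from `required` that no SAN entry covers."""
    return [h for h in required if not any(san_matches(s, h) for s in sans)]


def alert_threshold_days(lifetime_days):
    """Scale the alert point to the certificate's lifetime (a heuristic, not a standard):
    30 days for one-year certs, 15 days for 90-day certs that auto-renew at 30."""
    return min(30, lifetime_days // 6)


def assess(response_json, required_hosts, now=None):
    """Turn one API response into findings a monitoring job can alert on."""
    cert = json.loads(response_json)
    now = now or datetime.now(timezone.utc)
    not_before = parse_utc(cert["not_before"])
    not_after = parse_utc(cert["not_after"])
    remaining = (not_after - now).days
    threshold = alert_threshold_days((not_after - not_before).days)
    return {
        "days_remaining": remaining,
        "threshold_days": threshold,
        "expiring": remaining < threshold,
        "uncovered": uncovered_hosts(cert["san"], required_hosts),
    }


if __name__ == "__main__":
    findings = assess(SAMPLE_RESPONSE, REQUIRED_HOSTS)
    for host in findings["uncovered"]:
        print(f"WARNING: {host} is not covered by the certificate's SANs")
    if findings["expiring"]:
        print(f"WARNING: certificate expires in {findings['days_remaining']} days")
```

In a real job, replace SAMPLE_RESPONSE with resp.text from the API call and drop the `now` argument; the `now` parameter exists so the decision logic can be tested against fixed dates.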

Pairing with Security Headers

While checking certificates, also audit your HTTP security headers:

curl "https://api.dnstoolkit.io/dns/security-headers?domain=yourdomain.com"

This checks for HSTS, CSP, X-Frame-Options, and other headers that complement your TLS configuration.
