SSL Certificate Expiration Monitoring API

Prevent outages caused by expired or misconfigured certificates — with one request.

NetDiag runs TLS checks from 3 regions simultaneously and returns a single JSON with quorum and the fields you actually need: validity, expiry date, days remaining, issuer, protocol, and per-region results.

Try the API
JSON Output Regions: US · EU · APAC Quorum-based Status Free To Start
cURL
TLS certificate check via API
Live Response
READY TO CHECK TLS
JSON

How it works

1

You send a host

Pass a domain name (no full URL needed). Just the hostname like example.com.

2

TLS checks run from 3 regions

US, EU, and Asia-Pacific execute the same TLS handshake in parallel.

3

Results are aggregated with quorum

You get a single status even if one region behaves differently. 2 out of 3 = quorum met.

4

You get one JSON response

Includes validity, expiry, issuer, protocol, and per-region details. Evidence can be collected automatically.

What you get

Core fields (the ones you actually use)

certificateValid

Is the certificate valid right now?

expiresAt

Exact expiry timestamp (ISO 8601)

daysUntilExpiry

For alerting thresholds (7/14/30 days)

issuer / subject

Detect unexpected issuance changes

protocol

TLS version (useful for hardening)

quorum

Alert based on majority behavior

Common issues you can detect early

Cert expiring soon

7/14/30 day warning windows before it's too late

Chain/issuer changes

Detect unexpected changes after renewal

Region-specific differences

Multi-CDN mismatches, mis-routed traffic

Protocol downgrade

Unexpected TLS1.2 fallback on TLS1.3 endpoints

Handshake failures

Intermittent, regional, or load-balancer specific

Wrong certificate served

Per-region comparison catches misconfigs

Use cases

Prevent "it expired overnight" incidents

Schedule a daily check and alert before the renewal window becomes a fire drill. Never wake up to an outage again.

Catch partial rollouts and mismatched certs

When one region still serves the old cert (or a wrong one), you'll see it immediately in the per-region results.

Prove what happened during an outage

Per-region TLS results give you evidence for postmortems and vendor tickets. No more "we can't reproduce it".

Best for: SaaS, APIs, CDNs, and anything behind a load balancer

FAQ

What's the difference between "SSL monitoring" and "certificate expiration monitoring"?
Expiration monitoring focuses on days remaining and expiry date so you can alert before downtime. SSL monitoring often also covers validity, issuer/chain changes, and handshake failures. NetDiag does both.
Do I need to provide a full URL?
No. Use a host (domain) like example.com. This avoids storing or leaking sensitive paths and query strings.
Why multi-region TLS checks?
CDNs, load balancers, and routing can cause different regions to hit different edges — and sometimes different certificates. Single-location checks miss that. Multi-region catches geo-specific issues immediately.
What does "quorum" mean here?
Quorum lets you treat "2 out of 3 regions are healthy" differently than "1 out of 3". It's a practical way to avoid noisy alerts while still catching real problems. You decide the threshold.
What should I alert on?
Common thresholds:
  • 30 days: early warning (renewal planning)
  • 14 days: action required
  • 7 days: urgent
Also alert on issuer/subject changes if you care about strict compliance.
Can NetDiag detect a wrong certificate?
Yes — by comparing per-region TLS results (issuer/subject/expiry). It's especially useful when traffic routes differently across regions or when a CDN edge serves an unexpected cert.
Does ICMP/ping matter for TLS monitoring?
No. TLS checks are over TCP/TLS. Ping is optional and used for general reachability checks. For certificate monitoring, only the TLS handshake matters.
Do you store the certificate or my traffic?
NetDiag returns TLS metadata needed for diagnostics (expiry, issuer, protocol, etc.). We don't store your private keys or intercept any actual traffic. For detailed data handling, see /privacy.