> ## Documentation Index
> Fetch the complete documentation index at: https://docs.devhelm.io/llms.txt
> Use this file to discover all available pages before exploring further.

# SSL Certificate Monitoring

> Monitor SSL/TLS certificate expiration with DevHelm HTTP monitor assertions

By the end of this guide, you'll have an HTTP monitor that alerts you before your TLS certificates expire, giving you time to renew.

<Accordion title="Prerequisites">
  * DevHelm CLI installed or an API token
  * An HTTPS endpoint to monitor
</Accordion>

## Add an SSL expiry assertion

The `ssl_expiry` assertion checks how many days remain before the TLS certificate expires. Add it to any HTTP monitor:

<CodeGroup>
  ```bash CLI theme={null}
  devhelm monitors create \
    --name "example.com SSL" \
    --type HTTP \
    --url https://example.com \
    --frequency 3600 \
    --regions us-east,eu-west \
    --assertion 'ssl_expiry>=30' \
    --assertion '{"severity":"fail","config":{"type":"ssl_expiry","minDaysRemaining":14}}'
  ```

  ```yaml devhelm.yml theme={null}
  monitors:
    - name: example.com SSL
      type: HTTP
      config:
        url: https://example.com
        method: HEAD
        verifyTls: true
      frequencySeconds: 3600
      regions:
        - us-east
        - eu-west
      assertions:
        - config:
            type: ssl_expiry
            minDaysRemaining: 14
          severity: fail
        - config:
            type: ssl_expiry
            minDaysRemaining: 30
          severity: warn
  ```
</CodeGroup>

This setup:

* **Warns** at 30 days — time to plan renewal
* **Fails** at 14 days — urgent action needed

In the CLI, the shorthand `--assertion 'ssl_expiry>=N'` creates a warn-severity assertion; pass a JSON object (as above) when you need fail severity. To add an assertion to an existing monitor, use `POST /api/v1/monitors/{monitorId}/assertions` with a body like `{"severity": "fail", "config": {"type": "ssl_expiry", "minDaysRemaining": 14}}`.

## Choosing thresholds

| Threshold      | Use case                                           |
| -------------- | -------------------------------------------------- |
| 30 days (warn) | Standard renewal reminder with plenty of lead time |
| 14 days (fail) | Critical alert — certificate is close to expiring  |
| 7 days (fail)  | Emergency — immediate action required              |

<Tip>
  If you use auto-renewal (Let's Encrypt, AWS ACM), set a shorter fail threshold (7 days). The warn threshold still catches renewal failures early.
</Tip>

## Check frequency

Certificate expiry doesn't change rapidly, so checking every hour (`3600`) or every 6 hours (`21600`) is sufficient. This saves check quota while still catching issues promptly.

## Combine with other assertions

SSL monitoring works alongside other HTTP assertions:

```yaml theme={null}
assertions:
  - config:
      type: status_code
      expected: "200"
      operator: equals
    severity: fail
  - config:
      type: response_time
      thresholdMs: 5000
    severity: warn
  - config:
      type: ssl_expiry
      minDaysRemaining: 14
    severity: fail
```

## TLS verification

Set `verifyTls: true` (the default) to also catch invalid certificates, hostname mismatches, and untrusted CAs — the check fails immediately rather than just triggering the expiry assertion.

Set `verifyTls: false` only for self-signed certificates in development environments.

## Next steps

<CardGroup cols={2}>
  <Card title="HTTP assertions" icon="list-check" href="/monitoring/http/assertions">
    Full list of HTTP assertion types.
  </Card>

  <Card title="Alerting guide" icon="bell" href="/guides/alerting">
    Route certificate warnings to specific channels.
  </Card>

  <Card title="Monitors guide" icon="signal" href="/guides/monitors">
    Configure all monitor types.
  </Card>
</CardGroup>
