URL Monitors¶
Overview¶
URL Monitors allow CertMS to actively monitor SSL/TLS certificates presented by websites and web services. By regularly scanning specified URLs, CertMS tracks certificate details, expiration dates, and changes — ensuring you're alerted before certificates expire or are modified unexpectedly.
URL monitoring is ideal for:
- Public-facing websites
- Internal web applications
- API endpoints
- Load balancers and reverse proxies
- Any HTTPS service requiring certificate monitoring
Prerequisites¶
Before configuring URL monitors, ensure you have:
- The URLs and ports you want to monitor
- Network connectivity between CertMS scanners and target URLs
- Firewall rules allowing outbound HTTPS connections from scanners
- Appropriate permissions in CertMS to create monitors
Creating a URL Monitor¶
Step 1: Access URL Monitor Management¶
- In the left-hand navigation menu, click URL Monitors
- Review existing monitors and their status
Step 2: Create a New Monitor¶
- Click Create New URL Monitor
- Complete the configuration fields:
| Field | Description | Example |
|---|---|---|
| Monitor Name | Descriptive name for this monitor (required) | Production API - api.example.com |
| URL | Full URL or hostname to monitor (required) | https://www.example.com |
| Port | TCP port for the SSL/TLS connection (default: 443) | 443, 8443 |
| Monitoring Frequency | How often CertMS scans this URL (required) | Daily, Weekly, Hourly |
| Assigned Scanner | Which scanner performs the monitoring | Local Scanner (default) |
| Start Date | When monitoring should begin | 2025-09-06 |
| Start Time | Time of day for the first scan | 09:00 AM |
| Enabled | Activate or deactivate monitoring | ✅ Checked by default |
Note: The Local Scanner is CertMS's built-in scanner and requires no additional configuration. If you have deployed custom scanners for internal networks or specific locations, you can select them here. See Scanner Selection below.
Step 3: Save the Monitor¶
- Review all settings for accuracy
- Click Create to save
- The monitor appears in your URL Monitors list and scanning begins on the configured schedule
Monitoring Frequency¶
Choose a frequency based on how critical the service is:
| Frequency | Best For | Example Use Case |
|---|---|---|
| Hourly | Critical production systems | High-availability sites, payment systems |
| Daily | Standard websites and applications | Most corporate websites and services |
| Weekly | Internal or lower-priority applications | Development and staging environments |
| Monthly | Low-priority monitoring | Archive sites, rarely-accessed services |
Best practice: Monitor production systems daily or more frequently to catch certificate issues quickly.
Scanner Selection¶
Local Scanner (Default)¶
- Built into CertMS — no additional setup required
- Suitable for publicly accessible URLs and internet-facing websites
Custom Scanners¶
If you've deployed additional scanners (see URL Scanner Deployment), you can assign them here:
- Internal network scanners — Monitor intranet sites and internal applications not reachable from the internet
- Geographic scanners — Test certificate presentation from different network locations
- DMZ scanners — Monitor services in demilitarized zones
Contact support@certms.com for assistance setting up additional scanners.
What Gets Monitored¶
Each scan retrieves and stores the following certificate information:
- Common Name (CN) and Subject Alternative Names (SANs)
- Issuer (Certificate Authority)
- Expiration date and validity period
- Certificate chain and intermediate certificates
- Key size and algorithm
- Serial number and fingerprint
Managing URL Monitors¶
View Monitor Status¶
Navigate to URL Monitors to see all monitors and their current status:
- ✅ Active — Monitor is running and scanning successfully
- ⏸️ Disabled — Monitor is not currently active
Edit a Monitor¶
- Click on any monitor in the list
- Modify settings as needed
- Save changes
Disable a Monitor¶
To pause monitoring without deleting the configuration:
- Open the URL Monitor
- Uncheck the Enabled checkbox
- Save changes
Delete a Monitor¶
- Select the monitor from the list
- Click Delete
- Confirm deletion
Best Practices¶
URL format
- Include the
https://prefix when possible - Be specific with subdomains —
www.example.comandexample.commay present different certificates - Verify the URL is accessible before creating the monitor
Port configuration
- Standard HTTPS uses port
443(the default) - Specify custom ports if your service uses non-standard ones (e.g.,
8443) - Create separate monitors for the same URL on different ports if needed
Naming and organization
- Use descriptive names that include environment and purpose (e.g.,
Production API - api.example.com) - Use consistent naming conventions to make the monitors list easy to scan
- Note why non-standard ports are used when applicable
Monitoring strategy
- Include all customer-facing URLs
- Monitor the load balancer endpoint — not just backend servers
- Balance scan frequency against system load for high-volume environments
Troubleshooting¶
Common Issues¶
| Issue | Likely Cause | Solution |
|---|---|---|
| Connection failed | URL unreachable or firewall blocking | Verify URL accessibility and outbound firewall rules from the scanner |
| Certificate not found | Non-HTTPS URL or wrong port | Confirm the URL uses HTTPS and the port is correct |
| Timeout errors | Slow response or network issues | Check network connectivity and server response time |
| Scanner offline | Assigned scanner not running | Verify scanner status in Settings → Scanners, or switch to Local Scanner |
Certificate Not Updating¶
If certificate information isn't refreshing as expected:
- Check the frequency — Confirm enough time has passed for the next scheduled scan
- Verify the monitor is enabled — Confirm the Enabled checkbox is checked
- Review scanner status — Navigate to Settings → Scanners and check the Last Check-in time
- Test connectivity manually — Open the URL in a browser from the scanner's network location to confirm it's reachable
Verification Steps¶
- Test the URL in a browser — Confirm the site loads and presents a certificate
- Inspect the certificate — Use the browser's padlock icon to verify the certificate details
- Confirm the port — Ensure the port in CertMS matches what the service is actually listening on
- Check firewall rules — Confirm outbound HTTPS is allowed from the scanner to the target
Need help? Contact support at support@certms.com for assistance with URL monitor configuration or connection troubleshooting.