Built a Rust-based monitor for those missing the old expiration emails

Hi everyone,

Long-time user of Let's Encrypt (since the early beta days).

Like many of you, I manage a lot of certs across different providers. I found that generic uptime monitors often missed intermediate chain expirations or didn't alert fast enough when a renewal cron job silently failed.

I built a dedicated tool called SSLGuard (https://theopsmechanic.com) to solve this for my own infrastructure.

What it does:

  • Checks validity, revocation, and chain issues.
  • Written in Rust (very low resource usage).
  • Sends alerts to Slack/Email/Webhooks.
  • Free tier covers 3 domains forever (intended for personal blogs/homelabs).

I also spun up a public checker (https://www.sslguard.net/check/) that requires no signup. You can just punch in a domain to see the full chain details and expiration status immediately.

I'd love to get some feedback from this community on the check logic. If the maintainers think it's stable enough, I’d be honored to be considered for the "Monitoring Service Options" documentation page alongside UptimeRobot and the others.

Thanks for all the hard work on LE!

4 Likes

Used the free check on a site I run and got a "B" grade which made me immediately look for some sort of explanation on how the grade is calculated, but couldn't find anything other than:

Security grade (A-F) based on best practices

Is there a detailed scoring explanation if you sign up? If so, you might mention that somewhere or link to a sign up page from the grade icon.

Without a scoring explanation, a letter grade like that is functionally useless because it is not actionable by the person hosting the site.

Not sure what sort of checks you're doing behind the scenes, but it's delightfully speedy compared to something like ssllabs.com.

5 Likes

Let us know if you find one...

2 Likes

https://www.sslguard.net/check appears to not account for short-lived certificates and shows an F for domains using a short-lived certificate.

4 Likes

Thanks so much for this feedback - you're absolutely right! A letter grade without explanation isn't actionable at all.

I've just updated the SSL checker to address this:

What's new:

  • Immediate explanation appears right below your grade showing exactly what it means and what action to take
  • Full grading scale displayed so you can see where you stand
  • FAQ section explaining that the grade is purely based on days until expiration, not security vulnerabilities

About your "B" grade: This simply means your certificate has 30-90 days remaining before expiration—it's perfectly valid and secure. We recommend planning to renew certificates when they hit the 30-60 day mark to avoid last-minute issues.

The grade is really just a quick visual indicator of your renewal timeline:

  • A = 90+ days (no rush)
  • B = 30-90 days (plan to renew soon)
  • C = 14-30 days (renew soon)
  • D = 7-14 days (urgent)
  • F = <7 days or invalid (critical)

Feel free to try it again at Free SSL Certificate Checker - Test Your HTTPS Security | SSLGuard and let me know if the explanation makes more sense now. Really appreciate you taking the time to provide this feedback!

Excellent catch! You're absolutely right - I just pushed a fix for this.

The grading now automatically detects short-lived certificates (≤90 days total validity, like Let's Encrypt) and uses percentage-based grading instead of absolute days. So a Let's Encrypt cert with 60 days remaining (67% of its 90-day lifetime) now correctly gets a B grade instead of an F.

Traditional long-lived certificates still use the absolute day thresholds. The explanation on the results page now shows both grading methods.

Try it again and let me know if it makes more sense now!

Almost, the grade explanation still uses 30-90 days

1 Like

If the letter grade is only based on cert lifetime, I'd probably just lose the letter grade entirely and display the actual percentage lifetime remaining maybe with an associated color indicator.

The letter grade implies a more complicated grading scheme like other SSL checker sites use by testing things like TLS versions, key size, algorithms, etc. It's totally fine to only care about lifetime in this check, but distilling it down to a letter grade just confuses things with similar sites.

6 Likes

good catch, fixed!

Good point, refactored. Please take a look.

I agree with @rmbolger about just showing the lifetime remaining rather than factoring that to a grade.

Further, at least for Let's Encrypt certs, base renewal "health" on what Let's Encrypt already recommends. For short-lived certs (<7 days lifetime) LE recommends renewing when less than half its life remains. And, for all others to renew after 2/3 of its life has passed.

You could switch away from letter grades and use a color scheme. Various possibilities but something like "green" (good) for the period before recommended renewal. Switch to "yellow" (warning) after that until say 10% life remains and "red" danger after that. Could do a different color or symbol for an expired cert.

Note that LE will be offering 45 day life certs later this year for certain "profiles" so I wouldn't fixate anything on 90 days as long lived. There is a distinct difference between short and the rest though.

For LE renewal recommendation: Integration Guide - Let's Encrypt

5 Likes
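The lifetime-relative scheme suggested in the post above, next to the absolute-day letter scale quoted earlier in the thread, as an added example that is not SSLGuard's code or any poster's. Function names, Unix-second timestamps and the sample dates are assumptions made for illustration; the thresholds are the ones stated in the posts.

```rust
// Added example (not SSLGuard's code). Times are Unix seconds; names are hypothetical.
const DAY: i64 = 86_400;

#[derive(Debug, PartialEq)]
enum Health { NotYetValid, Green, Yellow, Red, Expired }

// Absolute-day letter scale as quoted earlier in the thread (A..F).
fn absolute_grade(not_after: i64, now: i64) -> char {
    match (not_after - now) / DAY {
        d if d >= 90 => 'A',
        d if d >= 30 => 'B',
        d if d >= 14 => 'C',
        d if d >= 7 => 'D',
        _ => 'F', // also covers expired certificates
    }
}

// Lifetime-relative status using the thresholds stated in the post above.
fn renewal_health(not_before: i64, not_after: i64, now: i64) -> Health {
    if now < not_before { return Health::NotYetValid; }
    if now >= not_after { return Health::Expired; } // also catches not_after <= not_before
    let lifetime = not_after - not_before;
    let remaining = not_after - now;
    // Integer cross-multiplication avoids float rounding at the boundaries.
    let renewal_due = if lifetime < 7 * DAY {
        remaining * 2 < lifetime // under 7 days of life: due once less than half remains
    } else {
        remaining * 3 < lifetime // otherwise: due once 2/3 of the life has passed
    };
    if remaining * 10 < lifetime { Health::Red } // under 10% of life left
    else if renewal_due { Health::Yellow }
    else { Health::Green }
}

fn main() {
    let issued = 1_700_000_000; // constructed sample issuance time
    // (label, total lifetime in days, days elapsed since issuance)
    let samples = [("6-day", 6, 1), ("90-day", 90, 30), ("90-day", 90, 70), ("90-day", 90, 86)];
    for (label, life, elapsed) in samples {
        let (nb, na) = (issued, issued + life * DAY);
        let now = issued + elapsed * DAY;
        println!("{}: absolute={} relative={:?}", label, absolute_grade(na, now), renewal_health(nb, na, now));
    }
}
```

A certificate with a six-day lifetime can never score better than F on the absolute scale, which is the behaviour reported earlier in the thread; the relative check keeps it green until less than half its life remains.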

We cross-posted and I see your new percentage gauge. Needs some tweaks ... this 90d cert is described as a short-lived :)

4 Likes

Mike,
Great suggestion! I've actually just implemented exactly what you described - a color-coded system (green/blue/yellow/orange/red) instead of letter grades, with the colors transitioning based on recommended renewal periods.

Also, excellent point about the 45-day Let's Encrypt certs! I've updated the threshold from 90 to 180 days to future-proof it. Now any certificate with ≤180 days total validity is treated as "short-lived" (shows percentage), and anything longer shows days remaining.

This should handle current 90-day certs, future 45-day certs, and maintain the clear distinction between short-lived automated certs and traditional long-lived ones.

what domain was this for?

I think that is confusing. The "short-lived" cert is a specific term for a certain duration of cert that does not require revocation info like CRL or OCSP. It is an industry specific term.

4 Likes

You're totally right - thanks for catching that! "Short-lived certificate" is a specific technical term and I was misusing it.

I've updated the wording to "auto-renewing certificates" vs "manually-renewed certificates" instead. Much clearer and avoids the jargon.

Appreciate the feedback!

Hmm. Not sure that's any clearer. Not sure there is a good way to make that distinction.

Even for just LE people can manually renew them even though it is highly discouraged.

But, beyond that Google Trust Services supports notBefore and notAfter dates when requesting certs with ACME. You can automatically get and renew them for any duration up to the allowed industry limit. ZeroSSL may support that too. LE's lifetimes are set by the "profile" used.

The industry is moving towards much shorter lifetimes. See DigiCert's page: TLS Certificate Lifetimes Will Officially Reduce to 47 Days | DigiCert

LE blogs about their plan for that here: Decreasing Certificate Lifetimes to 45 Days - Let's Encrypt

3 Likes

Even the commercial/paid TLS certificate providers are going to be switching to shorter certificate lifespans soon (just you pay for the longer period) so I would suggest reconsidering this grading.

For instance, if I buy a 1-year positiveSSL certificate after this date, the actual certificate issuance is for 90 45 days, it's just autorenewed through an ACME system just like LE uses through for the 1, 2, or 3 year period I purchase.

[edit] Mike is right, I was misremembering

1 Like

I want to thank you all for your time and feedback.
If you want to kick the tires on some related tooling, I've also been building out certradar.net — a free suite of TLS security tools. Would love your feedback if you get a chance to try it.

Looking at your original tool I think saying "Plan Renewal Soon" with 66% life left is bad advice

Hopefully with your alerting tool you are not suggesting to take action this early

Renewing via ACME with just 1/3 of life remaining is not unusual among Certificate Authorities. Following that rather than inventing your own terminology would be clearer. Note LE recommends after 1/2 of life left for certs with life durations less than 10 days so that's a fair divergence.

I chopped it off but the google cert shown has a life of 83 days. As I noted earlier, GTS supports requesting certs of various lengths up to industry max

3 Likes