TLS certificate renewal monitoring
Know your certs renewed —
before they expire.
Expiry monitors only tell you once it's already too late. Lapseguard watches the renewal itself — answering “did the cert renew when it should have?” — and pages someone until it's confirmed handled.
Expiry alerts fire too late
A 30-days-to-expiry alert tells you nothing about whether automation is healthy. By the time the date is close, the renewal that should have happened weeks ago has already silently failed. Lapseguard computes when each cert should renew and opens an incident the moment that deadline is breached.
Two independent signals, one confirmation
Endpoint prober
Probes every hostname:port on a schedule, reading the live cert's
serial and expiry straight off the TLS handshake.
CT log poller
Watches Certificate Transparency logs (crt.sh) for newly issued certs — catching a renewal even before it's deployed to the endpoint.
Dual-signal resolve
An incident only auto-resolves when both signals agree the right cert is live — so “issued but not deployed” never slips through as handled.
Built to page someone until it's fixed
Renewal expectations
Computed deadlines per target — declared, learned, or cold-start — not just a raw expiry date.
Incident state machine
Breaches open incidents you can acknowledge or snooze, with auto-resolve on dual-signal confirmation.
Escalation that doesn't stop
Steps through your on-call until someone confirms the renewal is handled — no silent drops.
Notify anywhere
Slack, email, SMS, and PagerDuty — wired in and ready when you add credentials.
Start monitoring in minutes
Add a hostname, set a renewal expectation, and let Lapseguard watch the rest.
Create your account