SSL certificate monitoring tools, honestly compared
By Nick Phillips, Founder
Disclosure up front: we make one of the tools on this list. We're going to try to be honest about where it's the right choice and where it isn't, because the alternative — pretending we're the answer for everyone — is the kind of thing that makes "comparison posts" useless. There are real cases where another tool, or a homegrown shell script, is the better answer.
Here's the lay of the land.
What you're actually trying to buy
Before the table: the actual job of an SSL cert monitor is to tell you, before the cert expires, that the cert is going to expire — and to do it in a way you'll see. Everything else is incidental. The differentiators that matter:
- Does it run from outside your infrastructure? Internal cron jobs are the wrong tool because they share fate with the server they're supposed to be watching.
- Does the alert reach you reliably? Email is fine for 30-day warnings. SMS or push for "expiring tomorrow" is better.
- Does it actually check the cert, or just the uptime? Surprisingly many "uptime monitors" only check whether the page loads — they don't read
notAfterand warn you ahead of time. - Can you afford to keep it running? A $50/month tool for a side project is the wrong price point; a $5/month tool for a 500-domain enterprise fleet is the wrong price point in the other direction.
With that as the lens, here's the comparison.
The table
| Tool | Price | Reads notAfter | External | Best for |
|---|---|---|---|---|
| Otterwatch | Free | Yes, daily | Yes | Indie / small-team sites that want cert-first monitoring without an "uptime monitor" feature bloat |
| UptimeRobot | Free for 50 monitors | Yes (added 2021) | Yes | Hobby projects that need uptime + cert in one place |
| BetterStack (Better Uptime) | $24/mo entry | Yes | Yes | Teams that want incident management + status page + cert monitoring as one product |
| StatusCake | Free tier + paid | Yes | Yes | Same niche as UptimeRobot, slightly more polish |
| Datadog Synthetics | $5/test/mo + Datadog fees | Yes | Yes | Companies already paying for Datadog APM/logs |
| Pingdom | $15/mo entry | Yes | Yes | Established enterprises with existing Pingdom contracts |
| Homegrown cron + openssl | Free (your time) | If you script it | Only if you host it elsewhere | One-domain shops, or anyone allergic to SaaS |
The rest of the post is the longer take on each.
Otterwatch
What we built. Daily check from outside your infrastructure, emails at 30/7/expiry, otter-themed copy that takes itself slightly less seriously than the alternatives.
Where it's the right answer: you have between 1 and 25 sites, you don't want a generic "uptime monitor" product where cert checks are a tab in a settings page, and you'd like the alerts to be calm and on-time instead of marketing-laden. We deliberately don't sell status pages, on-call rotations, or incident response. Cert monitoring is the entire product.
Where it isn't: you need PagerDuty integration, SMS escalation, or a status page out of the box. We don't do any of that. We also don't yet do SLA-style reporting for compliance — if your boss needs "99.9% uptime" documents quarterly, you want one of the bigger tools.
UptimeRobot
The default answer for "I just need free uptime monitoring." 50 monitors free, 5-minute interval on the free tier, cert expiry warning included since around 2021.
Where it's the right answer: hobby project, low-stakes, you already use it for uptime and adding cert monitoring is a checkbox. The free tier really is free, and the email notifications are reliable.
Where it isn't: the free tier emails are easy to ignore (and easy to filter into spam if you ever lose the senders' domain reputation). The cert warning window isn't very configurable — you get an alert at 30 days, and that's about it. If you want a 7-day reminder as well, you'll be writing it yourself.
BetterStack (Better Uptime)
The fastest-growing player in this space. They've put a lot of effort into design and feel, and the product covers uptime + status page + on-call all in one. Cert monitoring is a small feature inside a larger product.
Where it's the right answer: you're a team of 3–20, you don't have an existing incident management tool, and you want one product to cover everything from "did the page load" to "who's on call this weekend." For that bundle, BetterStack is the best modern option.
Where it isn't: you only want cert monitoring. The pricing scales with monitors and you'll be paying for a lot of feature surface you don't use. The cert-specific alerting is fine but not differentiated; for the same money you could buy a more focused tool and use the rest of the budget on something else.
StatusCake
A close-enough competitor to UptimeRobot, with a slightly more polished interface and a slightly more aggressive paid tier. Cert monitoring works similarly.
Where it's the right answer: you've used it before and like it, or the UptimeRobot interface specifically annoys you. Functionally there is not a wide gap.
Where it isn't: you don't already have a preference. UptimeRobot's free tier is more generous; if you're shopping cold, start there.
Datadog Synthetics
The serious enterprise answer. Synthetic checks run from Datadog's global probe network, including TLS handshake details, certificate expiration, cipher suites, and protocol versions. Alerts route through Datadog's existing monitor + on-call infrastructure.
Where it's the right answer: you already pay Datadog for APM, logs, or metrics, and adding Synthetics means everything goes through the same dashboards and alert channels. The depth of cert detail (issuer, chain validation, OCSP) is the best on this list.
Where it isn't: you don't already pay Datadog. The pricing is "if you're asking, it's not for you" — $5 per synthetic per month adds up fast across a fleet, and the base Datadog seat costs aren't trivial either.
Pingdom
Solid, established, owned by SolarWinds. Cert monitoring is a real feature. The interface looks like 2014 and that is not always a bad thing.
Where it's the right answer: you already have a Pingdom contract, especially through a parent organization that procures it centrally. The tool isn't broken; the question is whether you'd choose it greenfield, and the answer is usually no.
Where it isn't: greenfield. UptimeRobot covers the same ground free, BetterStack covers it nicer paid, and Pingdom's value proposition is mostly inertia.
Homegrown cron + openssl
The honest comparison point for any SaaS tool in this space. A daily cron that pipes openssl s_client into openssl x509 -enddate and emails you if the date is close is genuinely free and genuinely works. We've written that script in the renewal-failures post.
Where it's the right answer: one or two domains, you have a server somewhere that isn't the one being monitored, you don't mind that "you" are now the SLA. For an indie operator who already runs Linux boxes, this is genuinely good enough.
Where it isn't: any of the following is true — (a) you have more than a handful of domains and the per-host config will go stale, (b) the monitoring box is the same box being monitored (it shares fate with the thing it's watching), (c) you don't notice when your monitoring breaks, which is the same failure mode as not noticing when the cert expires. The whole point of using a tool is that someone else is paid to make sure the monitor itself stays alive.
Picking one
If you want a flowchart:
- One or two sites, technical operator? Homegrown cron. Or Otterwatch, because we're free and it's about a minute to set up vs. fifteen minutes to write the script.
- Up to ~25 sites, want cert monitoring without bundled-product feature creep? Otterwatch.
- Hobby project, just need free uptime + cert? UptimeRobot.
- 3–20 person team, want incident management + status page + monitoring as one bundle? BetterStack.
- Already pay Datadog? Datadog Synthetics.
- Already have Pingdom? Pingdom. (If not: don't start.)
There's no universally right answer. There's a right answer for your shape of problem, and the wrong answer is almost always "I'll remember." Why expiration matters is the post for anyone whose answer is still "I'll remember."
If you want to take Otterwatch for a test drive, the free checker is the no-signup tour, and the signup page gets you daily monitoring with email alerts in about a minute.
Catch the next cert expiry before your users do.
Otterwatch checks your SSL certificates daily and emails you 30 days before they expire. Five sites free.
Start watching →