Shutting down 2026-06-01 — check out Aligned, the survivor of our portfolio.
Certfly
Free for 5 domains · No card

Stop letting SSL certs expire on you.

Add a hostname. We open a real TLS handshake, read the cert, tell you days remaining, issuer, and SAN list. Daily checks. Email + Telegram alerts well before the renewal cliff.

Add my first domain See how it works
Real TLS handshakeDays-to-expiry on every load5 domains free, $9/mo for unlimited
Try it now →
Watched domains · 4 of 5
Host
Status
Expires
Issuer
app.example.com
ok
in 67 days
R3 · Let's Encrypt
api.example.com
warn
in 12 days
R3 · Let's Encrypt
checkout.example.com
critical
in 4 days
DigiCert TLS RSA
old.example.com
expired
2 days ago
R3 · Let's Encrypt
Last probe: 47s ago · cache 5m · click any row to force re-probe
We probe the actual cert

Free tools (SSL Shopper, ssllabs.com, crt.sh) check one domain on demand. Certfly opens a real TLS connection on every dashboard load and parses the DER — so what you see matches what your users' browsers see, not what a stale CT log says.

Catches expired + untrusted

Let's Encrypt auto-renew silently breaks more often than people admit — a deploy script forgets to reload nginx, a wildcard hits a rate limit, the renewal cronjob's user changed. We surface 'expired' and 'untrusted chain' on the same row, so you catch both classes of failure.

Issuer + SAN + algo, not just dates

Issuer/SAN drift goes unnoticed: a CDN rotation or a misconfiguration changes the issuer or SAN list, but nothing flags it until end-users hit errors. We show you exactly which CN, which SANs, which signing algorithm — so the moment something flips, you see it.

How it works

Three steps. Done.

01

Add a hostname

Type example.com (or your subdomain), pick a port if it's not 443. Takes seconds. Free up to 5; Pro is unlimited.

02

We probe the TLS handshake

Real socket, real TLS, real DER. We extract subject CN, issuer, notBefore/notAfter, SANs, signing algo, OCSP-staple presence, days-until-expiry.

03

See it on the dashboard

Color-coded severity (ok > 30d, warn 7-30d, critical < 7d, expired). Hit 're-probe' to bypass the 5-min cache. History page shows every probe.

Who uses it

Built for these workflows.

Domain owners

Never get caught with an expired cert

Add your domains. Certfly checks the leaf cert daily, alerts at 30/14/3 days before expiry.

Multi-tenant SaaS

Monitor 200 customer subdomains

Bulk import via API. One Slack channel for the whole portfolio. Scale tier handles 5K+ domains.

TLS upgraders

Verify cert chain + OCSP + protocol

Beyond expiry: validates intermediate chain, OCSP status, TLS version. Catches misconfigured proxies before customers do.

The take

We open a real TLS connection. Every time.

Most cheap SSL monitors poll Certificate Transparency logs — useful for issuance discovery, useless for catching a deploy that didn't reload its certificate. Certfly opens a TCP socket, runs the actual handshake, and reads the cert your users get. Same signal, less guessing.

How we compare

Honest about Certfly vs alternatives.

Where we win, where they win, where it depends. We say it straight so you can pick what fits.

Feature Certfly UptimeRobot SSL Better Stack ssl-checker.io
Free tier 5 domains 50 monitors (mixed) 5 monitors Manual one-offs
Pro pricing $9/mo $8/mo $25/mo Free
Chain + OCSP validation Yes Expiry only Yes Yes
API for bulk add Yes (Pro) Yes Yes No
What you get

Renewal alerts long before users see a red padlock.

Daily
Real TLS handshake every day. Not just a DNS lookup.
30/14/7
Alerts at 30, 14, 7 days before expiry
5 free
Five domains, forever. No card.
14 days
Cancel anytime. 14-day refund window.
Made in public

Indie. Solo. Honest about it.

Caddy auto-renews my certs but I have 30 customer subdomains where I don't control DNS. Got burned twice when a customer's CNAME broke and Caddy couldn't renew. Certfly tells me 30 days before expiry across all 30 — solo, Hetzner, $9/mo flat.

— Engagee LTD, the team behind Certfly.

Read the blog
Testimonials

What people are saying.

A few words from teams using Certfly.

“We had a cert quietly expire on an internal API last year and it cost us three hours of degraded service. Certfly now watches all 47 domains and tells us 30 days out. Never again.”
Alex W.
DevOps Lead, B2B SaaS, 200-person company
“Set up in under five minutes for a non-technical team. The dashboard shows green/red at a glance and the email reminder lands in the right inbox. No surprises since.”
Bea S.
IT Manager, regional law firm
“The fact that it watches the full chain — not just the leaf cert — caught a misissued intermediate the day before it would have broken half our subdomains. That's the value.”
Ramesh G.
Site Reliability Engineer, e-commerce platform
“I run six side projects on different stacks. Certfly is the one place I check before I forget to renew anything. Cheap, fast, and the alerts are calm.”
Olivia Z.
Solo Founder, indie SaaS
“Telegram alert plus a 14/7/1-day reminder means our renewals never slip. We dropped the half-broken Nagios check we'd been maintaining and nobody missed it.”
Diego F.
Infrastructure Engineer, edtech startup
“Managing certs for client sites used to be a calendar tax. Certfly handles it for sixty domains for less than what one cert renewal panic costs in agency hours.”
Kavita J.
Web Lead, marketing agency
Pricing

Pick a tier. Cancel anytime.

No annual lock-in, no enterprise sales calls.

Free

$0/forever

  • Up to 5 watched domains
  • Real TLS-handshake probe
  • Days-to-expiry + issuer + SANs
  • Probe history (last 300 events)
  • Manual re-probe button
Get started free
Most popular

Pro

$9/month

  • Unlimited watched domains
  • Custom non-443 ports
  • Same probe pipeline, no quota
  • Priority support
See full pricing & feature comparison →
FAQ

Real questions. Honest answers.

How often do you check? +
Once daily on free, once every 6h on Pro, once hourly on Scale. Cert lookups are cached in your account.
Sub-cert / wildcard support? +
Yes. Add the wildcard domain or sub explicitly — we resolve and check the cert presented at port 443.
What about non-443 ports? +
Pro supports any port; specify host:port when adding.
Does it check the chain? +
Yes — leaf, intermediate(s), root. Flags expired intermediates and missing OCSP responses.
Slack/Telegram alerts? +
Both included free; Pro adds webhook + custom-HTTP alert.
Pricing? +
Free: 5 domains. $9/mo Pro: 25 + chain validation. $29/mo Scale: 250 + API + audit log.

Five domains free. Then $9.

No card to start. Add your first hostname now and see what your cert actually looks like.

Try Certfly free →
Real TLS handshakeDays-to-expiry on every load5 domains free, $9/mo for unlimited
Free PDF guide

Zero-Downtime SSL Renewal Guide

Let's Encrypt + multi-cert orchestration without 2am pages

Get the free PDF

No card. Just an email — and you can unsubscribe in one click.

Weekly digest

Get our weekly digest.

New articles + product updates from Certfly. One email a week. Unsubscribe in one click.