Never miss an SSL certificate expiration again. Get timely alerts, monitor certificate status, and ensure continuous website security with our SSL monitoring solution.

forwardemail/sslmonitor.com

SSL Certificate Monitoring | Expiry Alerts & Certificate Management

Never Miss an SSL Certificate Expiration Again

Automated monitoring, timely alerts, and comprehensive certificate management to keep your websites secure and your users protected.

Get Started | Learn About Forward Email

Comprehensive SSL Certificate Monitoring

Automated Monitoring

Set up continuous monitoring of all your SSL certificates across multiple domains and servers with minimal configuration.

Expiration Alerts

Receive timely notifications before certificates expire, with customizable warning thresholds to prevent service disruptions.

Detailed Reporting

Get comprehensive reports on certificate status, expiration dates, and potential security issues across your infrastructure.

Security Validation

Verify certificate validity, encryption strength, and protocol compliance to maintain the highest security standards.

Why Monitor SSL Certificates?

Prevent Service Disruptions

Expired SSL certificates cause browser warnings and block access to your websites, resulting in lost traffic and revenue. According to a GlobalSign study, 65% of organizations have experienced outages due to expired certificates.

Maintain Customer Trust

Security warnings damage your brand reputation and erode customer confidence. Research by SSL.com shows that 84% of users would abandon a purchase if they saw a security warning.

Ensure Compliance

Many regulatory frameworks like PCI DSS, HIPAA, and GDPR require proper certificate management. Automated monitoring helps maintain compliance and avoid penalties.

Reduce Administrative Overhead

Manual certificate tracking is time-consuming and error-prone. Automated monitoring saves IT staff time and reduces the risk of human error.

Easy Implementation with Forward Email

Ready-to-Use SSL Certificate Monitoring Script

Below is a complete, production-ready Bash script for monitoring SSL certificate expiration dates and sending alerts via Forward Email. This script can be easily customized to fit your specific security requirements.

#!/bin/bash
# SSL Certificate Monitor Script
# This script monitors SSL certificate expiration dates and sends alerts via Forward Email
# Usage: Place in /usr/local/bin/ and add to crontab to run daily
# Example crontab entry: 0 8 * * * /usr/local/bin/ssl_monitor.sh

# Configuration
EMAIL_TO="[email protected]"
EMAIL_FROM="[email protected]"
FORWARD_EMAIL_API_KEY="your_api_key_here" # Get from https://forwardemail.net/my-account/security (this is a secret: keep this script readable by root only)
DOMAINS_FILE="/etc/ssl_monitor/domains.txt" # One domain per line
WARNING_DAYS=30 # Send warning when certificate expires in less than this many days
CRITICAL_DAYS=7 # Send critical alert when certificate expires in less than this many days
LOG_FILE="/var/log/ssl_monitor.log"

# Create config directory and domains file if they don't exist
mkdir -p /etc/ssl_monitor
if [ ! -f "$DOMAINS_FILE" ]; then
    echo "# Add domains to monitor, one per line" > "$DOMAINS_FILE"
    echo "example.com" >> "$DOMAINS_FILE"
    echo "mail.example.com" >> "$DOMAINS_FILE"
fi

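# Function to send email via Forward Email HTTP API
# Requires jq, which builds the JSON body so that the newlines and quotes
# in the subject and HTML report are escaped correctly.
send_email_api() {
    local subject="$1"
    local body="$2"
    local payload

    payload=$(jq -n \
      --arg from "$EMAIL_FROM" \
      --arg to "$EMAIL_TO" \
      --arg subject "$subject" \
      --arg body "$body" \
      '{from: $from, to: $to, subject: $subject, html: $body, text: $body}')

    # --fail makes curl exit non-zero on an HTTP error, so a rejected request is not logged as sent
    if curl --silent --show-error --fail -X POST "https://api.forwardemail.net/v1/emails" \
      -H "Content-Type: application/json" \
      -u "$FORWARD_EMAIL_API_KEY:" \
      -d "$payload" >/dev/null 2>>"$LOG_FILE"; then
        echo "Alert email sent via API at $(date)" >> "$LOG_FILE"
    else
        echo "Failed to send alert email via API at $(date)" >> "$LOG_FILE"
    fi
}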

# Function to send email via sendmail (SMTP)
send_email_smtp() {
    local subject="$1"
    local body="$2"

    echo -e "Subject: $subject\nFrom: $EMAIL_FROM\nTo: $EMAIL_TO\nContent-Type: text/html\n\n$body" | \
    sendmail -t

    echo "Alert email sent via SMTP at $(date)" >> "$LOG_FILE"
}

# Function to check SSL certificate expiration
check_certificate() {
    local domain="$1"
    local expiry_date=""
    local days_left=0
    local status="OK"
    local error_message=""

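    # Get certificate expiration date.
    # timeout keeps an unresponsive host from hanging the cron run.
    # Note: s_client does not abort on an untrusted chain or a hostname mismatch,
    # so this check reads the expiry date only and does not validate trust.
    expiry_date=$(timeout 15 openssl s_client -servername "$domain" -connect "$domain":443 </dev/null 2>/dev/null | \
                 openssl x509 -noout -enddate 2>/dev/null | \
                 sed -e 's/notAfter=//')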

    if [ -z "$expiry_date" ]; then
        status="ERROR"
        error_message="Could not retrieve certificate for $domain"
        days_left=0
    else
        # Convert expiry date to seconds since epoch
        expiry_seconds=$(date -d "$expiry_date" +%s)
        current_seconds=$(date +%s)

        # Calculate days left
        seconds_left=$((expiry_seconds - current_seconds))
        days_left=$((seconds_left / 86400))

        # Determine status
        if [ $days_left -lt $CRITICAL_DAYS ]; then
            status="CRITICAL"
        elif [ $days_left -lt $WARNING_DAYS ]; then
            status="WARNING"
        fi
    fi

    # Return results
    echo "$domain|$expiry_date|$days_left|$status|$error_message"
}

# Initialize HTML report
HTML_REPORT="<h2>SSL Certificate Monitoring Report</h2>
<p><strong>Date:</strong> $(date)</p>
<p><strong>Server:</strong> $(hostname)</p>
<table border='1' cellpadding='5' cellspacing='0' style='border-collapse: collapse;'>
<tr style='background-color: #f2f2f2;'>
  <th>Domain</th>
  <th>Expiry Date</th>
  <th>Days Left</th>
  <th>Status</th>
</tr>"

# Check each domain
ALERT_NEEDED=false
while read -r domain || [ -n "$domain" ]; do
    # Skip comments and empty lines
    [[ "$domain" =~ ^#.*$ || -z "$domain" ]] && continue

    echo "Checking certificate for $domain..." >> "$LOG_FILE"

    # Get certificate info
    cert_info=$(check_certificate "$domain")

    # Parse results
    domain_name=$(echo "$cert_info" | cut -d'|' -f1)
    expiry_date=$(echo "$cert_info" | cut -d'|' -f2)
    days_left=$(echo "$cert_info" | cut -d'|' -f3)
    status=$(echo "$cert_info" | cut -d'|' -f4)
    error_message=$(echo "$cert_info" | cut -d'|' -f5)

    # Set row color based on status
    row_color="#ffffff" # Default white
    if [ "$status" = "WARNING" ]; then
        row_color="#fff3cd" # Light yellow
        ALERT_NEEDED=true
    elif [ "$status" = "CRITICAL" ]; then
        row_color="#f8d7da" # Light red
        ALERT_NEEDED=true
    elif [ "$status" = "ERROR" ]; then
        row_color="#f8d7da" # Light red
        ALERT_NEEDED=true
    fi

    # Add to HTML report
    HTML_REPORT+="<tr style='background-color: $row_color;'>
  <td>$domain_name</td>
  <td>$expiry_date</td>
  <td>$days_left</td>
  <td>$status</td>
</tr>"

    # Log results
    echo "$domain: $status - Expires: $expiry_date ($days_left days left)" >> "$LOG_FILE"

    if [ -n "$error_message" ]; then
        echo "  Error: $error_message" >> "$LOG_FILE"
    fi

done < "$DOMAINS_FILE"

# Complete HTML report
HTML_REPORT+="</table>
<p style='margin-top: 20px;'><em>This is an automated alert from your SSL certificate monitoring system.</em></p>
<p><strong>Note:</strong> It is recommended to renew certificates at least 14 days before expiration.</p>
<p><strong>Renewal Instructions:</strong></p>
<ol>
  <li>For Let's Encrypt certificates: Run <code>certbot renew</code></li>
  <li>For other certificates: Contact your certificate provider or generate a new CSR</li>
</ol>"

# Send alert if needed
if [ "$ALERT_NEEDED" = true ]; then
    EMAIL_SUBJECT="SSL Certificate Alert: $(hostname) - $(date +%Y-%m-%d)"

    # Uncomment one of these methods based on your preference:
    send_email_api "$EMAIL_SUBJECT" "$HTML_REPORT"
    # send_email_smtp "$EMAIL_SUBJECT" "$HTML_REPORT"

    echo "Alert sent due to expiring certificates" >> "$LOG_FILE"
else
    echo "No alerts needed, all certificates are valid" >> "$LOG_FILE"
fi

exit 0
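
The threshold logic above depends on GNU `date -d` to parse the `notAfter` string. As an added example (not code from this repository), the same OK/WARNING/CRITICAL classification can be done with `openssl x509 -checkend`, which needs no date parsing and separates an unreadable certificate from an expired one. The function names `classify_cert` and `make_sample_cert` are hypothetical, and the sample certificate is constructed locally for the demonstration.

```shell
#!/bin/bash
# Added example, not part of the original script. Function names are hypothetical.

# classify_cert PEM_FILE WARNING_DAYS CRITICAL_DAYS
# Prints one of: OK, WARNING, CRITICAL, EXPIRED, ERROR.
# `openssl x509 -checkend N` exits 0 when the certificate is still valid
# N seconds from now, and non-zero when it will have expired by then.
classify_cert() {
    local pem="$1" warn_days="$2" crit_days="$3"

    # A file that does not parse as a certificate is an ERROR, not an expiry.
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "ERROR"
        return 0
    fi

    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED"
    elif ! openssl x509 -in "$pem" -noout \
            -checkend $((crit_days * 86400)) >/dev/null 2>&1; then
        echo "CRITICAL"
    elif ! openssl x509 -in "$pem" -noout \
            -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo "WARNING"
    else
        echo "OK"
    fi
}

# make_sample_cert DAYS OUT_FILE
# Constructed test input: a throwaway self-signed certificate valid for DAYS days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=sample.invalid" \
        -keyout /dev/null -out "$2" >/dev/null 2>&1
}
```

To use it against a live host, save the output of `openssl x509` from the `s_client` pipeline to a temporary PEM file and pass that file to `classify_cert` with the script's `WARNING_DAYS` and `CRITICAL_DAYS` values.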

Installation Steps

  1. Create the Script File

    sudo nano /usr/local/bin/ssl_monitor.sh

    Copy and paste the script above, then save the file.

  2. Make the Script Executable

    sudo chmod +x /usr/local/bin/ssl_monitor.sh

  3. Configure the Script

    Update the email addresses and API key in the script configuration section.

  4. Create Domains List

    sudo mkdir -p /etc/ssl_monitor
    sudo nano /etc/ssl_monitor/domains.txt

    Add your domains, one per line.

  5. Set Up Scheduled Monitoring

    sudo crontab -e

    Add the following line to run the script daily at 8 AM:

    0 8 * * * /usr/local/bin/ssl_monitor.sh
    
  6. Test the Script

    sudo /usr/local/bin/ssl_monitor.sh

Best Practices for SSL Certificate Management

Centralized Inventory

Maintain a central inventory of all certificates, their locations, and expiration dates.

Standardized Renewal Process

Establish a standardized process for certificate renewal to ensure consistency and reduce errors.

Automated Renewal

Where possible, implement automated renewal using services like Let's Encrypt and certbot.

Certificate Authority Monitoring

Monitor your Certificate Authority for security issues or policy changes that might affect your certificates.

Regular Audits

Conduct regular audits of your SSL infrastructure to identify unauthorized or forgotten certificates.

Resources

GitHub Repository

Access the full SSL monitoring script and additional security tools on our GitHub repository.

Documentation

Comprehensive documentation on SSL certificate management best practices is available in our knowledge base.

Community Support

Join our community forum to discuss SSL security, share experiences, and get help with implementation.

Ready to Secure Your Websites?

Start monitoring your SSL certificates today with our easy-to-implement solution.

Get Started with Forward Email | View Documentation

Citations & References

  1. GlobalSign. (2024). SSL Certificate Expiration Consequences. Retrieved April 5, 2025, from https://www.globalsign.com/en/blog/ssl-certificate-expiration-consequences
  2. SSL.com. (2024). SSL Certificate Management Best Practices. Retrieved April 5, 2025, from https://www.ssl.com/article/ssl-certificate-management-best-practices/
  3. Let's Encrypt. (2025). Certificate Automation Guide. Retrieved April 5, 2025, from https://letsencrypt.org/docs/
  4. Forward Email. (2025). Email API Documentation. Retrieved April 5, 2025, from https://forwardemail.net/email-api
