📜 Certwatch
SSL certificate and domain expiry monitoring you own forever.
Uptime-tool SSL add-ons and SSLMate-style monitors run $10 to $20 a month, roughly $360 to $720 over three years for 50 domains. One expired cert is a 2am page either way. Certwatch does a real TLS handshake against every site you care about on a schedule, and alerts you by email or webhook at 30, 14, 7 and 1 days before a cert or the domain itself expires. $24, once.
Certwatch screenshot is being captured — the app is shipped and real.
Features
Traffic-light dashboard
Green over 30 days, yellow at 30 or under, red under 7 days, or for expired, invalid or unreachable hosts.
Real TLS handshake checks
Node tls checks expiry, issuer, SAN list, chain validity, self-signed certs and weak keys (RSA under 2048, EC under 224).
Domain WHOIS expiry
Best-effort registry lookups so the domain registration itself does not lapse either.
Threshold alerts
Configurable days (default 30, 14, 7, 1) via webhook and SMTP email, with exactly one alert per threshold per certificate.
Chain viewer
See the full presented certificate chain per check in the UI.
Check history
Every check is stored, and unreachable hosts are recorded with the error.
Certwatch vs SSLMate-style SSL monitors
SSLMate-style SSL monitors at $10–20/mo runs roughly $180/year — $360 over two years. Certwatch is $24, once.
| Certwatch | SSLMate-style SSL monitors | |
|---|---|---|
| Price | $24 once | $10–20/mo |
| 3 years, 50 domains | $24 | $360–720 |
| Handshake checks (expiry, chain, keys) | Yes | Yes |
| Domain (WHOIS) expiry | Yes, best-effort | Sometimes |
| Email + webhook alerts | Yes | Yes |
| Data on your server | Yes | No |
| Domain limits | None | Usually tiered |
| Source you can read | Yes, MIT | No |
Two months of a paid SSL monitor covers Certwatch, and one cert it saves from expiring covers the 2am page it would have cost you.
Three steps, no subscription
Buy once on Whop
One payment of $24 gets you the packaged 1-click installer, or clone the MIT source at github.com/bensblueprints/ssl-cert-monitor and run it yourself for free.
Deploy on your own server
docker compose up on a $5 VPS that can reach your hosts, or run the Electron desktop build, adding SMTP credentials to .env if you want email alerts.
Add your domains
Point it at the sites you care about; it runs real TLS handshakes on a schedule and pages you before anything expires.
Honest answers
Is it really free on GitHub?
Yes. Certwatch is MIT-licensed at github.com/bensblueprints/ssl-cert-monitor and always will be. The $24 buys the packaged 1-click installer; building from source is free.
Where does my monitoring data live?
In a SQLite database on your own server. The checker connects directly to your hosts, so run it from a box that can reach them, and nothing goes to any third-party API.
How reliable is the domain-expiry check?
Certificate checks are the reliable signal. WHOIS domain expiry is best-effort: some TLDs publish no expiry and some rate-limit, so treat it as a bonus rather than the primary alarm.
Is this a subscription in disguise?
No. $24 once, no renewal, no per-domain tiering, no license server. Webhooks work with zero config; deploy it and it keeps watching your certs.
Own Certwatch forever
$24 once. Deploy on your own server — your data never leaves it. No renewal, no account with us, no meter. Or build it yourself from the MIT source — it's the same app.