SSL / TLS monitoring — what to expect

The SSL/TLS module fetches your site's certificate chain, validates it, and grades the configuration on a Vanta-style A/B/F scale.

What we check

  • Certificate validity period — alerts at 30, 14, and 3 days before expiry.
  • Chain integrity — every intermediate must be present and valid.
  • Protocol — TLS 1.2 minimum, TLS 1.3 preferred.
  • Cipher suite — AEAD (AES-GCM, ChaCha20-Poly1305) preferred; legacy ciphers downgraded to grade B.
  • Key strength — RSA ≥ 2048 or ECDSA ≥ 256.
  • HSTS — Strict-Transport-Security header present with max-age ≥ 31536000.
  • Certificate Transparency — every issued certificate appears in CT logs (used by our brand-protection module too).

Grading

| Grade | Criteria |
|-------|----------|
| A | TLS 1.3, RSA ≥ 2048 / ECDSA ≥ 256, AEAD cipher, HSTS preload-eligible. |
| B | TLS 1.2 with strong cipher; HSTS missing or max-age < 1y. |
| F | TLS ≤ 1.1, weak cipher, self-signed, expired, or chain-broken. |
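
One way to apply the checks and grade criteria above to a single scan result, as an added example that is not NoDowntimeShield's own code. It parses the Strict-Transport-Security header, assigns A/B/F, and maps days-to-expiry to the 30/14/3 alert thresholds. Assumptions: the scan field names, the weak-cipher markers, grading a below-minimum key as F, grading anything that is neither A nor F as B, and reading "preload-eligible" as max-age ≥ 31536000 plus includeSubDomains and preload.

```python
import re

ONE_YEAR = 31536000                       # max-age threshold from the checklist
AEAD = ("GCM", "CHACHA20")                # AES-GCM / ChaCha20-Poly1305 suite names
WEAK = ("RC4", "DES", "NULL", "EXPORT")   # assumed meaning of "weak cipher"
OLD_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, subdomains, preload)."""
    max_age, flags = None, set()
    for part in (header or "").split(";"):
        directive = part.strip().lower()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', directive)
        if m and max_age is None:         # first max-age wins, later repeats ignored
            max_age = int(m.group(1))
        else:
            flags.add(directive)
    return max_age, "includesubdomains" in flags, "preload" in flags

def grade(scan):
    """Map one scan result (dict; field names are assumptions) to 'A', 'B' or 'F'."""
    cipher = scan["cipher"].upper()
    min_bits = 2048 if scan["key_type"] == "RSA" else 256
    if (scan["protocol"] in OLD_PROTOCOLS or scan["expired"] or scan["self_signed"]
            or not scan["chain_ok"] or any(w in cipher for w in WEAK)
            or scan["key_bits"] < min_bits):      # weak key -> F is an assumption
        return "F"
    max_age, subdomains, preload = parse_hsts(scan.get("hsts"))
    preload_eligible = (max_age or 0) >= ONE_YEAR and subdomains and preload
    aead = any(a in cipher for a in AEAD)
    if scan["protocol"] == "TLSv1.3" and aead and preload_eligible:
        return "A"
    return "B"                            # assumed: everything between A and F

def expiry_alert(days_left):
    """Return the tightest alert threshold (30, 14 or 3 days) reached, else None."""
    reached = [t for t in (3, 14, 30) if days_left <= t]
    return reached[0] if reached else None

# Constructed sample scans, not real hosts.
BASE = dict(protocol="TLSv1.3", cipher="TLS_AES_256_GCM_SHA384", key_type="ECDSA",
            key_bits=256, expired=False, self_signed=False, chain_ok=True,
            hsts="max-age=63072000; includeSubDomains; preload")
TLS12_CBC = {**BASE, "protocol": "TLSv1.2", "cipher": "ECDHE-RSA-AES128-SHA256",
             "key_type": "RSA", "key_bits": 2048}

if __name__ == "__main__":
    for scan in (BASE, {**BASE, "hsts": None}, TLS12_CBC, {**BASE, "chain_ok": False}):
        print(scan["protocol"], scan["cipher"], "->", grade(scan))
```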

What to do on expiry warnings

Most SSL findings come with a one-click renewal URL specific to your hosting provider (or a certbot renew command for self-managed systems). Renew, then click "Re-scan" — the finding closes automatically.

Frequency

Daily. The module is fast and cheap, so we run it on every recon pass.