Stop letting SSL certs expire on you.
Add a hostname. We open a real TLS handshake, read the cert, and tell you exactly how many days are left, who issued it, and what's on the SAN list. Re-probe any time. Free for 5 domains.
Free tools (SSL Shopper, ssllabs.com, crt.sh) check one domain on demand. Certfly opens a real TLS connection on every dashboard load and parses the DER — so what you see matches what your users' browsers see, not what a stale CT log says.
Let's Encrypt auto-renew silently breaks more often than people admit — a deploy script forgets to reload nginx, a wildcard hits a rate limit, the renewal cronjob's user changed. We surface 'expired' and 'untrusted chain' on the same row, so you catch both classes of failure.
Issuer/SAN drift goes unnoticed: a CDN rotation or a misconfiguration changes the issuer or SAN list, but nothing flags it until end-users hit errors. We show you exactly which CN, which SANs, which signing algorithm — so the moment something flips, you see it.
Three steps. Done.
Add a hostname
Type example.com (or your subdomain), pick a port if it's not 443. Takes seconds. Free up to 5; Pro is unlimited.
We probe the TLS handshake
Real socket, real TLS, real DER. We extract subject CN, issuer, notBefore/notAfter, SANs, signing algo, OCSP-staple presence, days-until-expiry.
See it on the dashboard
Color-coded severity (ok > 30d, warn 7-30d, critical < 7d, expired). Hit 're-probe' to bypass the 5-min cache. History page shows every probe.
We open a real TLS connection. Every time.
Most cheap SSL monitors poll Certificate Transparency logs — useful for issuance discovery, useless for catching a deploy that didn't reload its certificate. Certfly opens a TCP socket, runs the actual handshake, and reads the cert your users get. Same signal, less guessing.
Free or $9/mo. That's it.
No contracts. Cancel anytime.
Free
$0/forever
- ✓Up to 5 watched domains
- ✓Real TLS-handshake probe
- ✓Days-to-expiry + issuer + SANs
- ✓Probe history (last 300 events)
- ✓Manual re-probe button
Pro
$9/month
- ✓Unlimited watched domains
- ✓Custom non-443 ports
- ✓Same probe pipeline, no quota
- ✓Priority support
Quick answers.
How is this different from ssllabs.com? +
SSL Labs is a one-shot deep scan — great for hardening, slow, and you have to remember to run it. Certfly keeps your hostnames in a list, re-probes on every dashboard load (5-min cache), and shows you all of them at once. It's the watchlist, not the audit.
What does 'untrusted chain' mean? +
We probe twice: once with verification disabled (so we can read the cert even if it's expired or self-signed), and once with the default trust store. If the second handshake fails, we mark the row 'untrusted' — typically means an expired cert, missing intermediate, hostname mismatch, or self-signed.
Why a 5-minute cache? +
Some servers rate-limit incoming TLS handshakes. The cache means a dashboard reload doesn't probe each domain again every page view. Hit 're-probe' on a row to force-refresh that one host.
Will my IP get flagged? +
No — we open a normal TLS handshake, no application payload, no anomalous patterns. It's identical to a single browser visit.
Can I monitor non-443 ports? +
Yes. Pick the port when you add the domain. Useful for IMAPS (993), SMTPS (465), MQTT (8883), Postgres SSL (5432), or anything else with a TLS endpoint.
Is there email alerting? +
Not yet — v1 is dashboard-driven. Email alerts and a background scheduler are coming next; subscribe and we'll roll them in.
Five domains free. Then $9.
No card to start. Add your first hostname now and see what your cert actually looks like.