Certificate & expiration monitoring

Every expired‑cert outage was already on your calendar.

You just couldn't see it. notAfter watches every TLS certificate, domain, and hardware end‑of‑life date across your estate — public and inside your firewall — and warns you weeks before renewal, in Slack, Teams, or email.

Free public‑cert report, no account. Internal certs need the lightweight agent — join below.

notafter · estate monitor 3 tracked · sample
api.acme.io
DigiCert TLS RSA · expires 2026‑07‑13
3days
vpn.internal.acmeinternal
Acme Issuing CA · only visible with the agent
21days
www.acme.io
Let's Encrypt R3 · auto‑renews
74days
next alert → #ops‑alerts 60 / 30 / 7 / 1 day
The blind spot

The certificate that takes you down is the one you can't see.

Free checkers ping public URLs. But the outages that page you at 2am come from the certs with no public DNS — internal apps, VPN concentrators, load balancers, phone systems, expired appliance certs on the LAN. notAfter runs a tiny read‑only agent inside your network, so those are covered too.

Public‑URL checkers

Only what the internet can reach

  • Public websites with a valid DNS name
  • Blind to internal PKI, VPNs, appliances
  • Miss the mail, phone & app‑server certs
  • Certs only — nothing on hardware EOL
notAfter

Everything, inside and out

  • Public certs — paste a list, done in seconds
  • Internal certs via a read‑only agent
  • Domain registration & DNS expiry
  • Hardware EOL/EOS & support contracts
Coverage

One deadline board for everything that expires.

Certificates are the wedge. The real win is that nothing with a renewal date gets to surprise you again.

TLS / SSL

Certificates

Public and internal. Expiry, issuer, chain, SANs — with the exact days remaining.

Domains

Registrations & DNS

Domain registration and DNS expiry, so a lapsed renewal never drops your name.

Hardware

EOL / EOS

End‑of‑life and end‑of‑sale for switches, servers, and firewalls — matched from a scan.

Contracts

Support & warranty

SmartNet, ProSupport, and vendor contracts, imported straight from your spreadsheet.

How it works

Live in five minutes. Quiet until it matters.

Your estate
Public certs & domains
Internal certs · via agent
notAfter

Re-checks everything on a schedule and ranks it by days to expiry — no noise until something's actually close.

You're warned
Slack · Teams · Email
60 / 30 / 7 / 1 day out
STEP 1

Connect

Paste your public domains for an instant report. Drop the read‑only agent on any box to reach what's inside the firewall.

STEP 2

We watch

Every certificate, domain, and lifecycle date is re‑checked automatically and ranked by how close it is to expiry.

STEP 3

You get warned

Alerts fire at 60, 30, 7, and 1 day out — to Slack, Teams, or email — so renewal happens on your schedule, not at 2am.

SlackMicrosoft TeamsEmailWebhook
Pricing

Start free. Pay when it's saving you outages.

Early‑access pricing for the first teams. Lock it in from the waitlist.

Free
$0
For an individual keeping an eye on a handful of public certs.
  • Up to 25 public certificates
  • Domain expiry monitoring
  • Email alerts
  • Weekly deadline digest
Get started
Most teams
Pro
$49 / mo
For an IT team that also needs to see inside the network.
  • Unlimited public & internal certs
  • Read‑only network agent
  • Hardware EOL & contract tracking
  • Slack, Teams & webhook alerts
  • CSV import & scheduled reports
Join the waitlist
MSP
Custom
Manage every client's expirations from one console — and resell it.
  • Multi‑tenant, per‑client isolation
  • White‑label reports
  • Roll‑up alerting & RBAC
  • Priority support
Talk to us
Questions

The things sysadmins ask first.

What can the agent actually see?

It's read‑only and outbound‑only — no inbound ports, no changes to anything. It opens a TLS connection to the hosts you list, reads the certificate that's presented, and reports the expiry, issuer, and SANs. That's the whole job.

Do you ever touch our private keys?

Never. A TLS handshake doesn't expose the private key — it can't, by design. We only ever see the public certificate, the exact same one every browser already sees.

We only have public sites. Do we need the agent?

No. Paste your domains and get a report in seconds — nothing to install. The agent is only for certs with no public DNS: internal apps, VPNs, load balancers, phone systems.

Is it only certificates?

Certificates are the wedge. It also tracks domain/DNS expiry, hardware end‑of‑life and end‑of‑sale, and support‑contract renewals — one board for everything with a deadline.

How do the alerts reach us?

Slack, Microsoft Teams, email, or a plain webhook — at 60, 30, 7, and 1 day before each date, so renewal happens on your schedule instead of during an outage.

Can we self‑host it?

Yes — that's the plan for security‑conscious teams and MSPs who won't send infrastructure data to someone else's cloud. Ask about self‑hosted when you join.

Free cert report

See what's about to expire — before it does.

Send your domains and we'll email you a full certificate report: what's live, what's expiring, and when. No account, no sales call.

Built by network engineers who got paged one too many times. We'll never share your list.