Skip to main content
Learn more about SSL Monitors in the SSL monitor overview.
Use SSL Monitors to verify the health and security posture of your TLS certificates. The examples below show how to configure monitoring for common scenarios.
Before creating SSL Monitors, ensure you have:
  • An initialized Checkly CLI project
  • Network access to the HTTPS endpoint you want to monitor
  • The hostname (and optionally port) of the target server
For additional setup information, see CLI overview.

Configuration

SSL monitors have SSL-specific settings and inherit the standard monitor options shared across all check types.

SslMonitor Options

request
object
required
SSL connection configuration that defines the target host and all TLS-specific options.Usage:
Parameters:
degradedResponseTime
number
default:"3000"
TLS handshake time in milliseconds at or above which the monitor is marked as degraded (warning state). Range: 0–30,000 ms. Must be ≤ maxResponseTime.Usage:
maxResponseTime
number
default:"10000"
TLS handshake time in milliseconds at or above which the monitor is marked as failed. Range: 0–30,000 ms.Usage:

SslConfig Options

alertDaysBeforeExpiry
number
default:"20"
Raise a degraded alert when the certificate is within this many days of expiry. Range: 1–365.
serverName
string
SNI server name to send during the TLS handshake. Useful when a single IP hosts multiple certificates. Defaults to hostname when unset.
handshakeTimeout
number
default:"10000"
Maximum milliseconds to wait for the TLS handshake to complete. Range: 1,000–30,000 ms.
skipChainValidation
boolean
default:"false"
When true, the certificate chain is not verified against system trusted roots. The certificate is still inspected for expiry and the security baseline. Use for internal or self-signed certificates.
clientCertificateMode
'auto' | 'explicit'
Enables mutual TLS by sending a client certificate during the handshake.
  • 'auto' — Checkly selects a stored client certificate automatically.
  • 'explicit' — uses the certificate referenced by sslClientCertificateId.
Omit to connect without a client certificate.
sslClientCertificateId
string
The UUID of the stored client certificate to present during the TLS handshake. Required when clientCertificateMode is 'explicit'. Client certificates are managed under Settings → Client Certificates in the Checkly dashboard.
securityBaseline
SecurityBaseline
Override the default security baseline for this monitor. Omit to inherit the built-in default baseline.
SecurityBaseline parameters:Each rule’s severity can be 'fail' | 'degrade' | 'ignore'.

SslMonitor Assertions

Define assertions using the SslAssertionBuilder. Five entry points map to the assertion sources — certificate/connection take a property (a field selector); jsonResponse/textResponse take a JSONPath/regex: certificate(property) properties: daysUntilExpiry / keySizeBits (number — EQUALS / NOT_EQUALS / GREATER_THAN / LESS_THAN), subjectCN / issuerCN (string — also CONTAINS / NOT_CONTAINS), serialNumber / fingerprintSha256 / issuerFingerprintSha256 / keyAlgorithm / signatureAlgorithm (exact — EQUALS / NOT_EQUALS only), sans (list — CONTAINS / NOT_CONTAINS), selfSigned / isCA (boolean — EQUALS). connection(property) properties: tlsVersion (version — EQUALS / NOT_EQUALS / GREATER_THAN / LESS_THAN, ordered TLS1.0 < TLS1.3), cipherSuite / resolvedIp (string — also CONTAINS / NOT_CONTAINS), ocspStatus (exact — good / revoked / unknown), hostnameVerified / chainTrusted / ocspStapled (boolean — EQUALS). Examples:
Use the TlsVersion and CipherSuite constants for type-safe comparisons:
Learn more in our docs on Assertions.

General Monitor Options

name
string
required
Friendly name for your SSL Monitor, displayed in the Checkly dashboard and used in notifications.
frequency
Frequency
How often the SSL Monitor should run. Use the Frequency enum to set the check interval.
Available frequencies: EVERY_1M, EVERY_2M, EVERY_5M, EVERY_10M, EVERY_15M, EVERY_30M, EVERY_1H, EVERY_2H, EVERY_3H, EVERY_6H, EVERY_12H, EVERY_24H. SSL monitors do not support sub-minute frequencies (EVERY_10S / EVERY_20S / EVERY_30S).
locations
string[]
default:"[]"
Array of public location codes where the monitor should run from. Multiple locations provide geographic coverage.
activated
boolean
default:"true"
Whether the SSL Monitor is enabled and will run according to its schedule.

Examples