Prerequisites
Prerequisites
Before creating SSL Monitors, ensure you have:
- An initialized Checkly CLI project
- Network access to the HTTPS endpoint you want to monitor
- The hostname (and optionally port) of the target server
Configuration
SSL monitors have SSL-specific settings and inherit the standard monitor options shared across all check types.- SSL Monitor Settings
- General Monitor Settings
SslMonitor Options
SSL connection configuration that defines the target host and all TLS-specific options.Usage:Parameters:
TLS handshake time in milliseconds at or above which the monitor is marked as degraded (warning state). Range: 0–30,000 ms. Must be ≤
maxResponseTime.Usage:TLS handshake time in milliseconds at or above which the monitor is marked as failed. Range: 0–30,000 ms.Usage:
SslConfig Options
Raise a degraded alert when the certificate is within this many days of expiry. Range: 1–365.
SNI server name to send during the TLS handshake. Useful when a single IP hosts multiple certificates. Defaults to
hostname when unset.Maximum milliseconds to wait for the TLS handshake to complete. Range: 1,000–30,000 ms.
When
true, the certificate chain is not verified against system trusted roots. The certificate is still inspected for expiry and the security baseline. Use for internal or self-signed certificates.Enables mutual TLS by sending a client certificate during the handshake.
'auto'— Checkly selects a stored client certificate automatically.'explicit'— uses the certificate referenced bysslClientCertificateId.
The UUID of the stored client certificate to present during the TLS handshake. Required when
clientCertificateMode is 'explicit'. Client certificates are managed under Settings → Client Certificates in the Checkly dashboard.Override the default security baseline for this monitor. Omit to inherit the built-in default baseline.
SecurityBaseline parameters:Each rule’s
severity can be 'fail' | 'degrade' | 'ignore'.SslMonitor Assertions
Define assertions using the SslAssertionBuilder. Five entry points map to the assertion sources — certificate/connection take a property (a field selector); jsonResponse/textResponse take a JSONPath/regex:
certificate(property) properties: daysUntilExpiry / keySizeBits (number — EQUALS / NOT_EQUALS / GREATER_THAN / LESS_THAN), subjectCN / issuerCN (string — also CONTAINS / NOT_CONTAINS), serialNumber / fingerprintSha256 / issuerFingerprintSha256 / keyAlgorithm / signatureAlgorithm (exact — EQUALS / NOT_EQUALS only), sans (list — CONTAINS / NOT_CONTAINS), selfSigned / isCA (boolean — EQUALS).
connection(property) properties: tlsVersion (version — EQUALS / NOT_EQUALS / GREATER_THAN / LESS_THAN, ordered TLS1.0 < TLS1.3), cipherSuite / resolvedIp (string — also CONTAINS / NOT_CONTAINS), ocspStatus (exact — good / revoked / unknown), hostnameVerified / chainTrusted / ocspStapled (boolean — EQUALS).
Examples:
TlsVersion and CipherSuite constants for type-safe comparisons:
General Monitor Options
Friendly name for your SSL Monitor, displayed in the Checkly dashboard and used in notifications.
How often the SSL Monitor should run. Use the Available frequencies:
Frequency enum to set the check interval.EVERY_1M, EVERY_2M, EVERY_5M, EVERY_10M, EVERY_15M, EVERY_30M, EVERY_1H, EVERY_2H, EVERY_3H, EVERY_6H, EVERY_12H, EVERY_24H. SSL monitors do not support sub-minute frequencies (EVERY_10S / EVERY_20S / EVERY_30S).Array of public location codes where the monitor should run from. Multiple locations provide geographic coverage.
Whether the SSL Monitor is enabled and will run according to its schedule.
Examples
- Basic Expiry Alert
- Strict TLS Policy
- Internal / Self-Signed Cert
- mTLS Endpoint
- SNI Override