Monitoring SSL Certificate Expiration with Nagios XI

Picture of Joe Johnson
Joe Johnson
IT Specialist
SSL certificate lock

Last updated: July 9th, 2026

Introduction

SSL certificates play a crucial role in securing websites and applications by encrypting communication. Expired SSL certificates can lead to security warnings, service disruptions, and loss of trust from users. Nagios XI provides a reliable way to monitor SSL certificates and ensure they are renewed before expiration. This guide will walk you through setting up SSL certificate expiration monitoring in Nagios XI.

Why Monitor SSL Certificate Expiration?

  • Avoid Service Interruptions – Prevent downtime due to expired certificates.
  • Enhance Security – Ensure continued encryption and protection.
  • Maintain Compliance – Meet security standards and best practices.
  • Automate Monitoring – Receive alerts before certificates expire.

Option 1: Using the Website Wizard

The built-in Website Wizard in Nagios XI (which uses the check_http plugin), provides the easiest approach to setting up SSL Certificate monitoring. Simply use an https URL in Step 1, and you will see an SSL Certificate check option in Step 2. The Days to Expiration threshold sets the check to alert you if the certificate will expire within the set number of days.

The output of the check will provide you with details on the number of days left before expiration:

Screenshot of an SSL Certificate expiration check for nagios.org in Nagios XI
The Website Wizard’s SSL Certificate check in action.

You can learn more about the Website Wizard in this guide:

How To Monitor Websites with Nagios XI

Option 2: Using a Custom Plugin

Nagios XI also enables you to use custom plugins, and the check_ssl_cert plugin is commonly used.

Step 1: Install the Required Plugin

Installing check_ssl_cert

cd /usr/local/nagios/libexec
wget https://raw.githubusercontent.com/matteocorti/check_ssl_cert/master/check_ssl_cert
chmod +x check_ssl_cert

Step 2: Create a New Command in Nagios XI

  • Log in to Nagios XI and navigate to Configure > Core Config Manager.
  • Go to Commands and click Add New Command.
  • Configure the command as follows:
    • Command Name:
check_ssl_certificate
  • Command Line:
$USER1$/check_ssl_cert -H $ARG1$ -w $ARG2$ -c $ARG3$
  • Description: Monitors SSL certificate expiration.
  • Click Save and Apply Configuration.

Step 3: Add a New Service to Monitor SSL Expiration

  1. Go to Configure > Core Config Manager > Services.
  2. Click Add New Service.
  3. Configure the service:
    • Host: Select the target website or server.
    • Check Command: check_ssl_certificate.
    • Arguments:
      • $ARG1$ – The domain name (e.g., example.com).
      • $ARG2$ – Warning threshold in days (e.g., 30 for 30 days before expiration).
      • $ARG3$ – Critical threshold in days (e.g., 15 for critical alerts within 15 days).
    • Check Interval: Set the frequency of checks.
    • Click Save and Apply Configuration.

Step 4: Test the SSL Monitoring Setup

After configuration, force a check in Nagios XI:

/usr/local/nagios/libexec/check_ssl_cert -H example.com -w 30 -c 15

If the certificate is valid, the output should indicate the number of days remaining before expiration.

Step 5: Configure Notifications and Alerts

  1. Go to Configure > Notification Preferences.
  2. Enable email or SMS notifications.
  3. Set up escalation rules to alert different teams as the expiration date nears.

Conclusion

Monitoring SSL certificates with Nagios XI ensures your website and applications remain secure and accessible. By setting up automated checks and alerts, you can avoid expired SSL issues and maintain continuous encryption. Regularly review your SSL monitoring setup to ensure effectiveness and compliance with security best practices.

Share: