X.509 certificate icon

X.509 certificate

X.509 certificate

Plugin: go.d.plugin Module: x509check


This collectors monitors x509 certificates expiration time and revocation status.

This collector is supported on all platforms.

This collector supports collecting metrics from multiple instances of this integration, including remote instances.

Default Behavior


This integration doesn’t support auto-detection.


The default configuration for this integration does not impose any limits on data collection.

Performance Impact

The default configuration for this integration is not expected to impose a significant performance impact on the system.



No action required.



The configuration file name for this integration is go.d/x509check.conf.

You can edit the configuration file using the edit-config script from the Netdata config directory.

cd /etc/netdata 2>/dev/null || cd /opt/netdata/etc/netdata
sudo ./edit-config go.d/x509check.conf


The following options can be defined globally: update_every, autodetection_retry.

Name Description Default Required
update_every Data collection frequency. 1 False
autodetection_retry Recheck interval in seconds. Zero means no recheck will be scheduled. 0 False
source Certificate source. Allowed schemes: https, tcp, tcp4, tcp6, udp, udp4, udp6, file. False
days_until_expiration_warning Number of days before the alarm status is warning. 30 False
days_until_expiration_critical Number of days before the alarm status is critical. 15 False
check_revocation_status Whether to check the revocation status of the certificate. False False
timeout SSL connection timeout. 2 False
tls_skip_verify Server certificate chain and hostname validation policy. Controls whether the client performs this check. False False
tls_ca Certification authority that the client uses when verifying the server’s certificates. False
tls_cert Client TLS certificate. False
tls_key Client TLS key. False


Website certificate

Website certificate.

  - name: my_site_cert
    source: https://my_site.org:443

Local file certificate

Local file certificate.

  - name: my_file_cert
    source: file:///home/me/cert.pem

SMTP certificate

SMTP certificate.

  - name: my_smtp_cert
    source: smtp://smtp.my_mail.org:587


Note: When you define more than one job, their names must be unique.

Check the expiration status of the multiple websites' certificates.

  - name: my_site_cert1
    source: https://my_site1.org:443

  - name: my_site_cert2
    source: https://my_site1.org:443

  - name: my_site_cert3
    source: https://my_site3.org:443


Metrics grouped by scope.

The scope defines the instance that the metric belongs to. An instance is uniquely identified by a set of labels.

Per source

These metrics refer to the configured source.


Label Description
source Configured source.


Metric Dimensions Unit
x509check.time_until_expiration expiry seconds
x509check.revocation_status revoked boolean


The following alerts are available:

Alert name On metric Description
x509check_days_until_expiration x509check.time_until_expiration time until x509 certificate expires
x509check_revocation_status x509check.revocation_status x509 certificate revocation status (0: revoked, 1: valid)


Debug Mode

To troubleshoot issues with the x509check collector, run the go.d.plugin with the debug option enabled. The output should give you clues as to why the collector isn’t working.

  • Navigate to the plugins.d directory, usually at /usr/libexec/netdata/plugins.d/. If that’s not the case on your system, open netdata.conf and look for the plugins setting under [directories].

    cd /usr/libexec/netdata/plugins.d/
  • Switch to the netdata user.

    sudo -u netdata -s
  • Run the go.d.plugin to debug the collector:

    ./go.d.plugin -d -m x509check

Get Netdata

Sign up for free

Want to see a demonstration of Netdata for multiple use cases?

Go to Live Demo