FourSight
    LoginStart free
    Start free
    Reliability & Infrastructure

    SSL Monitoring for Agencies & Multi-Client Teams

    Monitoring certificates across dozens of client domains you don't fully control: inventory, alert routing, client reporting, and commercial-use-safe tooling.

    8 min readGuide

    Client Certificates Are Your Problem, Even When They're Not Your Fault

    Agencies and multi-client teams occupy the worst seat in the certificate-expiry theater: responsible for outcomes on domains they don't fully control. The client owns the registrar account, the DNS may sit with a hosting company chosen years ago, renewal automation — if it exists — was configured by a predecessor, and when the certificate expires anyway, the browser warning appears on a site with your agency's name in the footer and your monthly invoice in the client's inbox. Whether SSL is contractually your responsibility barely matters; reputationally it always is. The discipline that separates agencies that get the 3 AM panic call from agencies that send the calm 'we caught this three weeks early' email is not deeper TLS expertise — it's inventory, monitoring, alert routing, and reporting, systematized across every client at once.

    Why Client Estates Fail Differently

    Your own infrastructure has one renewal story you can standardize. A 30-client portfolio has 30 different stories, and the variance is the risk. One client is on managed WordPress hosting that auto-renews flawlessly; another has a certbot cron on a VPS nobody has SSH'd into since the developer who set it up left; a third bought a 1-year certificate through their registrar and renewal is a calendar entry in someone's personal calendar. You often can't fix these renewal paths — the client controls the hosting relationship — which inverts the usual advice: when you can't own the renewal, you must own the detection. External monitoring is the only layer an agency can deploy uniformly across every client without needing credentials, hosting access, or the client's cooperation, because it observes exactly what the public internet observes.

    The Client Onboarding Checklist

    Make certificate discovery a standard onboarding step, not a reaction to the first incident. For every new client, enumerate the hostnames that serve TLS — the apex and www, subdomains for apps or booking systems or landing pages, and the mail domain if you manage email — then establish, in writing, who renews each certificate and how. That second question routinely surprises clients ('we assumed the hosting company handled it'), and surfacing the assumption is precisely the value. Add every hostname to your monitoring the same day; the checklist below compresses the process.

    Per-client SSL onboarding checklist:
    
    [ ] List public hostnames (apex, www, app/booking/landing subdomains)
    [ ] Check CT logs (crt.sh) for cert history + names the client forgot
    [ ] For each hostname, record:
          - current issuer + expiry date
          - renewal mechanism (host-managed / certbot / manual / unknown)
          - who fixes a failure (agency / client / hosting vendor + contact)
    [ ] Flag every "manual" or "unknown" renewal as an elevated risk
    [ ] Add an SSL monitor per hostname (expiry + chain + host-match)
    [ ] Route alerts to the account team channel for this client
    [ ] Record the client's escalation contact for 7-day emergencies

    Monitoring a Commercial SaaS?

    FourSight's free plan includes 10 commercial-safe monitors with multi-region validation — free forever, no card.

    Start Monitoring Free

    Alert Routing at Portfolio Scale

    Forty clients' worth of certificate alerts dumped into one #monitoring channel recreates the problem monitoring was meant to solve: everything is visible and nothing is seen. Routing needs two dimensions. By client: alerts should reach the account team that owns the relationship, because 'certificate on client X expires in 14 days' is an account-management task (someone may need to chase the client's hosting vendor) before it's a technical one. By urgency: a 30-day warning is a task for this week's client work; a 7-day warning on a still-unrenewed certificate should escalate like an incident, including to the client's own emergency contact if the renewal is on their side. FourSight's escalation policies support this pattern — per-monitor notification routing with time-based escalation — so the 3 AM page goes to your on-call only when a certificate is genuinely days from taking a client's revenue offline.

    Turning Monitoring into Retainer Value

    Certificate monitoring is one of the rare operational disciplines that converts directly into client-visible value. A monthly report line — 'certificates monitored: 4; earliest expiry: 41 days; renewal verified after your host's maintenance on the 12th' — costs minutes to produce from monitoring data and communicates vigilance in terms clients actually understand, because everyone has seen a browser security warning. Client-facing status pages compound this: a page per client showing their site's uptime and certificate health gives the retainer a permanent, self-serve artifact. On FourSight, status pages scale with plan tier (up to 25 on Scale, with white-label branding and custom domains), which maps naturally onto per-client pages that carry your agency's brand rather than your vendor's. The strategic effect is subtle but real: monitoring moves your agency from selling reactive fixes to demonstrating proactive custody.

    Tooling Economics and the Commercial-Use Question

    Two practical constraints shape agency tooling choices. The first is arithmetic: at roughly three TLS hostnames per client, a 30-client portfolio needs about 90 SSL monitors before counting HTTP checks — so per-monitor and per-seat pricing models deserve scrutiny at portfolio scale. FourSight's flat tiers put that estate in Growth ($40/mo, 100 monitors) or Pro ($80/mo, 250 monitors, SMS alerts), with all 8 check types included rather than priced as add-ons. The second constraint is frequently missed: terms of service. Monitoring client sites is commercial use by any reasonable definition, and some free tiers prohibit exactly that — UptimeRobot's free plan is restricted to non-commercial use per its announced 2025 policy (as published July 2026; verify current terms with the vendor). An agency running client monitoring on a non-commercial free tier has built its early-warning system on an account that can be suspended for cause. FourSight's free tier explicitly permits commercial use, including client work — though at 10 monitors it's a starting point for a small portfolio, not a 30-client solution.

    When the Client Won't Act

    Every agency eventually holds a 14-day warning for a certificate only the client can renew, while the client doesn't respond. Handle it as documented escalation: log each notification with dates, escalate past your day-to-day contact to the business owner as the window narrows, and state the impact in business language — 'your booking site will show a security warning to every visitor starting the 24th' lands where 'your TLS certificate lapses' doesn't. Offer the structural fix alongside the warning: agencies that take over renewal management (moving the client onto automation they control, or reselling managed hosting) convert a recurring fire drill into retainer scope. And when a client declines both the fix and the urgency, the paper trail your monitoring generated is what distinguishes 'the agency warned us five times' from 'the agency let our site break' — a distinction worth every minute of the documentation.

    Frequently Asked Questions

    Protect Your SaaS Revenue

    Start monitoring in under 60 seconds.