Change detection

Renewed is not the same as served.

A certificate can be issued correctly and still not be the certificate customers receive. Domain Trust Watch compares what the public endpoint serves across checks.

Workspace preview

Certificate health

Live checks

api.domaintrustwatch.com

Valid
84 days

checkout.example.com

Warning
13 days

idp.example.com

Issuer changed
2h ago
No private keysEmail verificationSigned webhooks
Hostname evidence

A complete certificate record for one monitored endpoint.

Monitor detail keeps the served certificate, SAN coverage, fingerprint history, check timeline, and alert delivery attempts attached to the hostname.

01

Compare the certificate customers can receive

Domain Trust Watch compares the latest successful check with the previous certificate for that monitor. The diff focuses on fields teams review after renewals, CDN changes, and load-balancer updates.

  • Issuer, serial number, SAN list, and fingerprint.
  • Validity window, chain depth, and validation state.
  • Probe failures that explain why the certificate could not be read.
Example served-certificate diff
FieldBefore renewalAfter checkWhy review it
IssuerR3E6Confirms whether the expected CA or platform issued the served certificate.
SANswww.example.com, example.comexample.com onlyCatches missing hostnames before clients see mismatch errors.
Fingerprint4F:91:...A8:22:...Proves the public endpoint actually changed certificates.
ValidityExpires Jun 18Expires Sep 16Shows whether the public result moved to the new renewal window.
Chain depth32Flags intermediate-chain changes that may affect older clients.
ValidationValidHostname mismatchSeparates successful renewal from an unsafe public binding.
02

Catch mistakes after platform changes

A CDN, edge, or load balancer can keep serving an old certificate after renewal, drop a hostname from SANs, or change the trust chain during a migration. The event keeps the before and after details near the hostname.

  • Confirm the renewed certificate includes the expected names.
  • Review issuer and chain changes after CA or CDN moves.
  • Keep the diff out of chat logs and close to the monitor history.
03

Use the right tool for CT monitoring

Domain Trust Watch watches the certificate served during TLS checks. Certificate Transparency monitoring answers a separate security question: which certificates were issued for a name.

  • Use this page for public serving-state review.
  • Use CT-oriented tools when unexpected issuance discovery is the main requirement.
  • Use Domain Trust Watch when renewal verification and public hostname history are the problem.
FAQ2 answers
  1. What certificate changes does Domain Trust Watch detect?

    Domain Trust Watch detects changes to issuer, SANs, serial number, fingerprint, validity dates, chain depth, and validation state for the certificate served by a public hostname.

  2. Is certificate change detection the same as Certificate Transparency monitoring?

    No. Domain Trust Watch compares certificates served during public TLS checks. Certificate Transparency monitoring is a separate security requirement.

Verify the public result

Check the hostname after a renewal, CDN move, or certificate change.

The free checker shows what the hostname serves right now. Monitoring keeps the before and after history.