Staged warnings before the panic
Checks run against the certificate your public hostname presents. Domain Trust Watch warns at 30, 14, 7, 3, and 1 days before expiry, then marks the hostname expired when the validity window has closed.
- Use 30-day and 14-day warnings for normal renewal planning.
- Use 7-day, 3-day, and 1-day warnings for watched operational channels.
- Use expired events to separate certificate problems from DNS, TCP, and TLS listener failures.
| Window | What the team should do | Typical channel |
|---|---|---|
| 30 days | Confirm owner, renewal path, and DNS or ACME assumptions. | Shared inbox or renewal queue. |
| 14 days | Check whether automation has started and whether the public certificate changed. | Shared inbox plus watched operations channel. |
| 7 days | Treat failed automation as active risk and assign a deploy owner. | Slack or signed webhook to ticketing. |
| 3 days | Escalate deployment, reload, CDN, or vendor work. | Watched operational channel. |
| 1 day or expired | Handle as critical customer-facing risk. | Critical alert route with delivery evidence. |