Monitor the public paths that create incidents
Cover app, API, CDN, identity, docs, status, and customer-facing hostnames where a certificate problem can become a confusing customer failure.
- Tag endpoints by service, environment, and responsible team.
- Separate production from lower-risk environments so urgent channels stay useful.
- Use certificate snapshots during CDN, load balancer, and hostname migrations.
| Failure class | First owner | Typical action |
|---|---|---|
| DNS | DNS, registrar, or platform owner | Check records, delegation, provider status, and recent zone changes. |
| TCP | Network, hosting, load balancer, or CDN owner | Check port, firewall, listener, proxying, and public reachability. |
| TLS handshake | Ingress, load balancer, reverse proxy, or server owner | Check SNI, protocol, cipher, listener, and TLS termination config. |
| Hostname mismatch | Certificate or platform owner | Check SAN list, SNI hostname, and certificate binding. |
| Expiry or active-window | Renewal and deployment owner | Renew, deploy, reload, and verify the served certificate changed. |
| Trust chain | Server, CDN, or certificate owner | Install intermediates, fix chain order, or replace untrusted origin certificates. |