How to Configure SSL Alert Thresholds
Alert thresholds control when Aideworks notifies you about approaching SSL certificate expiry. This guide covers the default configuration, how to adjust thresholds to match your renewal workflow, and how to set per-domain overrides.
Why thresholds matter
- SSL certificates expire regardless of whether anyone is watching.
- With CA/B Forum mandated lifetimes heading toward 47 days by 2029, renewal cycles are shortening.
- Agencies managing dozens of clients need enough lead time to renew without rushing — typically 30+ days.
- Over-alerting causes alert fatigue; under-alerting misses critical windows. Configurable thresholds let you balance both.
Default thresholds
Aideworks ships with four alert levels for SSL expiry, each triggering a separate notification:
60
Advanced notice
30
Warning
14
Urgent
7
Critical
These defaults work well for most agencies. For clients on auto-renewal with a managed DNS and hosting stack, the 60-day notice gives you time to confirm renewal is configured. For clients on manual renewal, 30 and 14 days are your actionable windows to issue a new certificate.
Step 1 — Open alert threshold settings
Navigate to Settings → Alerts in the top navigation or sidebar. The SSL expiry thresholds section shows the four current threshold values and their associated severity levels.
Step 2 — Adjust the Warning threshold
Click the threshold value you want to change. Each threshold accepts a number between 1 and 365 days. The warning threshold is typically the first actionable alert — the point at which your team should confirm a renewal is in progress or schedule it.
For agencies using 90-day Let's Encrypt certificates with manual renewal, consider raising the warning threshold to 45 days to give a comfortable two-week notice before the midpoint of the certificate's validity window.
Step 3 — Adjust the Critical threshold
The critical threshold triggers your highest-priority notification channel (typically SMS, PagerDuty, or urgent Slack channel). Set this to a value that reflects how much time your team realistically needs to issue and deploy a replacement certificate in an emergency — typically 7–14 days.
Rule of thumb: critical threshold = your longest realistic emergency renewal time × 2. If deploying a certificate under pressure takes up to 2 days (DNS propagation + validation + deployment), set your critical threshold to at least 4–7 days.
Step 4 — Recommended thresholds by workflow
| Workflow | Notice | Warning | Critical |
|---|---|---|---|
| Auto-renewal (ACME/Let's Encrypt) | 60d | 20d | 7d |
| Managed renewal (agency handles) | 60d | 30d | 14d |
| Client-managed (you just monitor) | 90d | 45d | 21d |
| 47-day certs (2029 standard) | 30d | 14d | 5d |
Step 5 — Per-domain threshold overrides
Global thresholds apply to all domains in your account. For individual domains that need different settings — for example, a high-stakes e-commerce site that needs earlier warnings — use per-domain overrides:
- Open the domain detail page.
- Navigate to SSL → Alert settings.
- Toggle Use custom thresholds.
- Enter the per-domain values. These override global settings for this domain only.
Per-domain overrides are shown with a badge in the domain list so you can quickly see which domains are using custom alert schedules.
Step 6 — Verify alert delivery
After adjusting thresholds, confirm your notification channels are properly configured by checking Settings → Notifications. Then use theSend test alert option on any domain to confirm the end-to-end pipeline works before you rely on it.