Manual SSL Certificate Management for Third-Party Services (and How to Monitor It)
Custom domains on third-party platforms (CleverReach, SendGrid, Mailchimp, HubSpot, Zendesk, CDNs) often require manual SSL certificate uploads and renewals. When that renewal is missed, the failure is frequently silent: the service doesn't always surface it in your app logs, but customers see browser warnings and campaigns break.
What you'll learn
- Why manual SSL certificate management is common for third-party services
- Where renewals fail silently (and why internal logs are not enough)
- Which third-party vendors most commonly require manual SSL uploads
- How to build a simple inventory and renewal process that doesn't get forgotten
- How to check certificate expiry dates programmatically
The hidden challenge of third-party SSL
On your own infrastructure, TLS often auto-renews via Let's Encrypt or a hosting provider. But for many third-party platforms, the SSL certificate for your branded domain is an operational responsibility: you upload a certificate once, then must remember to renew and re-upload it later.
This creates a reliability gap: marketing or ops sets up a custom domain, then nobody owns the renewal until it breaks. In practice, it breaks at the worst time: a campaign launch, a sales event, or a high-traffic landing page.
Common services that require manual certificate uploads
The exact workflow differs per vendor, but the failure mode is consistent: a certificate is a time-bomb. Typical examples:
Email & marketing platforms
- CleverReach custom landing page or branded tracking domains
- SendGrid branded links and custom domain authentication
- Mailchimp landing pages / sender domains (depending on setup)
- ActiveCampaign tracking domains
Support portals & customer comms
- Zendesk help center custom domains
- Intercom branded domains
- Help Scout docs sites
CDN & edge products
- Cloudflare custom certificates
- CloudFront (ACM-managed certs still require lifecycle monitoring)
- Fastly custom TLS configuration
Landing pages & form builders
- Unbounce custom domains
- Typeform custom form domains
- Jotform custom domains
Why this fails silently
Manual SSL management fails for reasons that are operational, not technical:
- No centralized inventory of custom domains and their expiry dates
- The original implementer left, and ownership is unclear
- Calendar reminders get snoozed, ignored, or never created
- Each vendor has different certificate formats and upload steps
- Run it on a predictable cadence (cron monitoring)
- Alert early enough to renew and re-upload before users are affected
- Keep ownership clear (who renews, who uploads, and where it's documented)
Example: check a domain's expiry
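The following is an added example, not code from the original article or from watchflow: a standard-library Python check that reads the certificate a custom domain actually serves and maps the days remaining onto the 90/60/30/7-day thresholds from the best-practices list. The function names and the `example.com` inventory are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Alert thresholds in days, taken from the article's best-practices list.
THRESHOLDS = (90, 60, 30, 7)

def fetch_not_after(host, port=443, timeout=10):
    """Return the notAfter string of the certificate served for `host` (via SNI)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def days_left(not_after, now):
    """Whole days from `now` (aware datetime) until notAfter; negative once expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days

def status(days, thresholds=THRESHOLDS):
    """Map days remaining to 'expired', 'alert-<N>d' (tightest threshold crossed) or 'ok'."""
    if days < 0:
        return "expired"
    crossed = [t for t in thresholds if days <= t]
    return f"alert-{min(crossed)}d" if crossed else "ok"

def check(host, now=None, fetch=fetch_not_after):
    """Check one inventory entry; connection and handshake failures are reported, not raised."""
    now = now or datetime.now(timezone.utc)
    try:
        d = days_left(fetch(host), now)
    except ssl.SSLCertVerificationError as exc:
        # A certificate that is already expired or does not match the host
        # fails the verified handshake, so notAfter can never be read here.
        return host, "invalid", getattr(exc, "verify_message", str(exc))
    except OSError as exc:
        return host, "unreachable", str(exc)
    return host, status(d), f"{d} days left"

if __name__ == "__main__":
    # Constructed inventory; replace with your own custom domains.
    for domain in ("links.example.com", "help.example.com"):
        print(*check(domain), sep="\t")
```

Run it once a day from cron and route any line whose status is not `ok` to your alert channel.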
How watchflow solves the third-party SSL management problem
watchflow provides a centralized solution for monitoring all your SSL certificates, regardless of where they're hosted:
Centralized Dashboard
Monitor all your SSL certificates across CleverReach, Mailchimp, HubSpot, Zendesk, and other platforms in one place. No more spreadsheets or scattered calendar reminders.
Customizable Alert Timing
Set alerts for 7, 14, 30, 60, or 90 days before expiration. Get multiple reminders to ensure you have time to renew certificates before they expire.
Multi-Channel Notifications
Receive alerts via email, webhook, Slack, or Microsoft Teams. Ensure the right team members are notified at the right time.
Automatic Daily Checks
watchflow automatically checks all your certificates daily, so you never have to remember to manually verify expiration dates.
Status Overview
See which certificates are valid, expiring soon, or already expired at a glance. Prioritize renewals based on urgency.
Developer-Friendly API
Integrate SSL monitoring into your existing workflows, ticketing systems, or automation tools using our simple API.
Best practices for managing SSL certificates on third-party services
Follow these best practices to ensure your SSL certificates never expire unexpectedly:
- Create an SSL certificate inventory: Document all custom domains across all third-party services. Include the service name, domain, certificate issuer, and expiration date.
- Use SSL monitoring tools: Implement automated monitoring with watchflow to track certificates in one place.
- Set multiple alert thresholds: Configure alerts at 90, 60, 30, and 7 days before expiration to give yourself multiple opportunities to renew.
- Assign clear ownership: Designate specific team members responsible for renewing certificates on each platform.
- Document renewal procedures: Create step-by-step guides for renewing certificates on each platform, including screenshots and login requirements.
- Test after renewal: Always verify that the new certificate is working correctly after upload.
- Use longer certificate validity when possible: When feasible, purchase longer-validity certificates to reduce renewal frequency (note: many CAs now limit validity to 1 year).
- Maintain a renewal calendar: In addition to automated monitoring, maintain a shared team calendar with renewal dates.
Frequently Asked Questions (FAQs)
1. Why do third-party services require manual SSL certificate management?
When you use a custom domain with CNAME records on platforms like CleverReach or Mailchimp, the service doesn't have direct control over your domain's DNS. It therefore can't automatically issue or renew SSL certificates the way it can for its default domains. You must obtain and upload certificates manually.
2. How often do I need to renew SSL certificates on third-party services?
Most SSL certificates are valid for one year. You'll need to renew and re-upload certificates annually or biannually, depending on your certificate type.
3. Can watchflow automatically renew my certificates?
watchflow monitors and alerts you before certificates expire, but it doesn't automatically renew them. You'll still need to obtain new certificates from your Certificate Authority and upload them to each service.
4. What happens if I don't renew an SSL certificate on CleverReach or similar services?
If an SSL certificate expires on a service like CleverReach, emails sent from your custom domain may fail, landing pages can show security warnings, and users won't be able to access your content. This can severely impact your marketing campaigns and customer trust.
5. How many domains can I monitor with watchflow?
This depends on your plan. Choose a limit based on how many certificates you need to track and how frequently you want to check them.
6. Can I get alerts via Slack or Microsoft Teams?
Yes. watchflow supports multiple notification channels including email, webhooks, Slack, and Microsoft Teams so you can route alerts to the tools your team already uses.
7. Is there an API for integrating SSL monitoring into my existing tools?
Yes. watchflow provides an API that allows you to integrate certificate monitoring into your existing workflows, ticketing systems, or custom dashboards.
Conclusion
Manual SSL certificate management for third-party services is easy to forget because it's spread across tools and teams. The safest approach is a centralized inventory, clear ownership, and proactive renewal reminders. If you use multiple vendors (marketing platforms, CDNs, support portals), treat certificate renewals like any other operational dependency.