---
title: TLS
description: Monitor TLS for protocol version, certificate expiration & validity, etc.
---

# TLS

**Integration version:** 5.6.1

## Overview{% #overview %}

This check monitors [TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security) protocol versions, certificate expiration and validity, etc.

**Notes**:

1. Only TCP is supported.
1. Only leaf / end user certificates are verified (not intermediate and root certificates).

**Minimum Agent version:** 6.12.0

## Setup{% #setup %}

### Installation{% #installation %}

The TLS check is included in the [Datadog Agent](https://app.datadoghq.com/account/settings/agent/latest) package. No additional installation is needed on your server.

### Configuration{% #configuration %}

{% tab title="Host" %}
#### Host{% #host %}

To configure this check for an Agent running on a host:

1. Edit the `tls.d/conf.yaml` file in the `conf.d/` folder at the root of your Agent's configuration directory to start collecting your TLS data. See the [sample tls.d/conf.yaml](https://github.com/DataDog/integrations-core/blob/master/tls/datadog_checks/tls/data/conf.yaml.example) for all available configuration options.

1. [Restart the Agent](https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent).

{% /tab %}

{% tab title="Containerized" %}
#### Containerized{% #containerized %}

For containerized environments, see the [Autodiscovery Integration Templates](https://docs.datadoghq.com/agent/kubernetes/integrations/) for guidance on applying the parameters below.

| Parameter            | Value                                  |
| -------------------- | -------------------------------------- |
| `<INTEGRATION_NAME>` | `tls`                                  |
| `<INIT_CONFIG>`      | blank or `{}`                          |
| `<INSTANCE_CONFIG>`  | `{"server": "%%host%%", "port":"443"}` |

**Note**: If you are using internal certificates that are not from a well-known, trusted CA, certain metrics may not report to Datadog. Use `tls_verify: false` in your integration template to report all metrics in this instance.
{% /tab %}
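
A sample `tls.d/conf.yaml` for the host setup above, added here as an illustration and not copied from the Datadog sample file. Hostnames, the CA path and the threshold values are placeholders; `allowed_versions` and `tls_ca_cert` are assumed from the linked sample configuration, so confirm them there before use.

```yaml
# Added example. All hostnames, paths and threshold values are placeholders.
init_config:

instances:
  # Public endpoint: certificate verification stays at its default,
  # and the tls.cert_expiration thresholds are set explicitly.
  - server: www.example.com
    port: 443
    days_warning: 30     # tls.cert_expiration returns WARNING below this
    days_critical: 14    # tls.cert_expiration returns CRITICAL below this
    allowed_versions:    # assumed option; drives the tls.version service check
      - TLSv1.2
      - TLSv1.3

  # Internal endpoint signed by a private CA: give the check the CA bundle
  # so the certificate can still be verified (assumed option: tls_ca_cert).
  - server: internal.example.net
    port: 8443
    tls_ca_cert: /etc/ssl/private-ca/ca.pem
    days_warning: 30
    days_critical: 14

  # The setting from the note above: all metrics report, but certificate
  # verification is disabled for this instance.
  - server: legacy.example.net
    port: 443
    tls_verify: false
```

Restart the Agent after editing the file, as in the host steps.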

### Validation{% #validation %}

[Run the Agent's status subcommand](https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information) and look for `tls` under the Checks section.

## Data Collected{% #data-collected %}

### Metrics{% #metrics %}

| Metric                          | Description                                                                     |
| ------------------------------- | ------------------------------------------------------------------------------- |
| **tls.days\_left** (gauge)      | Days until X.509 certificate expiration. *Shown as day*                         |
| **tls.issued\_days** (count)    | Length of the period the certificate is issued for, in days. *Shown as day*     |
| **tls.issued\_seconds** (count) | Length of the period the certificate is issued for, in seconds. *Shown as second* |
| **tls.seconds\_left** (gauge)   | Seconds until X.509 certificate expiration. *Shown as second*                   |

### Events{% #events %}

TLS does not include any events.

### Service Checks{% #service-checks %}

**tls.can\_connect**

Returns `CRITICAL` if the Agent is unable to connect to the monitored endpoint, otherwise returns `OK`.

*Statuses: ok, critical*

**tls.version**

Returns `CRITICAL` if a connection is made with a protocol version that is not allowed, otherwise returns `OK`.

*Statuses: ok, critical*

**tls.cert\_validation**

Returns `CRITICAL` if the certificate is malformed or does not match the server hostname, otherwise returns `OK`.

*Statuses: ok, critical*

**tls.cert\_expiration**

Returns `CRITICAL` if the certificate has expired or expires in less than `days_critical`/`seconds_critical`, returns `WARNING` if the certificate expires in less than `days_warning`/`seconds_warning`, otherwise returns `OK`.

*Statuses: ok, warning, critical*

## Troubleshooting{% #troubleshooting %}

Need help? Contact [Datadog support](https://docs.datadoghq.com/help/).
