New announcements for Serverless, Network, RUM, and more from Dash! New announcements from Dash!


Agent Check Agent Check

Supported OS: Linux Mac OS Windows


This check monitors TLS protocol versions, certificate expiration & validity, etc.

Note: Currently, only TCP is supported.



The TLS check is included in the Datadog Agent package. No additional installation is needed on your server.


  1. Edit the tls.d/conf.yaml file, in the conf.d/ folder at the root of your Agent’s configuration directory to start collecting your TLS data. See the sample tls.d/conf.yaml for all available configuration options.

  2. Restart the Agent.


Run the Agent’s status subcommand and look for tls under the Checks section.

Data Collected


Days until X.509 certificate expiration
shown as day
Seconds until X.509 certificate expiration
shown as second
  • tls.can_connect - Returns CRITICAL if the Agent is unable to connect to the monitored endpoint, otherwise returns OK.
  • tls.version - Returns CRITICAL if a connection is made with a protocol version that is not allowed, otherwise returns OK.
  • tls.cert_validation - Returns CRITICAL if the certificate is malformed or does not match the server hostname, otherwise returns OK.
  • tls.cert_expiration - Returns CRITICAL if the certificate has expired or expires in less than days_critical/seconds_critical, returns WARNING if the certificate expires in less than days_warning/seconds_warning, otherwise returns OK.


TLS does not include any events.


Need help? Contact Datadog support.

Mistake in the docs? Feel free to contribute!