How to Check SSL Certificate Expiration

SSL certificates have a finite validity period. Since 2020, the maximum validity period for publicly trusted certificates has been 398 days, and many certificate authorities issue certificates for 90 days (particularly free certificates from Let's Encrypt). When a certificate expires, browsers stop trusting it and display a warning page that most visitors interpret as a sign the website is dangerous or unprofessional.

For businesses, the consequences are immediate. Visitors who see a security warning typically leave without engaging. If your site handles any form data — contact forms, login pages, booking systems — an expired certificate means that data transmission is no longer encrypted, which creates both a trust problem and a potential compliance concern. Search engines also factor HTTPS status into their crawling behavior, so an expired certificate can affect how your pages are indexed.

The most common reason certificates expire unexpectedly is that auto-renewal failed silently. This can happen due to DNS changes, hosting provider issues, domain validation failures, or billing problems with paid certificates. Checking your certificate expiration date proactively — and setting up monitoring to track it continuously — helps prevent these surprises.

The simplest way to check your SSL certificate expiration is directly in your web browser. This method requires no special tools or technical knowledge and works on any computer. It is ideal for a quick manual check when you want to verify the current status of your certificate.

In Google Chrome or Microsoft Edge, navigate to your website and click the padlock icon in the address bar. Click 'Connection is secure' (or 'Connection is valid'), then click 'Certificate is valid'. A dialog opens showing certificate details including the issuer, the validity period, and the expiration date. Look for the 'Valid from' and 'Valid to' fields — the 'Valid to' date is your expiration date.

In Firefox, click the padlock icon, then click 'Connection secure' and then 'More information'. A Page Info window opens with a Security tab that shows the certificate details including the expiration date. In Safari, click the padlock icon, then click 'Show Certificate'. The certificate viewer displays the expiration date prominently.

This method shows you the certificate currently served by your website. If you have multiple servers behind a load balancer, you may want to check from different networks to confirm all servers are serving the same valid certificate. The browser method is manual, so it is best suited for spot checks rather than continuous monitoring.

• Click the padlock icon in your browser's address bar
• Navigate to the certificate details through the connection info panel
• Find the 'Valid to' or expiration date field
• Note the issuer and compare the validity period to your expected certificate term

If you are comfortable with a terminal, the command line provides a fast and scriptable way to check SSL certificate expiration. The most common tool is OpenSSL, which is pre-installed on macOS and most Linux distributions. On Windows, OpenSSL can be installed via package managers like Chocolatey or downloaded from the OpenSSL project.

The command to check a certificate's expiration date is: echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates. This connects to your server on port 443, retrieves the certificate, and extracts the date fields. The output shows notBefore and notAfter dates. The notAfter date is the expiration date.

To see the full certificate details including the issuer, subject, and serial number, replace -dates with -text and pipe through a pager. For a quick check of how many days remain until expiration, you can use a slightly longer script that calculates the difference between today and the notAfter date. This approach is useful for adding to cron jobs or monitoring scripts.

The command line method is particularly valuable for system administrators managing multiple domains. You can write a simple loop that checks certificates for a list of domains and reports any that are expiring within a specified threshold. This scales much better than checking each domain manually in a browser.

Several free online tools let you check SSL certificate details by entering your domain name. These tools connect to your server, retrieve the certificate, and display comprehensive information including the expiration date, issuer, certificate chain, supported protocols, and cipher suites. Popular options include SSL Labs' SSL Server Test, SSL Checker by SSLShopper, and various tools offered by certificate authorities.

Online checkers are useful because they provide more information than just the expiration date. They can reveal issues with your certificate chain — for example, if an intermediate certificate is missing, which causes warnings on some browsers but not others. They also show whether your server supports modern TLS versions and strong cipher suites, which affect both security and compatibility.

The limitation of online tools is that they are manual — you need to visit the website and enter your domain each time. They are excellent for a one-time comprehensive check or for troubleshooting a specific issue, but they do not provide ongoing monitoring. For continuous tracking of certificate expiration, an automated monitoring solution is more reliable.

When using online checkers, be aware that they test from their own server locations. If you use a CDN or geo-based load balancing, the certificate served to the checker might differ from what some visitors receive. For most websites with a single origin server, this is not an issue, but it is worth understanding if you have a complex infrastructure.

Manual checks are useful for understanding your certificate status at a point in time, but they do not protect you from forgetting to check. Automated SSL monitoring runs continuously in the background and sends alerts when a certificate approaches expiration. This is the most reliable way to ensure you never miss an expiring certificate.

Automated monitoring works by connecting to your server periodically — typically daily — and retrieving the certificate details. The monitoring service compares the expiration date against a threshold you configure, such as 30 days, 14 days, or 7 days before expiration. When the certificate enters the warning window, the service sends an alert via email, SMS, or webhook integration.

MonitorMojo includes SSL certificate monitoring as a core feature. It checks your certificate daily, displays the expiration date and issuer in the dashboard, and sends alerts at configurable intervals before expiration. This helps you take action — whether that is verifying that auto-renewal is working, contacting your hosting provider, or manually renewing a paid certificate — well before the certificate expires.

Automated monitoring is especially important if you manage multiple websites. Keeping track of expiration dates across dozens of domains manually is error-prone. With automated monitoring, each domain is tracked independently, and you receive specific alerts for each one. This scales to any number of domains without additional effort on your part.

• Choose a monitoring service that checks SSL certificates daily at minimum
• Set alert thresholds at 30, 14, and 7 days before expiration
• Ensure alerts go to the person responsible for certificate management
• Test the alert system by verifying you receive notifications for a certificate you know is expiring
• Keep a record of which domains use auto-renewal and which require manual renewal

If you discover that your SSL certificate is approaching expiration, the first step is to determine how it was originally issued and whether auto-renewal is configured. For Let's Encrypt certificates, auto-renewal is typically handled by a cron job running certbot or a similar ACME client on your server. Check that this cron job is active and that recent renewal attempts have succeeded by reviewing the log files.

For paid certificates, check whether your certificate authority or hosting provider handles auto-renewal. Some providers automatically issue and install new certificates before expiration. Others require you to complete domain validation for each renewal. If your certificate is managed through a hosting control panel like cPanel or Plesk, check the SSL/TLS section for renewal options.

If auto-renewal is not configured or has failed, you need to renew manually. This involves generating a new certificate signing request (CSR), completing domain validation, downloading the new certificate, and installing it on your server. The exact process depends on your server software (Apache, Nginx, IIS) and hosting environment. Most hosting providers offer support for this process if you are not comfortable performing it yourself.

After renewal, verify that the new certificate is being served correctly by checking your website in a browser and confirming the padlock icon appears without warnings. Also check that the full certificate chain is present — some installations miss intermediate certificates, which causes warnings on certain browsers or mobile devices.

The biggest mistake is assuming auto-renewal will always work without verification. Auto-renewal can fail silently for many reasons: DNS records change, the ACME client encounters an error, the server's firewall blocks validation requests, or the domain expires. Always have a monitoring alert as a safety net, even when auto-renewal is configured.

Another mistake is checking only one server when you have multiple. If your website uses a load balancer or multiple origin servers, each one needs a valid certificate. A renewal that succeeds on one server but fails on another creates intermittent warnings that are difficult to diagnose. Make sure your monitoring checks all endpoints.

Some website owners also ignore certificate chain issues. A certificate might be valid and not expired, but if the intermediate certificates are missing from the server configuration, some visitors will see warnings. When checking expiration, also verify that the full chain is being served. Online SSL checkers reveal chain issues that browser checks might miss because browsers sometimes fetch missing intermediates automatically.

MonitorMojo helps you track SSL certificate expiration across all your domains from a single dashboard. Instead of manually checking each site or maintaining spreadsheets of expiration dates, MonitorMojo checks your certificates daily and alerts you when expiration is approaching. This helps you stay ahead of renewals and avoid the security warnings that drive visitors away.

The monitoring covers certificate validity, expiration dates, and issuer information. Alerts can be configured at multiple thresholds so you receive an early warning at 30 days, a more urgent alert at 14 days, and a critical alert at 7 days. This tiered approach helps you prioritize action based on how much time remains.

Results depend on your certificate authority, hosting configuration, and renewal process. MonitorMojo helps detect expiration risks early, but the actual renewal depends on your infrastructure and provider. For businesses managing multiple websites, this centralized visibility helps organize certificate management into a consistent process rather than a series of emergency renewals.