All Deployment guides Deployment

How to Check SSL Certificate Expiry

2026-05-07
expirymonitoringopensslsslcertificate

An expired SSL certificate causes browsers to show a full-page security warning, blocking visitors from reaching your site. Here’s how to check when your certificate expires and set up monitoring.

Check from your browser

  1. Visit your site with https://
  2. Click the padlock icon in the address bar
  3. Click “Certificate” or “Connection is secure” → “Certificate is valid”
  4. Look for the “Valid to” or “Expires on” date

Check with OpenSSL (command line)

Remote check (from any machine)

echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -enddate

Output: notAfter=Aug 5 12:00:00 2026 GMT

Local file check

openssl x509 -noout -enddate -in /etc/ssl/gethttps/fullchain.pem

Check all details at once

echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -subject -issuer -dates

Check with a one-liner script

Check if a certificate expires within 30 days:

if openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -checkend 2592000 > /dev/null 2>&1; then
  echo "Certificate is valid for at least 30 more days"
else
  echo "WARNING: Certificate expires within 30 days!"
fi

Check multiple domains at once

If you manage several domains, check them all in a loop:

for domain in example.com www.example.com api.example.com; do
  expiry=$(echo | openssl s_client -connect "$domain":443 -servername "$domain" 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
  echo "$domain — expires: $expiry"
done

Automated monitoring with cron

Create a daily cron job that emails you when a certificate is within 30 days of expiry:

#!/bin/bash
# Save as /usr/local/bin/check-ssl-expiry.sh

DOMAINS="example.com www.example.com api.example.com"
WARN_DAYS=30
WARN_SECS=$((WARN_DAYS * 86400))

for domain in $DOMAINS; do
  if ! echo | openssl s_client -connect "$domain":443 -servername "$domain" 2>/dev/null | \
    openssl x509 -noout -checkend $WARN_SECS > /dev/null 2>&1; then
    echo "WARNING: $domain certificate expires within $WARN_DAYS days" | \
      mail -s "SSL Expiry Warning: $domain" admin@example.com
  fi
done

Add to crontab: 0 9 * * * /usr/local/bin/check-ssl-expiry.sh

Set up monitoring services

For a more robust approach, use a monitoring service:

MethodHowCostAlert options
Calendar reminderSet for 60 days after issuanceFreeManual
Cron scriptRun the check script dailyFreeEmail
UptimeRobotAdd SSL monitor, set alert thresholdFree tierEmail, Slack, webhook
Better UptimeSSL monitoring with incident managementFree tierEmail, SMS, Slack
Certbot auto-renewalcertbot renew via systemd timerFreePrevents expiry entirely

For Let’s Encrypt’s 90-day certificates, renew at day 60 (30-day buffer).

What certificate details should I verify?

Beyond the expiry date, periodically check:

echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -text | grep -E 'Subject:|Issuer:|Not After|DNS:'

This shows:

  • Subject/SAN — certificate covers the right domains
  • Issuer — issued by the expected CA (e.g., Let’s Encrypt)
  • Not After — expiry date
  • DNS names — all domain names in the SAN field

Frequently asked questions

What happens when a certificate expires?

Browsers show a full-page warning like “Your connection is not private” (Chrome) or “Warning: Potential Security Risk Ahead” (Firefox). Most visitors will leave immediately. Search engines may also downrank or de-index your pages until the certificate is renewed.

How often should I check?

If you have automated renewal (Certbot), check monthly as a safety net. If you renew manually (GetHTTPS), check at day 50 and set a hard reminder at day 60. With 47-day validity coming in 2029, monitoring becomes even more critical.

Can I check expiry without command-line access?

Yes. Online tools like SSL Labs Server Test and SSL Shopper’s SSL Checker show certificate details including expiry dates — just enter your domain. Browser DevTools also show it (padlock icon → Certificate details).

What if my certificate already expired?

Renew immediately. Visit GetHTTPS to get a new certificate, replace the files on your server, and reload the web server. The process takes 5 minutes. There’s no penalty for letting a certificate expire — just renew and install the new one.

Can I monitor multiple domains from one script?

Yes. Here’s a script that checks all your domains and outputs days remaining:

#!/bin/bash
for domain in example.com www.example.com api.example.com; do
  expiry=$(echo | openssl s_client -connect "$domain":443 -servername "$domain" 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2)
  days_left=$(( ($(date -d "$expiry" +%s) - $(date +%s)) / 86400 ))
  if [ "$days_left" -lt 30 ]; then
    echo "WARNING $domain: $days_left days left"
  else
    echo "OK $domain: $days_left days left"
  fi
done

Note: The date -d syntax is Linux-specific. On macOS, use date -j -f "%b %d %H:%M:%S %Y %Z".

Related articles

Getting Started 2026-05-07
How to Renew a Let's Encrypt Certificate
Let's Encrypt certificates expire every 90 days. Learn how to renew with GetHTTPS (manual) or Certbot (automatic), and prepare for 47-day validity.
SSL & Certificates 2026-05-07
SSL Certificate Validity: The 47-Day Change Explained
The CA/Browser Forum voted to reduce SSL certificate validity to 47 days by 2029. Learn the timeline, what it means for your website, and how to prepare.
Deployment 2026-05-08
How to Install an SSL Certificate on Nginx
Step-by-step guide to installing an SSL certificate on Nginx. Covers file upload, full server block config, TLS best practices, HTTP/2, HSTS, redirect setup, testing, and troubleshooting 6 common errors.
Get a free SSL certificate in your browser
No installation, no account. Your private key never leaves your device.
Get your certificate