Back to Blog
December 21, 2025
GuardSSL Team

How to Check If Your SSL Certificate Is Expiring (5 Easy Methods)

How to Check If Your SSL Certificate Is Expiring (5 Easy Methods)

An expired SSL certificate is one of the most commonโ€”and most preventableโ€”website issues. When your certificate expires, visitors see scary warning pages, and many will leave immediately. Need help understanding what those warnings mean? See our guide on common SSL certificate errors. Let's look at how to check your certificate's expiration date and make sure you never get caught off guard.

Why Certificate Expiration Matters

When your SSL certificate expires:

  • ๐Ÿšซ Browsers show full-page security warnings
  • ๐Ÿ“‰ Traffic drops as visitors bounce
  • ๐Ÿ” Search rankings can be affected
  • ๐Ÿ’ณ Payment processing may fail
  • ๐Ÿ˜ฑ You look unprofessional

The good news? This is 100% preventable with proper monitoring.

Method 1: Check in Your Browser (Quickest)

The fastest way to check any website's certificate:

Chrome

  1. Visit the website
  2. Click the padlock icon in the address bar
  3. Click "Connection is secure"
  4. Click "Certificate is valid"
  5. Look for "Valid from" and "Valid to" dates

Firefox

  1. Visit the website
  2. Click the padlock icon
  3. Click the arrow next to "Connection secure"
  4. Click "More Information"
  5. Click "View Certificate"
  6. Check the "Validity" section

Safari

  1. Visit the website
  2. Click the padlock icon in the address bar
  3. Click "Show Certificate"
  4. Look for expiration date in the details

Edge

  1. Visit the website
  2. Click the padlock icon
  3. Click "Connection is secure"
  4. Click the certificate icon
  5. View validity dates

Method 2: Use GuardSSL (Recommended)

For detailed certificate information and ongoing monitoring:

  1. Go to GuardSSL
  2. Enter your domain name
  3. Click "Check SSL"

You'll see:

  • Exact expiration date and time
  • Days remaining until expiration
  • Certificate issuer
  • Full certificate chain
  • Any configuration issues

Pro tip: Create a free account to set up expiration alerts and monitor multiple domains.

Method 3: Command Line (For Developers)

If you're comfortable with the terminal, OpenSSL gives you detailed info:

Basic Expiration Check

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

Output:

notBefore=Jan 15 00:00:00 2024 GMT
notAfter=Jan 15 23:59:59 2025 GMT

Days Until Expiration

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate -checkend 0

Full Certificate Details

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -text

Quick Script for Multiple Domains

#!/bin/bash
domains=("example.com" "example.org" "example.net")

for domain in "${domains[@]}"; do
    expiry=$(echo | openssl s_client -servername $domain -connect $domain:443 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2)
    echo "$domain expires: $expiry"
done

Method 4: Online SSL Checkers

Besides GuardSSL, other tools can check certificate expiration:

  • SSL Labs (ssllabs.com) - Comprehensive but slower
  • SSL Shopper - Quick checker
  • DigiCert Tool - From a major CA

These are good for one-off checks but don't offer monitoring.

Method 5: Check Your Hosting Panel

Most hosting providers show certificate status:

cPanel

  1. Log into cPanel
  2. Go to Security โ†’ SSL/TLS Status
  3. View expiration dates for all certificates

Plesk

  1. Log into Plesk
  2. Go to Websites & Domains
  3. Click SSL/TLS Certificates
  4. View certificate details

Cloudflare

  1. Log into Cloudflare dashboard
  2. Select your domain
  3. Go to SSL/TLS โ†’ Edge Certificates
  4. View certificate status

Setting Up Expiration Monitoring

Checking manually is fine, but automated monitoring is better. Here's how to set it up:

Option 1: GuardSSL Monitoring

  1. Create a GuardSSL account
  2. Add your domains
  3. Configure alert thresholds (e.g., 30 days, 14 days, 7 days)
  4. Choose notification method (email, Slack, etc.)

Option 2: Let's Encrypt Auto-Renewal

If you're using Let's Encrypt with Certbot:

# Check renewal status
sudo certbot certificates

# Test renewal process
sudo certbot renew --dry-run

# Set up auto-renewal (usually automatic)
sudo systemctl status certbot.timer

Option 3: Cron Job Script

Create a simple monitoring script:

#!/bin/bash
DOMAIN="example.com"
DAYS_WARNING=30
EMAIL="[email protected]"

expiry_date=$(echo | openssl s_client -servername $DOMAIN -connect $DOMAIN:443 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2)
expiry_epoch=$(date -d "$expiry_date" +%s)
current_epoch=$(date +%s)
days_left=$(( ($expiry_epoch - $current_epoch) / 86400 ))

if [ $days_left -lt $DAYS_WARNING ]; then
    echo "SSL certificate for $DOMAIN expires in $days_left days!" | mail -s "SSL Expiration Warning" $EMAIL
fi

Add to crontab to run daily:

0 9 * * * /path/to/ssl-check.sh

Option 4: Uptime Monitoring Services

Many uptime monitors include SSL checking:

  • UptimeRobot
  • Pingdom
  • StatusCake
  • Better Uptime

What to Do When Your Certificate Is Expiring

30+ Days Before Expiration

  • โœ… Verify auto-renewal is configured
  • โœ… Check that renewal emails go to a monitored address
  • โœ… Test the renewal process

14 Days Before Expiration

  • โš ๏ธ If not auto-renewing, start the renewal process
  • โš ๏ธ Contact your CA if there are issues
  • โš ๏ธ Prepare new certificate if switching providers

7 Days Before Expiration

  • ๐Ÿšจ Renew immediately if not done
  • ๐Ÿšจ Have a backup plan ready
  • ๐Ÿšจ Alert your team

Day of Expiration

  • ๐Ÿ”ฅ Emergency renewal needed
  • ๐Ÿ”ฅ Consider temporary solutions (Cloudflare, etc.)
  • ๐Ÿ”ฅ Communicate with users if there's downtime

Common Expiration Scenarios

Let's Encrypt (90-day certificates)

Let's Encrypt certificates expire every 90 days, but Certbot handles renewal automatically. If renewal fails:

  1. Check Certbot logs: sudo journalctl -u certbot
  2. Verify domain is accessible
  3. Check for port 80/443 blocks
  4. Run manual renewal: sudo certbot renew

Commercial Certificates (1-2 year)

Longer validity but easier to forget:

  1. Set calendar reminders
  2. Use monitoring services
  3. Keep renewal contact info updated
  4. Start renewal process 30 days early

Wildcard Certificates

Same process, but remember:

  • DNS validation may be required
  • All subdomains are affected if it expires
  • Renewal might need DNS access

Preventing Expiration Issues

Best Practices

  1. Use auto-renewal whenever possible
  2. Monitor multiple ways - Don't rely on just one method
  3. Keep contact info updated - CAs send renewal reminders
  4. Document your certificates - Know what you have and when they expire
  5. Test renewal process - Don't wait until the last minute
  6. Have a backup plan - Know what to do if renewal fails

Create a Certificate Inventory

Keep track of all your certificates:

DomainTypeIssuerExpiresAuto-RenewNotes
example.comDVLet's Encrypt2024-03-15YesMain site
api.example.comDVLet's Encrypt2024-03-15YesAPI server
admin.example.comOVDigiCert2025-01-20NoManual renewal

Key Takeaways

  • Check certificate expiration regularly using browser, command line, or monitoring tools
  • Set up automated monitoring to get alerts before expiration
  • Use auto-renewal (Let's Encrypt + Certbot) when possible
  • Start renewal process at least 30 days before expiration
  • Keep a certificate inventory for all your domains

Want hassle-free SSL monitoring? Add your domains to GuardSSL and get automatic expiration alerts.

Check Your SSL Certificate Now

Want to see these certificate details for your own website? Use our free SSL checker to instantly analyze your certificate's security, validity, and configuration.

Try Free SSL CheckerView Monitoring Plans

No registration required โ€ข Instant results โ€ข 100% free

Next Post
How to Set Up Discord Webhooks for SSL Certificate Alerts