How to Check SSL Certificate Expiration Date

An SSL certificate that expires without warning takes your site down with a browser-blocking security error. No gradual degradation, no partial outage -- just a full-screen warning telling every visitor your site can't be trusted. Here's how to check when your certificates expire so that never happens.

Method 1: Check Expiry Date in Your Browser

The simplest way to check an SSL certificate's expiration date is through your browser.

In Chrome, the certificate viewer shows the expiry date right on the General tab. In Firefox, it's displayed prominently in the certificate overlay. Either way, you're looking for the "Not After" or "Expires on" date.

Limitation: This only checks one certificate at a time, and you have to remember to do it. If you're managing more than a handful of certificates, this isn't sustainable.

Method 2: Check Expiry with OpenSSL

OpenSSL gives you the expiry date in a single command:

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates

Output:

notBefore=Jan 15 00:00:00 2025 GMT
notAfter=Apr 15 23:59:59 2025 GMT

The notAfter line is your expiration date. Note that it's in UTC/GMT -- if you're in another timezone, adjust accordingly.

Want just the expiry date in a more readable format?

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -enddate

To check how many days until expiry:

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -enddate -checkend 0

Replace 0 with the number of seconds. For example, -checkend 2592000 checks if the certificate expires within 30 days. The exit code tells you: 0 means it's still valid, 1 means it expires within that window.

for domain in example.com api.example.com staging.example.com; do
  echo -n "$domain: "
  openssl s_client -connect $domain:443 -servername $domain </dev/null 2>/dev/null | openssl x509 -noout -enddate
done

Method 3: Check Expiry with Online Tools

Several free online tools show certificate expiry dates instantly:

• SSLShopper SSL Checker -- Enter a hostname, see the expiry date in seconds. Also shows chain status.
• Qualys SSL Labs -- More comprehensive (grades your SSL configuration), but takes 1-2 minutes to run.
• SSL-Tools.net -- Quick check with visual timeline of certificate validity.

These are convenient for spot checks. You paste in a URL, get the date. But like the browser method, they're manual -- you check when you remember to, not when it matters.

Method 4: Check Expiry with cURL

If you have cURL installed (it's on virtually every system), you can check certificate dates without OpenSSL:

curl -vI https://example.com 2>&1 | grep "expire date"

Output:

*  expire date: Apr 15 23:59:59 2025 GMT

You can also see the start date and issuer:

curl -vI https://example.com 2>&1 | grep -E "expire date|start date|issuer"

cURL's verbose output includes a lot of TLS handshake information. The certificate dates are in the * prefixed lines in the output. This is handy when OpenSSL isn't available but cURL is (common in Docker containers and minimal environments).

Method 5: SSL Monitoring Platforms

Every method above shares the same fatal flaw: they only work when you run them. The certificate that takes your site down isn't the one you checked yesterday -- it's the one you forgot existed on that staging server, or the one a teammate renewed to a different provider without telling anyone.

SSL monitoring platforms solve this by checking continuously and alerting you before expiry:

Understanding Expiry Date Timezones

SSL certificate dates are always stored in UTC (Coordinated Universal Time), also shown as GMT. This matters more than you'd think.

A certificate that shows notAfter=Mar 15 00:00:00 2025 GMT expires at midnight UTC on March 15. If you're in US Pacific time, that's 4:00 PM on March 14. If you're in Tokyo, it's 9:00 AM on March 15.

When planning renewals, always think in UTC. Your 3:00 AM monitoring check in New York is 8:00 AM UTC -- you might discover an expired certificate that technically died hours ago.

Let's Encrypt and 90-Day Certificates

If you use Let's Encrypt (and a lot of the internet does), your certificates expire every 90 days. That's by design -- shorter lifetimes reduce the window of exposure if a private key is compromised.

The expectation is that renewal is automated via Certbot or a similar ACME client. But "automated" doesn't mean "guaranteed":

• Certbot cron jobs break silently after server updates
• DNS validation fails when nameserver configs change
• Rate limits kick in when you have too many subdomains
• Server migrations forget to move the renewal configuration

Auto-renewal is a great first line of defense. It's not a monitoring strategy. You need something watching the result of that automation to confirm it actually worked.

How Often Should You Check?

It depends on your certificate lifecycle:

For any production site, automated daily checks via a monitoring tool are the minimum. Manual checks are fine for development and staging environments where a brief outage isn't catastrophic.

The right answer for most teams: set up monitoring once, get alerts automatically, and only run manual checks when you're debugging a specific issue.

The best time to check your SSL expiry date was a month ago. The second best time is right now.