How to Check SSL Certificate Expiry (and Never Get Caught Out)
An expired certificate takes a whole site down in an instant, and the cause is always "we forgot to renew." Here is how to see the expiry date and how to stop it surprising you.
From the command line
```bash
# Print notBefore / notAfter for a live server
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
  | openssl x509 -noout -dates

# Expiry date only (notAfter=...), easy to parse in a script.
# "echo |" closes stdin so s_client exits instead of waiting for input.
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
  | openssl x509 -noout -enddate
```
On Windows PowerShell:
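```powershell
# Open a TCP connection, complete the TLS handshake, then read the served certificate
$c = [Net.Sockets.TcpClient]::new('example.com',443)
$s = [Net.Security.SslStream]::new($c.GetStream())
$s.AuthenticateAsClient('example.com')   # target host name, also used for validation
$s.RemoteCertificate.GetExpirationDateString()
# Release the stream and socket when done
$s.Dispose(); $c.Dispose()
```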
The 30-day rule
Public certificates are getting shorter-lived — the CA/Browser Forum has agreed to reduce maximum lifetimes toward 47 days by 2029. Manual renewal cannot keep up, so:
| Lifetime | Renew at | Approach |
|---|---|---|
| 90 days (Let's Encrypt) | day 60 | automated ACME |
| 1 year | 30 days before | automation + alerting |
Set monitoring to alert at 30 days remaining, the same threshold our SSL checker flags in amber. The durable fix is automation — see ACME and Let's Encrypt.
Tip: Check the certificate actually served by the edge (CDN/load balancer), not just your origin — they can differ.
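
The 30-day threshold and the edge-versus-origin tip above, combined into a small monitoring helper. This is an added example, not part of the original page; the function names, the optional connect-address argument and the use of GNU `date -d` are assumptions.

```shell
#!/bin/sh
# Added example: classify the served certificate against the 30-day alert threshold.
WARN_DAYS=30   # alert threshold from the article

# days_left "<notAfter string>" [now_epoch] -> whole days until expiry (negative once expired)
days_left() {
    end=$(date -u -d "$1" +%s) || return 2      # assumes GNU date
    now=${2:-$(date -u +%s)}
    secs=$((end - now))
    # Shell division truncates toward zero; floor instead, so a certificate
    # that expired an hour ago reports -1 rather than 0.
    if [ "$secs" -lt 0 ]; then
        echo $(( (secs - 86399) / 86400 ))
    else
        echo $(( secs / 86400 ))
    fi
}

# classify <days> -> expired | amber | ok
classify() {
    if [ "$1" -lt 0 ]; then echo expired
    elif [ "$1" -le "$WARN_DAYS" ]; then echo amber
    else echo ok
    fi
}

# served_not_after <name> [connect_addr] [port]
# <name> is sent as SNI; connect_addr lets you aim at the edge or the origin
# separately while asking for the same site name.
served_not_after() {
    echo | openssl s_client -connect "${2:-$1}:${3:-443}" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2
}

# check_host <name> [connect_addr] [port] -> prints "<name> <status> <days>"
# Exit status is non-zero unless the certificate is ok, so cron or CI can alert on it.
check_host() {
    not_after=$(served_not_after "$@")
    if [ -z "$not_after" ]; then echo "$1 unreachable -"; return 3; fi
    d=$(days_left "$not_after") || return 2
    s=$(classify "$d")
    echo "$1 $s $d"
    [ "$s" = ok ]
}
```

Run `check_host example.com` for the edge, then again with the origin's address as the second argument, and compare the two results.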