Every SSL certificate states, to the second, when it stops being valid. Browsers enforce that moment ruthlessly — one second past and visitors get a warning page instead of your site — so knowing the date, and knowing it early, is the whole game. Publicly trusted certificates last at most 398 days and free Let’s Encrypt certificates just 90, which means expiry dates come around often. Here are four reliable ways to check one, from quickest to most thorough.
1. In your browser (any site, two clicks)
Browsers will show you the certificate of the site you are on:
- Chrome / Edge: click the icon at the left of the address bar (a tune/lock symbol) → Connection is secure → Certificate is valid. The viewer shows issued and expiry dates.
- Firefox: padlock → Connection secure → More information → View certificate. The Validity section lists “Not After” — the expiry.
- Safari: click the padlock → Show certificate.
This is perfect for a one-off look, with two limitations: you see the certificate your browser negotiated (which may come from a CDN edge near you), and nothing about it is monitored — you would have to remember to look again.
2. With the SSL Studio expiry checker (any domain, no install)
Our SSL expiry checker reads the certificate directly from the
server and answers the question in its first line: “Expires in 42 days — 15 August
2026”, as a countdown with the exact date. Because it runs the full
certificate check behind the countdown, it will also tell you if something
other than expiry needs attention — a name mismatch or an incomplete chain will not hide
behind a healthy number of days. Switch to Tech mode and you get the raw
Not Before/Not After timestamps, the SAN list, the chain and
fingerprints — useful when you need to quote exact values in a ticket.
It also checks domains you do not control — handy before pointing an integration at a third-party API, or when a supplier’s “SSL problem” needs a neutral second opinion.
3. With OpenSSL (command line, scriptable)
To read the dates straight from a live server:
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null \
| openssl x509 -noout -dates Output:
notBefore=May 17 09:14:22 2026 GMT
notAfter=Aug 15 09:14:21 2026 GMT
The -servername flag matters: it sets SNI, so a server hosting many sites returns
the certificate for the right one. Two more variants earn their keep in scripts:
# Fail (non-zero exit) if the cert expires within 30 days — ideal for cron:
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null \
| openssl x509 -noout -checkend 2592000
# Read a certificate file on disk instead:
openssl x509 -noout -enddate -in /etc/ssl/certs/example.pem
On Windows without OpenSSL, PowerShell can do the same via
[Net.Sockets.TcpClient]/SslStream, though installing OpenSSL is
usually less code.
4. Continuously, with monitoring
Checks one to three share a weakness: they happen when you remember. The durable answer is a
monitor that checks daily and alerts at thresholds (30, 14, 7 days) — via your uptime
monitoring, a cron job around openssl -checkend, or your certificate platform’s
own notifications (Let’s Encrypt emails expiry warnings to registered addresses when renewal
has not happened). Alert thresholds should assume automation exists and has failed: with
ACME renewing at 30 days out, an alert at 21 days means “the robot missed two attempts” —
early enough to fix calmly. The background on why automation occasionally stops is covered in
why certificates expire.
Reading the result well
- Check every name users visit.
example.comandwww.example.comcan be served by different certificates with different expiry dates — check both, and any app or API subdomains. Wildcard vs SAN certificates explains how coverage is structured. - Mind the pool. Load-balanced servers can hold different certificates; if one node was missed during renewal, checks will pass or fail depending on which node answers. Repeat the check if results look inconsistent.
- Times are UTC. Certificate timestamps are GMT/UTC — a certificate “expiring today” may have hours left or none depending on your timezone. The countdown view does this arithmetic for you.
- Renewed but still warning? The old certificate is probably still being served — reload the web server, and check CDN or load balancer certificate slots. A re-run of the checker confirms the swap the moment it lands.
However you check, the goal is the same: make expiry boring. Automate renewal, monitor externally, and keep a bookmark to the expiry checker for the days when you need the answer in five seconds.