Check SSL Certificate Expiry Date
Learn how to check an SSL certificate's expiry date to prevent outages. Understand Not Before and Not After fields, renewal timelines, and automated monitoring strategies.
Detailed Explanation
Checking Certificate Expiration
Every SSL/TLS certificate has a built-in expiration date encoded in two X.509 fields:
- Not Before — the earliest date the certificate is considered valid
- Not After — the date after which the certificate is no longer trusted
When a certificate expires, browsers display security warnings and refuse to establish HTTPS connections. For APIs and backend services, expired certificates cause TLS handshake failures that break integrations silently.
Reading Expiry from a Decoded Certificate
When you decode a certificate, look for the Validity section:
```
Validity
    Not Before: Jan  1 00:00:00 2024 GMT
    Not After : Dec 31 23:59:59 2024 GMT
```
The timestamps are in UTC. The certificate is only valid during this window. Connections attempted before Not Before or after Not After will fail validation.
Certificate Lifetimes
Certificate lifetimes have shortened significantly over the years:
| Era | Maximum Lifetime |
|---|---|
| Before 2015 | 5 years |
| 2015–2018 | 3 years |
| 2018–2020 | 2 years |
| 2020–present | 398 days (approximately 13 months) |
Let's Encrypt certificates are valid for only 90 days, encouraging automated renewal. The industry trend is moving toward even shorter lifetimes to reduce the window of exposure if a private key is compromised.
Monitoring Expiration
Relying on manual checks is error-prone. Best practices include:
- Automated certificate management — tools like certbot auto-renew Let's Encrypt certificates
- Monitoring alerts — set up alerts at 30, 14, and 7 days before expiry
- Certificate inventory — maintain a list of all certificates, their domains, and expiry dates
- CI/CD checks — add certificate expiry checks to deployment pipelines
Checking Remotely
You can check a live server's certificate expiry without having the PEM file:
```
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
```
This connects to the server, retrieves the certificate, and prints only the validity dates.
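The following Python code is an added example, not part of the original page. It parses the `notBefore=`/`notAfter=` lines that `openssl x509 -noout -dates` prints and maps the remaining time onto the 30, 14, and 7 day alert thresholds listed under Monitoring Expiration. The function names, status strings, and sample input are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

ALERT_DAYS = (30, 14, 7)  # alert thresholds from the monitoring list above

# Constructed sample of `openssl x509 -noout -dates` output (not a real certificate)
SAMPLE = "notBefore=Jan  1 00:00:00 2024 GMT\nnotAfter=Dec 31 23:59:59 2024 GMT\n"


def parse_dates(openssl_output):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            # cert_time_to_seconds parses "Mon DD HH:MM:SS YYYY GMT" independent of locale
            seconds = ssl.cert_time_to_seconds(value.strip())
            fields[key.strip()] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    if len(fields) != 2:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return fields["notBefore"], fields["notAfter"]


def expiry_status(openssl_output, now=None):
    """Return (status, whole_days_left) for the validity window at time `now`."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = parse_dates(openssl_output)
    days_left = (not_after - now).days  # negative once Not After has passed
    if now < not_before:
        return "not-yet-valid", days_left
    if now > not_after:
        return "expired", days_left  # no grace period after Not After
    for threshold in sorted(ALERT_DAYS):  # report the tightest threshold crossed
        if days_left <= threshold:
            return f"alert-{threshold}d", days_left
    return "ok", days_left


if __name__ == "__main__":
    print(expiry_status(SAMPLE))
```

To check a live host, pass the captured output of the `openssl` pipeline above as the first argument instead of `SAMPLE`.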
Grace Period Misconception
There is no grace period after expiration. The moment the clock passes the Not After timestamp, the certificate is invalid. Browsers and TLS libraries enforce this strictly.
Use Case
Check the expiry date of your SSL certificates regularly to schedule renewals before they expire and avoid downtime, broken API integrations, or browser security warnings that drive users away.