How to get alerted before your SSL certificate expires

Every HTTPS website runs on an SSL/TLS certificate, and every certificate has an expiry date. Miss it and visitors stop seeing your website — they see a full-page security warning instead. Here's how to know your expiry date and get warned with time to spare.

What actually happens when a certificate expires

When your certificate lapses, browsers stop showing your site and show a full-page warning instead — "Your connection is not private" in Chrome, "Warning: Potential Security Risk Ahead" in Firefox. Most visitors will not click past it; they assume your site is broken or unsafe and leave.

For a business, that's missed enquiries, bookings and sales for every hour the certificate stays expired — and it often runs for hours before anyone notices, because the people who run the site rarely visit their own homepage while logged out.

Why expiry sneaks up on people

Certificates are deliberately short-lived. Let's Encrypt certificates last 90 days; many commercial certificates last a year, and the industry is steadily moving toward shorter lifetimes. Two things make the deadline easy to miss:

• Auto-renewal fails silently. Most modern setups renew automatically, but renewal is a background job that can break — a changed DNS record, a moved web root, an expired card on a paid certificate, a disabled cron job. When it fails, nothing announces it. You find out when the site is already down.
• Nobody owns it. On a small team, the certificate was set up once, by someone, a year ago. There's no calendar reminder and no monitoring. It simply runs out.

How to check your certificate's expiry date

Three quick ways, from easiest to most precise:

1. In your browser

Click the padlock in the address bar → Connection is secure → certificate details. Look for "Valid until" or "Expires on."

2. With a free online checker

Several free tools let you type in a domain and read back the certificate's expiry date and issuer in a couple of seconds. Handy for a one-off check.

3. From the command line

If you're comfortable in a terminal, this prints the exact expiry timestamp:

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -enddate

It returns a line like notAfter=Sep 2 12:00:00 2026 GMT — that's your deadline.

Set up tiered expiry alerts

Checking by hand doesn't scale, and it's exactly the kind of thing people forget for months at a time. The durable fix is automated alerts on a tiered schedule, so one missed email isn't fatal:

• 14 days out — plenty of time to renew calmly.
• 7 days out — renew now if you haven't already.
• 3 days / 1 day out — escalate; something is wrong with renewal and needs hands-on attention.

Single-purpose certificate monitors (for example UptimeRobot or TrackSSL) can email you on roughly this schedule and are a perfectly good free option if a certificate check is all you need.

Don't trust auto-renewal on its own

Auto-renewal is good practice — but it is not a replacement for monitoring, because its entire failure mode is being silent. Treat them as two separate jobs: let the certificate auto-renew, and independently watch the live certificate so you find out the moment a renewal didn't take.