How to Check Your SSL Certificate Expiry Date (And Set Up Alerts)

Why SSL Expiry Causes Hard Outages

When an SSL certificate expires, browsers do not give visitors a warning and let them proceed - they show a hard error screen that most users will not bypass. Chrome displays "Your connection is not private." Firefox shows "Warning: Potential Security Risk Ahead." Both block the user from reaching the site by default. Your analytics drop to zero. Customers cannot check out. No degraded mode, no fallback - just a wall.

This happens to large companies regularly. Spotify, LinkedIn, and even Microsoft have had certificate expiry incidents. The cause is almost always the same: a certificate was manually provisioned, the renewal was someone's responsibility, and it fell through the cracks. The fix is removing the human from the loop.

How to Check Your SSL Certificate Expiry

From a browser

Click the padlock icon in your browser's address bar when visiting your site. In Chrome, click "Connection is secure" then "Certificate is valid." You will see the expiry date. This works but only shows you the certificate your browser negotiated - it may not show you certificates for subdomains, or details about the full chain.

From the command line

On Mac or Linux, openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates returns the notAfter date - your expiry. This works for any domain you can reach and does not require any special tools beyond openssl, which is installed by default on most systems.

From a tool

The Queldrex SSL Inspector opens a real TLS handshake to your server - the same process a browser performs - and returns the full certificate details: expiry date, issuer, all domains on the certificate (Subject Alternative Names), the TLS version negotiated, and the cipher suite. It shows you exactly what a browser sees, not a cached or third-party-stored result. Enter your domain and get the full picture in a few seconds.

What the Results Mean

Days until expiry

If you have more than 60 days: you are fine, but set a calendar reminder.
30-60 days: time to renew. If you are on auto-renewal, verify it is actually configured.
Under 30 days: renew immediately. Do not wait for it to process over a weekend.
Expired: your site is broken for most users right now.

TLS version

TLS 1.3 is the current standard. TLS 1.2 works but is aging. TLS 1.0 and 1.1 are deprecated - modern browsers reject connections that only support these older versions. If your server is still offering TLS 1.0 or 1.1, this should be a configuration fix priority even if the cert itself is valid.

Certificate chain

SSL certificates are issued by a Certificate Authority (CA) that chains up to a root certificate your browser trusts. An incomplete chain - where an intermediate certificate is missing - causes errors on some devices even if the cert itself is valid. The SSL Inspector will flag this if detected.

Subject Alternative Names

Modern certificates cover multiple domains in a single cert using SANs. Make sure www.yourdomain.com and yourdomain.com are both covered. If you have subdomains with sensitive content (app, api, mail), they should have their own certs or be covered by a wildcard cert (*.yourdomain.com).

Making Sure It Never Expires Again

Use Let's Encrypt with auto-renewal

Let's Encrypt issues free 90-day certificates that auto-renew 60 days before expiry when configured correctly. Most hosting platforms - Vercel, Netlify, Cloudflare, DigitalOcean App Platform - handle this automatically. If your infrastructure supports certbot, configure it to run on a cron job: 0 0 * * * /usr/bin/certbot renew --quiet.

For managed hosting

Vercel, Netlify, and Cloudflare all provision and auto-renew SSL certificates for custom domains automatically. If you are on one of these platforms and your cert expired, something is wrong with your domain DNS configuration - the cert cannot be reissued because the provider cannot verify domain ownership. Check your DNS records and make sure the domain is properly pointed.

For commercial certs

If you purchased a certificate from DigiCert, Comodo, or another commercial CA, renewal is manual by default. Most CAs send reminder emails at 60, 30, and 7 days before expiry. Make sure those emails go to a monitored inbox, not a shared alias where they get buried. Set a recurring calendar event one month before your cert's annual expiry date as a backup.

Monitor it

Even with auto-renewal configured, verify it works. After your next renewal, check that the new cert was actually issued and that the expiry date in the SSL Inspector is updated. Many developers set up auto-renewal and then discover months later that it silently failed due to a DNS change or permission issue. A monthly check takes 10 seconds and catches failures before they become outages.