` reads). %> How to Check Your SSL Certificate's Expiration Date | TLS Radar Skip to main content
troubleshooting 3 min read By TLS Radar Team

How to Check Your SSL Certificate's Expiration Date

Checking when your SSL certificate expires is a small task that prevents a large class of outages. This guide covers four ways to check, from quickest (a single shell command) to most thorough (continuous monitoring that watches every certificate across all your domains).

Method 1: One-line shell command

Fastest. Works on any system with OpenSSL installed (macOS, most Linux distributions, Windows with WSL). 

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

Output looks like: 

notBefore=Apr  3 00:00:00 2026 GMT
notAfter=Jul  2 23:59:59 2026 GMT

The notAfter date is your expiration. If it's already in the past, your certificate is expired.

For just the expiration date in a more human format: 

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate

Method 2: Days until expiration

If you want to know exactly how many days are left: 

expiry=$(echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2)
expiry_epoch=$(date -d "$expiry" +%s)
now_epoch=$(date +%s)
echo "$(( (expiry_epoch - now_epoch) / 86400 )) days until expiry"

Useful for ad-hoc audits. Drop the command in a script if you want to spot-check a list of domains.

Method 3: Online checkers

If you don't have a terminal handy, several free web tools work:

  • Qualys SSL Labs - most comprehensive. Checks expiration plus dozens of other configuration issues. Takes about a minute.
  • SSLshopper - quicker, simpler. Just expiration and basic chain info.
  • This site's free scanner - checks expiration and the full set of failure modes (chain, cipher, hostname, revocation, vulnerabilities).

Method 4: Continuous monitoring (the real fix)

Manually checking certificates is fine for one-off audits. For ongoing visibility, continuous monitoring catches what manual checks miss. The reasons it matters:

  • You forget. If checking expiration is a manual task, you'll skip it during busy weeks. The renewal slips. The outage happens.
  • You don't know all your certificates. Most teams underestimate their certificate count by 2–3x. Marketing subdomains, internal admin tools, mobile app certificate pins, vendor-managed endpoints - they all have certificates that nobody on your team is consciously tracking.
  • Expiry isn't the only failure mode. Chain breaks, weak ciphers, hostname mismatches, revocations - these all break SSL without changing the expiration date. Manual expiry checks miss them entirely.

Stop this from happening again

TLS Radar continuously monitors every certificate across your domains and alerts you weeks before anything expires, and also catches the silent failure modes (chain breaks, weak ciphers, hostname mismatches) that expiry-only monitoring misses. Built for solo developers monitoring a handful of sites and for enterprise teams managing thousands of certificates across multiple environments.

Sign Up Talk to us about enterprise solutions

Where the expiration date lives

Some quick reference for what you're actually checking:

  • Every X.509 certificate has a notBefore and notAfter field - the validity window.
  • Once notAfter is in the past, browsers reject the connection with "your certificate has expired."
  • Validity periods are shrinking. By March 2027, the maximum public-cert validity drops to 100 days (down from 397 in 2024). By March 2029, it drops to 47 days. The renewal cadence is getting tighter - manual tracking gets correspondingly harder.

What to check besides expiration

Once you're looking at a certificate, here are five other things worth checking while you have it open:

  • Chain length - should be 2 or 3 certificates (leaf + intermediate + sometimes root). A bare leaf means missing intermediates.
  • SAN list - confirm every hostname you serve is on the list. openssl x509 -noout -text | grep -A1 "Subject Alternative Name".
  • Issuer - confirm it's a CA you actually use. Anything unexpected here is worth investigating.
  • Cipher and protocol - confirm TLS 1.2 minimum, no weak ciphers. nmap --script ssl-enum-ciphers -p 443 example.com.
  • OCSP / revocation status - confirm the certificate hasn't been revoked since issuance.

Related reading

Get the next post in your inbox

TLS monitoring tips and product updates. No spam, unsubscribe anytime.

Keep reading

guides 2 min

How to Prevent SSL Certificate Expiration Downtime
guides 2 min

What Is SSL/TLS Certificate Monitoring and Why Does It Matter?
outage-prevention 7 min

The True Cost of a TLS Outage (And Why Calendars Won't Save You)

Comparing tools? See how TLS Radar stacks up against DigiCert and SSL.com.