Check SSL Certificate Expiry Online: Quick Methods That Work

Why SSL Certificate Expiry Actually Matters

In 2024, the average cost of an SSL-related outage for an e-commerce site exceeded $5,000 per hour in lost revenue. Browser vendors are unforgiving: when a certificate expires, Chrome displays a full-screen red warning reading "Your connection is not private" with no easy way for users to proceed. Google Search Console treats HTTPS failures as a crawl error, and your rankings can drop within days of an expired cert.

The root cause of most SSL expiry incidents is not negligence - it is the absence of a monitoring system. Teams renew certificates manually, renewals slip off the calendar, and automated renewal scripts silently fail with no alerting. The fix is a combination of knowing how to check expiry on demand and building automation to never need a manual check in the first place.

SSL certificates have also gotten shorter. As of 2026, maximum certificate validity is 398 days (enforced by all major browsers). Let's Encrypt issues 90-day certificates. That means if you have more than a handful of domains, tracking expiry manually is essentially impossible at scale.

Method 1: Check SSL Expiry via Your Browser (30 Seconds)

For a one-off check on any public domain, your browser is the fastest tool available. No terminal, no tools needed.

1. Open the site in Chrome, Firefox, or Edge.
2. Click the padlock icon (or the connection icon) in the address bar.
3. Click "Connection is secure" → "Certificate is valid".
4. The certificate details panel shows Valid from and Valid to dates.

On Chrome 117+, the padlock was replaced with a tune icon. The path is: tune icon → "Connection is secure" → "Certificate is valid". The resulting dialog shows the full certificate chain, issuer (e.g., Let's Encrypt, DigiCert, Sectigo), and exact expiry timestamp.

This method works for any publicly accessible HTTPS site. For internal domains, staging environments, or servers behind a firewall, you need a command-line approach.

Method 2: Check SSL Expiry with openssl s_client (Most Reliable)

The openssl command-line tool is available on every Linux, macOS, and most Windows (via WSL or Git Bash) system. It connects directly to the server and retrieves the certificate, bypassing CDN layers like Cloudflare to show you the origin certificate.

Basic expiry check

echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
  | openssl x509 -noout -dates

Example output:

notBefore=Mar 10 12:00:00 2026 GMT
notAfter=Jun  8 11:59:59 2026 GMT

The -servername flag enables SNI (Server Name Indication), which is critical for servers hosting multiple domains on a single IP. Without it you may get the wrong certificate.

Get just the expiry date

echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
  | openssl x509 -noout -enddate

Check a certificate file on disk

openssl x509 -noout -dates -in /etc/letsencrypt/live/example.com/cert.pem

Check days remaining (scripting-friendly)

EXPIRY=$(echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
  | openssl x509 -noout -enddate | cut -d= -f2)
EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s 2>/dev/null || date -j -f "%b %d %T %Y %Z" "$EXPIRY" +%s)
NOW_EPOCH=$(date +%s)
DAYS_LEFT=$(( (EXPIRY_EPOCH - NOW_EPOCH) / 86400 ))
echo "Days until expiry: $DAYS_LEFT"

The date -d syntax works on Linux (GNU date). On macOS, use date -j -f as shown. This distinction matters when writing portable monitoring scripts.

Method 3: Check SSL Expiry with curl

If openssl feels verbose, curl offers a cleaner one-liner for checking whether a certificate is valid and seeing its expiry in the response headers:

curl -vI https://example.com 2>&1 | grep -E "expire|SSL|issuer|subject"

For a machine-readable expiry date specifically:

curl -vI --stderr - https://example.com | grep "expire date"

Example output:

*  SSL certificate verify ok.
*  expire date: Jun  8 11:59:59 2026 GMT

curl is particularly useful in CI/CD pipelines where openssl may not be installed but curl is guaranteed to be present (it ships with virtually every base Docker image).

To fail a pipeline if a certificate expires within 30 days, add this check to your CI script:

EXPIRY=$(curl -vI --stderr - https://example.com 2>&1 | grep "expire date" | awk '{print $4,$5,$6,$7,$8}')
EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s)
DAYS_LEFT=$(( (EXPIRY_EPOCH - $(date +%s)) / 86400 ))
if [ "$DAYS_LEFT" -lt 30 ]; then
  echo "WARNING: SSL cert expires in $DAYS_LEFT days"
  exit 1
fi

Method 4: Use an Online SSL Checker Tool

Online SSL checker tools are the fastest option when you do not have terminal access or need to check multiple domains quickly. They retrieve the live certificate from the server and display all relevant details: expiry date, issuer, subject alternative names (SANs), certificate chain, and whether the cert is trusted by major browsers.

Our SSL Checker at SecureBin.ai checks any public domain and returns:

• Certificate validity period (not before / not after)
• Days remaining until expiry
• Certificate issuer and CA chain
• Subject Alternative Names (all domains the cert covers)
• Whether the certificate chain is complete and trusted
• TLS protocol version and cipher suite

This is particularly useful for checking SSL on domains where you do not control the server, such as third-party integrations, partner APIs, or customer-facing subdomains managed by another team.

Method 5: Automate SSL Expiry Checks with Cron

The most robust approach is automated daily monitoring that alerts you when a certificate is within a threshold of expiry. Here is a complete bash script you can drop on any Linux server:

#!/bin/bash
# ssl-check.sh - alerts when cert expires within THRESHOLD days
DOMAINS=("example.com" "api.example.com" "staging.example.com")
THRESHOLD=30
ALERT_EMAIL="ops@example.com"

for DOMAIN in "${DOMAINS[@]}"; do
  EXPIRY=$(echo | openssl s_client -connect "$DOMAIN:443" -servername "$DOMAIN" 2>/dev/null \
    | openssl x509 -noout -enddate | cut -d= -f2)

  if [ -z "$EXPIRY" ]; then
    echo "ERROR: Could not retrieve cert for $DOMAIN" | mail -s "SSL Check Failed: $DOMAIN" "$ALERT_EMAIL"
    continue
  fi

  EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s)
  DAYS_LEFT=$(( (EXPIRY_EPOCH - $(date +%s)) / 86400 ))

  if [ "$DAYS_LEFT" -lt "$THRESHOLD" ]; then
    echo "SSL cert for $DOMAIN expires in $DAYS_LEFT days ($EXPIRY)" \
      | mail -s "SSL EXPIRY WARNING: $DOMAIN ($DAYS_LEFT days)" "$ALERT_EMAIL"
  fi
done

Schedule this to run daily at 8 AM with cron:

0 8 * * * /usr/local/bin/ssl-check.sh >> /var/log/ssl-check.log 2>&1

Use our Crontab Generator to build the exact cron expression you need, or our Cron Parser to verify an existing schedule.

Method 6: Let's Encrypt and Auto-Renewal

If you use Let's Encrypt (the free CA behind most modern SSL certificates), your certificates are 90-day certs renewed automatically by certbot. However, "automatic" does not mean "guaranteed" - renewal failures are silent by default unless you configure alerting.

Verify certbot auto-renewal is working

# Check the certbot timer is active (systemd)
systemctl status certbot.timer

# Perform a dry-run renewal to test without making changes
certbot renew --dry-run

# List all certificates and their expiry dates
certbot certificates

Example output of certbot certificates:

Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2026-06-08 11:59:59+00:00 (VALID: 73 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem

Configure renewal failure alerting

Add a post-hook to reload the web server after renewal and a pre-hook to test renewal health:

# /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
#!/bin/bash
systemctl reload nginx

For email alerts on renewal failure, add to /etc/letsencrypt/cli.ini:

email = ops@example.com
post-hook = systemctl reload nginx

Method 7: Monitoring with Nagios and Zabbix

For production infrastructure with many domains, dedicated monitoring tools provide SSL expiry checks as a first-class feature.

Nagios / Icinga2

The check_http plugin with the -C flag checks SSL expiry directly:

# Alert if cert expires within 30 days (warning) or 14 days (critical)
/usr/lib/nagios/plugins/check_http -H example.com -p 443 --ssl -C 30,14

This integrates into your existing Nagios/Icinga2 alert routing, so SSL expiry warnings appear in PagerDuty, Slack, or email alongside your other infrastructure alerts.

Zabbix

Zabbix includes a built-in web scenario that can monitor SSL certificate validity. Create a web scenario for each domain, set the SSL certificate expiry trigger to alert at 30 days, and the check runs on your configured interval automatically.

For teams already running Prometheus, the blackbox_exporter exposes an probe_ssl_earliest_cert_expiry metric (Unix timestamp of expiry) that you can alert on with a Grafana rule:

# Prometheus alert rule
- alert: SSLCertExpiringSoon
  expr: (probe_ssl_earliest_cert_expiry - time()) / 86400 < 30
  for: 1h
  labels:
    severity: warning
  annotations:
    summary: "SSL cert for {{ $labels.instance }} expires in {{ $value | humanizeDuration }}"

Real-World Example: What an Expiry Looks Like

Here is exactly what happens when you run the openssl check on an expired certificate versus a healthy one:

# Healthy certificate
echo | openssl s_client -connect securebin.ai:443 -servername securebin.ai 2>/dev/null \
  | openssl x509 -noout -dates

notBefore=Mar 10 12:00:00 2026 GMT
notAfter=Jun  8 11:59:59 2026 GMT

# Expired certificate - verify return code reveals the problem
echo | openssl s_client -connect expired.badssl.com:443 2>/dev/null \
  | openssl x509 -noout -dates

notBefore=Apr  9 00:00:00 2015 GMT
notAfter=Apr 12 23:59:59 2015 GMT

# Verify return code: 10 (certificate has expired)

The verify return code 10 is openssl's way of flagging an expired cert. In a monitoring script, you can capture this code and trigger an alert even before calculating days remaining.

Frequently Asked Questions

How do I check SSL expiry for a domain I don't control?

Use an online SSL checker tool or run openssl s_client against the domain's public IP. Both methods retrieve the live certificate without requiring server access. Our SSL Checker works for any publicly accessible domain and shows the full certificate chain, not just the leaf certificate.

How often should I check SSL certificate expiry?

For production domains, automated daily checks are the standard. Set alert thresholds at 30 days (warning) and 14 days (critical). For Let's Encrypt certificates with 90-day validity, a 30-day warning gives you three weeks to resolve renewal failures before users are affected.

Why does my SSL certificate show as expired even after renewal?

The most common cause is a CDN or load balancer caching the old certificate. After renewing, you must reload or restart the web server (nginx, Apache) so it reads the new certificate files. If you are behind Cloudflare or AWS CloudFront, those layers serve their own cached certificate and may need purging or re-verification separately.

What is the difference between SSL and TLS?

SSL (Secure Sockets Layer) is the deprecated predecessor to TLS (Transport Layer Security). All modern "SSL certificates" are actually TLS certificates, and all modern connections use TLS 1.2 or TLS 1.3. The term "SSL certificate" persists purely by convention. SSLv2, SSLv3, TLS 1.0, and TLS 1.1 are all deprecated and disabled by default in current server software.

Can I check SSL expiry for an internal server or IP address?

Yes, with openssl s_client you can connect directly to an IP address and optionally specify the hostname for SNI:

echo | openssl s_client -connect 192.168.1.10:443 -servername internal.example.com 2>/dev/null \
  | openssl x509 -noout -dates

Online tools cannot reach internal servers, so the command-line approach is the only option for private infrastructure.

What happens to SEO when an SSL certificate expires?

Google's crawlers respect HTTPS errors. When Googlebot encounters a certificate error it cannot bypass, the page is treated as inaccessible. If your certificate expires and is not renewed quickly, pages can drop out of the index. Additionally, any backlinks or traffic pointing to your domain will result in browser security warnings, causing a spike in bounce rate that Google's ranking signals will register. Renewing within hours of expiry minimises SEO damage; multi-day outages can take weeks to recover from.

Does Let's Encrypt renew automatically?

Certbot installs a systemd timer (or cron job) that attempts renewal twice daily when the certificate is within 30 days of expiry. However, renewal can fail silently due to DNS changes, firewall rules blocking port 80 (HTTP-01 challenge), or misconfigured web roots. Always run certbot renew --dry-run after any infrastructure change and set up email alerts via /etc/letsencrypt/cli.ini.

Summary: SSL Expiry Check Methods at a Glance

• Browser padlock: Fastest for one-off checks on public sites. No tools needed.
• openssl s_client: Most reliable and scriptable. Works for any host including internal servers.
• curl -vI: CI/CD-friendly one-liner. Available in virtually all Docker base images.
• Online SSL checker: Best for third-party domains and non-technical team members.
• Cron + openssl script: Automated daily monitoring with email alerts. Free and self-hosted.
• Nagios / Zabbix / Prometheus: Enterprise-grade monitoring integrated with existing alert routing.
• Let's Encrypt + certbot: Auto-renewing 90-day certificates. Pair with --dry-run testing and alerts for renewal failures.

The right combination depends on your scale: a personal project is fine with a daily cron script and email. A production platform serving thousands of users needs Prometheus metrics, PagerDuty integration, and Let's Encrypt auto-renewal with verified post-renewal hooks.

Use our free tool here → SecureBin SSL Checker - check any domain's certificate in seconds, no login required.