How to Check Your SSL Certificate Before It Expires

An expired SSL certificate takes your site offline and destroys visitor trust instantly. Here is how to check expiry dates, read certificate details, and set up renewal reminders.

When an SSL certificate expires, browsers display a full-screen warning that blocks visitors from accessing your site. Certificate Authority Browser Forum (CA/B Forum) policies now mandate a maximum certificate validity of 398 days, meaning certificates must be renewed at least annually. Check any domain's certificate right now with the free SSL Certificate Checker.

What an SSL Certificate Contains

Every SSL/TLS certificate includes several fields that matter for trust and functionality:

  • Common Name (CN): the primary domain the certificate is issued for
  • Subject Alternative Names (SANs): additional domains or subdomains covered
  • Issuer: the Certificate Authority (Let's Encrypt, DigiCert, Comodo, etc.)
  • Valid From / Valid To: the validity window
  • Signature Algorithm: should be SHA-256 or newer; SHA-1 is deprecated

How to Read Your Certificate's SANs

Modern certificates cover multiple domains via Subject Alternative Names. A certificate with SANs for example.com and www.example.com covers both. Wildcard certificates (*.example.com) cover all first-level subdomains but not the root domain or deeper subdomains. The SSL Checker lists all SANs so you can verify coverage.

Setting Up SSL Renewal Before Expiry

Best practices for certificate management:

  • Set a calendar reminder 30 and 60 days before expiry
  • Use Let's Encrypt with Certbot for free automatic renewal on Linux servers
  • Enable auto-renewal in your hosting control panel if available
  • Monitor certificate expiry via your Site Status checks
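
The SAN coverage rules and the 30- and 60-day reminders described above can be checked from a script. This is an added example, not code from the SSL Certificate Checker; the function names, the status labels and the sample certificate are assumptions constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "notAfter": "Jun 30 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a live certificate; raises if it is expired, mismatched or untrusted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def days_remaining(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - (now or datetime.now(timezone.utc))).days

def san_matches(pattern, hostname):
    """Compare one SAN entry; a leading '*' stands for exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    first_label, _, rest = hostname.partition(".")
    return bool(first_label) and rest == pattern[2:]

def covers(cert, hostname):
    """True if any DNS SAN on the certificate covers hostname."""
    return any(san_matches(value, hostname)
               for kind, value in cert.get("subjectAltName", ())
               if kind == "DNS")

def renewal_status(cert, now=None):
    """Map days remaining onto the 60- and 30-day reminders."""
    left = days_remaining(cert, now)
    if left < 0:
        return "expired"
    if left <= 30:
        return "renew-now"
    if left <= 60:
        return "reminder"
    return "ok"
```

Run from a scheduled job, renewal_status(fetch_cert("example.com")) gives the status for a live site; a verification error raised by fetch_cert should be treated as an alert in its own right.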

Common SSL Certificate Problems

  • Certificate expired: renew immediately; check if auto-renewal failed
  • Domain mismatch: the certificate was issued for a different domain than the one being accessed
  • Untrusted issuer: self-signed certificate or a CA not in the browser's trust store
  • Mixed content: HTTPS page loading HTTP resources; use your browser's developer tools to identify
  • Incomplete chain: intermediate certificates missing from the server configuration

Frequently Asked Questions

How do I check my SSL certificate expiry date?

Enter your domain in the SSL Certificate Checker to see the exact expiry date, issuer, SANs, and days remaining. Alternatively, in Chrome, click the padlock icon → Connection is secure → Certificate is valid.

What happens when an SSL certificate expires?

Browsers immediately display a full-page "Your connection is not private" warning. Visitors cannot proceed without manually overriding the warning, and most will leave. Search engines may temporarily demote the site. The Mozilla CA Certificate Policy governs how browsers handle expired certificates.

Is a free Let's Encrypt certificate as trustworthy as a paid one?

Yes. Let's Encrypt is a trusted Certificate Authority recognised by all major browsers. The difference between free DV certificates and paid OV/EV certificates is the level of organisation verification performed, not the encryption strength.