Checking the Validity and Expiry of an SSL Certificate


Amanda Davis

Every SSL Certificate carries a hard expiry date, and the difference between a calm replacement and an emergency outage is simply knowing that date before the browser does. Checking takes under a minute by any of three methods, each suited to a different situation, and together they answer every version of the question.

Checking in the Browser

For any site already live, the browser holds the answer behind the padlock. Click the padlock or site information icon, open the SSL Certificate details, and read the validity period, the covered hostnames, and the issuer.

The browser view suits quick spot checks, with one caveat worth knowing. Desktop browsers repair incomplete chains silently from their cache, so a clean browser check does not prove other devices see the same healthy picture.

Checking with OpenSSL

The command line answers the same question for servers, scripts, and services that no browser visits, including mail servers and internal systems. One command reads the expiry straight from a live endpoint.

echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -subject -enddate

The same check works against a local file before installation, which catches an expired or wrong file before it ever reaches a server.

openssl x509 -in yourdomain.crt -noout -subject -enddate

Checking from the Outside

An external scan completes the picture, exercising the connection as a fresh visitor and reporting the expiry alongside the chain, the protocols, and the covered names in one pass. This is the check that catches what browser caching hides. Trustico® provides free checking tools for exactly this purpose.

Tip: Check more than the date. The same minute spent on an external scan also confirms the chain is complete and every intended hostname is covered, which are the two problems that surface as emergencies far more often than expiry itself.

With the date in hand, the response depends on how near it sits.

Acting on What the Check Shows

An expiry comfortably distant needs nothing beyond a diary note, with the reminder that maximum validity now runs 200 days under CA/Browser Forum rules, shortening further in the coming years, so the next replacement is always nearer than the old multi-year rhythm suggested.

An expiry approaching within weeks means starting the replacement now, since validation needs time when the reuse window has lapsed. Replacements complete through the tracking system against a fresh Certificate Signing Request (CSR).

An expiry already passed has its own recovery path, covered step by step separately, and the consequences of leaving it are worth understanding too.
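An added example, not part of the original article: the local-file OpenSSL check turned into a small triage script that buckets a certificate as this section describes and lists intended hostnames it does not cover. The function names, the 30-day default threshold and the `.test` hostnames are assumptions, and the sample certificate is a constructed throwaway generated on the spot.

```bash
#!/usr/bin/env bash
# Added example: triage a certificate by expiry and hostname coverage.
# The 30-day default and the *.test names are assumptions, not from the article.

# expiry_status CERT [WARN_DAYS] -> prints OK, RENEW_NOW, EXPIRED or UNREADABLE
expiry_status() {
    local cert="$1" warn_days="${2:-30}"
    # Never classify a file that does not parse as a certificate.
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo UNREADABLE; return 0; }
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo EXPIRED
    elif ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null; then
        echo RENEW_NOW
    else
        echo OK
    fi
}

# uncovered_hosts CERT HOST... -> prints each HOST the certificate does not cover
uncovered_hosts() {
    local cert="$1" host
    shift
    for host in "$@"; do
        # -checkhost reports its verdict in the output text, so match on that.
        openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
            grep -q "does match certificate" || echo "$host"
    done
}

# fetch_cert HOST [PORT] -> PEM of the certificate a live endpoint presents
fetch_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Constructed sample input: a throwaway self-signed certificate valid for 10 days.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" -days 10 \
        -subj "/CN=example.test" \
        -addext "subjectAltName=DNS:example.test,DNS:www.example.test" 2>/dev/null
}

demo_cert="$(mktemp)"
make_demo_cert "$demo_cert"
echo "30-day threshold: $(expiry_status "$demo_cert" 30)"
echo "5-day threshold:  $(expiry_status "$demo_cert" 5)"
echo "not covered:      $(uncovered_hosts "$demo_cert" example.test mail.example.test)"
```

To run the same checks against a live endpoint, redirect the output of `fetch_cert yourdomain.com` to a file and pass that file to the two check functions.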

Removing the Need to Check at All

Manual checking scales poorly as validity shortens, and the durable answer is issuance that replaces itself. Trustico® provides Certificate as a Service (CaaS) so the expiry date stops being anyone's job to watch.


Most Popular Questions

Frequently asked questions covering SSL Certificate validity and expiry checking, including the three checking methods, the desktop browser caching caveat, OpenSSL commands for live endpoints and local files, what to confirm beyond the date, response timing, and Certificate as a Service (CaaS) automation.

Three Methods for Checking an SSL Certificate

The browser suits quick spot checks on any live site, OpenSSL answers the same question for servers, scripts, and services that no browser visits, and an external scan exercises the connection as a fresh visitor. Together the three methods answer every version of the question in under a minute.

The Desktop Browser Caching Caveat

Desktop browsers repair incomplete chains silently from their cache. A clean browser check therefore does not prove that other devices see the same healthy picture, which is exactly what the external scan exists to confirm.

Reading Expiry with OpenSSL

One command reads the expiry straight from a live endpoint, including mail servers and internal systems that no browser visits. The same check works against a local file before installation, which catches an expired or wrong file before it ever reaches a server.

Checking More Than the Date

The same minute spent on an external scan also confirms the chain is complete and every intended hostname is covered. Those two problems surface as emergencies far more often than expiry itself.

Acting on the Date the Check Returns

An expiry comfortably distant needs nothing beyond a diary note, remembering that maximum validity now runs 200 days under CA/Browser Forum rules and shortens further in the coming years. An expiry approaching within weeks means starting the replacement now, since validation needs time when the reuse window has lapsed, and replacements complete through the tracking system against a fresh Certificate Signing Request (CSR).

Removing the Need to Check at All

Manual checking scales poorly as validity shortens, and the durable answer is issuance that replaces itself. Trustico® provides Certificate as a Service (CaaS) so the expiry date stops being anyone's job to watch.
