How to Check SSL Certificate Expiry Date Using OpDeck's Tool

If you need to check SSL certificate expiry date quickly, you have more options than you might think — from browser clicks to command-line tools to dedicated online checkers. This guide walks you through every practical method, explains what the expiry information actually means, and shows you how to stay ahead of certificate renewals so your site never goes dark with a dreaded "Your connection is not private" warning.

Why SSL Certificate Expiry Dates Matter

An expired SSL certificate doesn't just break the padlock icon in your browser bar. It actively blocks visitors from reaching your site. Modern browsers display full-page security warnings that most users won't click past, which means expired certificates translate directly into lost traffic, lost revenue, and damaged trust.

Certificate expiry is also a compliance concern. If your site handles payments, personal data, or any regulated information, an expired certificate can put you in violation of PCI-DSS, HIPAA, or GDPR requirements. Auditors look at certificate validity as a basic hygiene check.

The good news: checking expiry is fast and free. The challenge is doing it consistently across all your domains, subdomains, and environments — especially when you're managing more than a handful of sites.

How to Check SSL Certificate Expiry Date in a Browser

The quickest way to check an SSL certificate expiry date for a site you're actively browsing is right inside your browser. No tools required.

Chrome

Navigate to the website you want to check.
Click the padlock icon (or the "Tune" icon in newer Chrome versions) in the address bar.
Click Connection is secure.
Click Certificate is valid.
A popup appears showing the certificate details, including the Valid from and Valid to dates.

The "Valid to" date is your expiry date. If it's within the next 30 days, start your renewal process immediately.

Firefox

Go to the site and click the padlock icon in the address bar.
Click Connection secure, then More information.
In the Page Info window, click View Certificate.
Firefox opens a dedicated certificate viewer tab showing the Validity section with Not Before and Not After dates.

Safari (macOS)

Click the padlock icon in the address bar.
Click Show Certificate.
Expand the certificate details to find the expiry date under the Validity Period section.

Browser inspection is convenient for a quick one-off check, but it only works for sites you can actively visit. It won't help you audit multiple domains at scale or check certificates on servers that aren't yet publicly accessible.

How to Check SSL Certificate Expiry Date Using the Command Line

If you're a developer or sysadmin, the command line gives you precise, scriptable access to certificate details. Here are the most reliable methods.

Using OpenSSL

OpenSSL is the gold standard for certificate inspection. It's available on Linux, macOS, and Windows (via WSL or Git Bash).

Check expiry for a live domain:

echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates

This outputs two lines:

notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Jan  1 00:00:00 2025 GMT

The notAfter value is your expiry date.

Check just the expiry date (cleaner output):

echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -enddate

Check a local certificate file:

If you have the certificate file on disk (.crt, .pem, or .cer), you don't need a live connection:

openssl x509 -noout -enddate -in /path/to/your/certificate.crt

Check how many days until expiry:

This one-liner calculates the number of days remaining:

echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -checkend 0 && echo "Certificate is valid" || echo "Certificate has expired"

To check if the certificate will expire within the next 30 days (2592000 seconds):

echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -checkend 2592000

If the exit code is 0, the certificate is still valid beyond that window. If it's 1, it will expire within 30 days.

Using curl

curl can also retrieve certificate information with the right flags:

curl -vI --silent https://yourdomain.com 2>&1 | grep -E "expire|start date|SSL"

For a cleaner output focused on expiry:

curl -vI https://yourdomain.com 2>&1 | grep "expire date"

Using nmap

nmap's ssl-cert script gives detailed certificate information:

nmap --script ssl-cert -p 443 yourdomain.com

Look for the Not valid after field in the output.

Automating SSL Expiry Checks with a Shell Script

Manually running commands works for occasional checks, but if you manage multiple domains, automation is the only sane approach. Here's a simple bash script that checks expiry dates across a list of domains and alerts you when any certificate is within 30 days of expiry.

#!/bin/bash

DOMAINS=("yourdomain.com" "subdomain.yourdomain.com" "anotherdomain.com")
THRESHOLD_DAYS=30
THRESHOLD_SECONDS=$((THRESHOLD_DAYS * 86400))

for DOMAIN in "${DOMAINS[@]}"; do
  EXPIRY=$(echo | openssl s_client -servername "$DOMAIN" -connect "$DOMAIN:443" 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
  
  if [ -z "$EXPIRY" ]; then
    echo "WARNING: Could not retrieve certificate for $DOMAIN"
    continue
  fi

  EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s 2>/dev/null || date -j -f "%b %d %T %Y %Z" "$EXPIRY" +%s)
  NOW_EPOCH=$(date +%s)
  DIFF=$(( EXPIRY_EPOCH - NOW_EPOCH ))
  DAYS_LEFT=$(( DIFF / 86400 ))

  if [ "$DIFF" -lt "$THRESHOLD_SECONDS" ]; then
    echo "ALERT: $DOMAIN expires in $DAYS_LEFT days ($EXPIRY)"
  else
    echo "OK: $DOMAIN expires in $DAYS_LEFT days ($EXPIRY)"
  fi
done

Save this as check-ssl.sh, make it executable with chmod +x check-ssl.sh, and schedule it via cron to run daily:

0 8 * * * /path/to/check-ssl.sh >> /var/log/ssl-check.log 2>&1

You can extend this script to send email alerts using mail or integrate with Slack via webhook when a certificate is approaching expiry.

How to Check SSL Certificate Expiry Date with OpDeck

Command-line tools are powerful but require setup, technical knowledge, and ongoing maintenance. For a fast, visual, no-setup-required alternative, OpDeck's SSL Certificate Checker gives you complete certificate information in seconds — no terminal required.

Step-by-Step: Using OpDeck's SSL Checker

Step 1: Open the tool

Navigate to https://www.opdeck.co/tools/ssl. No account or login is required.

Step 2: Enter your domain

Type your domain name into the input field. You can enter just the domain (e.g., yourdomain.com) without the https:// prefix. The tool handles the connection automatically.

Step 3: Run the check

Click the Check button. The tool connects to your server over port 443 and retrieves the full certificate chain.

Step 4: Review the results

The results panel displays:

Expiry date — the exact date and time your certificate expires, displayed prominently
Days remaining — a clear countdown so you don't have to do date math
Certificate issued to — confirms the certificate covers the domain you checked (important for catching misconfigured certs)
Issued by — the Certificate Authority (CA) that signed the certificate (e.g., Let's Encrypt, DigiCert, Sectigo)
Valid from — when the certificate became active
Certificate chain — whether the full chain is correctly configured, which matters for older clients and some mobile browsers
SANs (Subject Alternative Names) — all the domains and subdomains the certificate covers

What the Results Tell You

Days remaining is the number you care about most. Here's a practical interpretation guide:

90+ days remaining: You're in good shape. No action needed.
30–90 days remaining: Plan your renewal. Most CAs allow renewal within 90 days of expiry without losing remaining validity (the new certificate simply starts from the renewal date).
Under 30 days: Renew immediately. This is urgent territory. Set aside time this week.
Under 7 days: Emergency. Prioritize this above everything else. An expired certificate will start causing browser warnings at the exact moment of expiry.
Already expired: Your site is actively showing security warnings to visitors. Renew immediately.

Certificate chain issues are worth paying attention to even when the expiry date is fine. An incomplete chain means some clients — particularly older Android devices and certain enterprise browsers — will reject your certificate even though it's technically valid. OpDeck flags these chain problems so you can address them proactively.

SAN coverage tells you whether all your subdomains are protected. A wildcard certificate might cover *.yourdomain.com but not yourdomain.com itself. The SAN list makes this immediately visible.

Checking SSL Certificates on Non-Standard Ports

Most SSL certificates run on port 443, but some services use other ports — mail servers use 465 or 587, LDAP uses 636, and internal services sometimes run on custom ports. The OpenSSL command handles this easily:

echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:8443 2>/dev/null | openssl x509 -noout -enddate

Simply replace 443 with your actual port number.

Common SSL Certificate Expiry Problems and How to Avoid Them

Problem 1: Auto-Renewal Failures

Let's Encrypt certificates are free and automatically renewable, but auto-renewal can fail silently. The Certbot client needs to be able to complete an HTTP or DNS challenge, and if your server configuration changes, firewall rules tighten, or DNS records shift, the renewal will fail — and you won't know until the certificate has already expired.

Fix: Schedule a weekly cron job that checks your certificate expiry dates independently of the renewal process. Don't assume renewal worked just because Certbot is installed.

Problem 2: Forgetting Subdomains

You might diligently monitor yourdomain.com but forget that api.yourdomain.com, mail.yourdomain.com, or staging.yourdomain.com have separate certificates on different renewal schedules.

Fix: Maintain an inventory of every hostname that serves HTTPS traffic. Check each one explicitly. A wildcard certificate can simplify this by covering all subdomains under a single expiry date.

Problem 3: Certificate Pinning After Renewal

Some mobile apps and enterprise clients use certificate pinning, which hardcodes the expected certificate fingerprint. When you renew your certificate (even with the same CA), the fingerprint changes and pinned clients will refuse connections.

Fix: Coordinate certificate renewals with your mobile app team. Use public key pinning instead of certificate pinning where possible, since public keys can remain consistent across renewals.

Problem 4: CDN and Proxy Certificates

If your traffic goes through a CDN like Cloudflare, AWS CloudFront, or Fastly, visitors see the CDN's certificate rather than your origin server's certificate. Your origin certificate might be expired without affecting the user experience — until the CDN can't reach your origin over HTTPS.

Fix: Check both your CDN's certificate (which you may not manage directly) and your origin server's certificate. They're separate and can expire independently.

Problem 5: Ignoring Internal Services

Internal APIs, admin panels, and staging environments often run with self-signed or manually managed certificates that nobody monitors. These expire just as reliably as production certificates.

Fix: Include internal hostnames in your monitoring script. If they're not publicly accessible, use the OpenSSL command-line approach from within your internal network.

Setting Up Certificate Expiry Monitoring

Checking expiry dates manually is a good start, but the professional approach is continuous monitoring with automated alerts. Here are the main options:

Cron + shell script: The approach shown earlier in this article. Free, flexible, and runs on any Linux server. Requires initial setup and maintenance.

Uptime monitoring services: Tools like UptimeRobot, Better Uptime, and Freshping include SSL expiry monitoring alongside uptime checks. They'll email or Slack you when expiry is approaching.

Certificate Transparency logs: Services like crt.sh let you monitor certificates issued for your domain. This is particularly useful for catching unauthorized certificates issued for your domain (a sign of a potential security incident).

OpDeck on-demand checks: For teams that prefer a lightweight, no-infrastructure approach, running a quick check with OpDeck's SSL Certificate Checker as part of your weekly or monthly site review workflow catches problems before they become incidents.

Understanding Certificate Validity Periods

One thing worth knowing when you check SSL certificate expiry dates: the maximum validity period for publicly trusted certificates has been shrinking over time.

Before 2015: certificates could be valid for up to 5 years
2015–2018: maximum reduced to 3 years
2018–2020: maximum reduced to 2 years
Since September 2020: maximum is 398 days (approximately 13 months)

This trend is likely to continue. Apple has proposed reducing maximum validity to 47 days by 2027, which would make automated renewal and monitoring not just convenient but essential.

The practical implication: if you're issuing a new certificate today, plan for renewal in about 11–12 months (to give yourself a buffer before the 398-day maximum). If you're using Let's Encrypt, certificates are valid for only 90 days by design, which forces frequent renewals and keeps the ecosystem healthier.

Conclusion

Knowing how to check SSL certificate expiry date is a fundamental skill for anyone running a website or managing web infrastructure. Whether you prefer the browser padlock, an OpenSSL command, a shell script monitoring multiple domains, or a visual tool that gives you results without any setup, the important thing is that you're checking regularly and acting before expiry — not after.

For the fastest, most accessible way to check SSL certificate expiry date right now, head to OpDeck's SSL Certificate Checker. Enter your domain, get a full certificate report in seconds, and know exactly how much runway you have before your next renewal. OpDeck also offers a suite of complementary tools for performance auditing, security headers, DNS inspection, and more — everything you need to keep your web properties healthy and properly configured.