SSL Certificate Expired? How to Check, Renew and Prevent It
An expired SSL certificate takes your website down and costs you revenue instantly. Learn how to check, renew, recover and automatically monitor SSL certificates — including the shorter validity periods coming in 2026.
Jean-Pierre Broeders
Security & DevOps Expert
An expired SSL certificate is one of those problems you never see coming — until your entire website goes down and visitors are met with a red warning. The frustrating part: it is completely preventable. In this article you'll learn why SSL certificates expire (and increasingly fast), how to check whether a certificate has expired, how to renew it per platform, what to do when it's already too late, and how to monitor it automatically from now on.
The nightmare scenario: your SSL certificate has expired
It's Monday morning. Your client calls panicking: "The website doesn't work! There's an error message!"
You open the site and see it: "Your connection is not private". Your SSL certificate has expired.
This happens more often than you think, and the consequences are significant:
- Customer trust — visitors leave instantly when they hit a warning screen
- SEO impact — an unreachable or "not secure" site hurts your Google rankings
- Revenue loss — no one checks out on a site that's flagged as unsafe
- Reputation damage — your brand gets associated with unreliability
Why SSL certificates expire (and why faster every year)
SSL/TLS certificates have a deliberately limited validity period. The shorter a certificate is valid, the less time a stolen or misused certificate can do damage. That's why the maximum lifetime has been cut sharply over the years: from 39 months, to 825 days, to today's maximum of ~398 days (13 months).
And it's getting shorter still. In 2025 the CA/Browser Forum locked in a roadmap that gradually reduces maximum validity to 47 days by 2029. The practical conclusion is simple: manual renewal is no longer a viable plan. Anyone still relying on a calendar reminder will soon be at risk every six weeks.
In practice, things mostly go wrong because of:
- Too many domains — how do you keep track of dozens or hundreds of certificates?
- Too little visibility — certificates don't proactively warn you they're about to expire
- Failing auto-renewals — due to DNS issues, configuration errors, an unreachable validation endpoint or payment problems
- Forgotten wildcard certificates — *.yourdomain.com is easy to overlook
- Development and staging environments — test.yourdomain.com is rarely on anyone's calendar
A certificate that worked yesterday can be expired today. And the worst part: usually your customers are the first to notice, not you.
The risks of an expired certificate
An expired certificate is far more than a cosmetic browser warning:
- Man-in-the-middle attacks — without a valid certificate, encrypted traffic is easier to intercept
- Loss of data integrity — visitors can no longer be sure they're actually talking to your server
- Increasingly aggressive browser warnings — modern browsers often block access entirely instead of showing a dismissible warning
- PCI compliance — for webshops, an expired certificate can mean immediate non-compliance
Security here isn't a standalone topic. Certificate management belongs in your broader security approach — see also our API security best practices for the other side of the same coin.
How do you check whether an SSL certificate has expired?
You don't have to wait until a visitor reports the error. Checking takes seconds:
- Via the browser — click the padlock in the address bar and look at "certificate valid until".
- Via the command line with OpenSSL — ideal for scripts and quick checks:
# View a certificate's validity dates
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates
You'll see a notBefore and notAfter date. The latter is your deadline.
- Via an online SSL checker — handy to verify the full certificate chain and configuration in one go.
Tip: want to know whether a certificate expires within a given window? Use -checkend. The command openssl x509 -checkend 604800 returns an exit code indicating whether the certificate expires within 7 days (604800 seconds): 0 if it is still valid at that point, 1 if it is not. That makes it perfect for a monitoring script.
Renewing an SSL certificate: step by step per platform
How you renew an SSL certificate depends on your setup. The three most common scenarios:
Let's Encrypt with Certbot
Most modern servers use the free Let's Encrypt. Certbot handles renewal automatically, but verify the timer is actually running:
# Test whether auto-renewal works (without actually renewing)
sudo certbot renew --dry-run
# Status of the scheduled renewal
systemctl list-timers | grep certbot
Let's Encrypt certificates are valid for 90 days and are renewed by default from 30 days before expiration. Does the dry-run fail? Then your real renewal will fail later too — fix it now.
Nginx
After a renewal, Nginx needs to load the new certificate. Test the configuration first, then reload without downtime:
sudo nginx -t && sudo systemctl reload nginx
Apache
sudo apachectl configtest && sudo systemctl reload apache2
Manual certificates (cPanel or CA portal)
Using a paid certificate? Generate a new CSR, order the renewal from your Certificate Authority, and install the new certificate plus its intermediate certificates. Don't forget the chain — a missing intermediate certificate produces the same error on many devices as an expired certificate.
What to do when your certificate has already expired
Too late? Don't panic — recovery often takes under fifteen minutes:
- Confirm the cause. Run the OpenSSL check above to be sure it's really expiration and not a chain or name mismatch.
- Force a renewal. With Certbot: sudo certbot renew --force-renewal. With a paid certificate: order a new one and install it immediately.
- Reload your web server so the new certificate becomes active (reload, not just replacing it on disk).
- Purge caches and CDN. Services like Cloudflare cache certificate info; force a refresh at the edge.
- Verify publicly with an external SSL checker, not just locally — local caches can give you a false sense of security.
Monitoring SSL certificates automatically: the real solution
Renewing fixes the problem once. The structural answer is monitoring, so you never again depend on memory or luck. My advice:
- Layered alerts — warnings at a minimum of 30, 14 and 7 days before expiration
- Multiple notification channels — email and Slack and SMS for the truly critical cases
- Central overview — which certificates do you have, and which expire soon?
- Auto-renew where possible — let your CA or Certbot do the work
- Monitor your development domains too — all hostnames, including test.yourdomain.com
This fits seamlessly into a broader DevOps monitoring stack: just as you monitor your cron jobs, you should monitor your certificates.
That's why I built CertGuard — it automatically monitors all my certificates and warns me well before anything expires. With the upcoming shorter validity periods, that's no longer a luxury but a necessity.
Quick win: check all your domains today
Don't wait for the next crisis. Run through your domains today:
# Check the expiration date of a single domain
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates
See anything expired or expiring soon? Fix it now, before your customers notice. An expired SSL certificate is an easily preventable problem with big consequences.
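The layered 30/14/7-day alerts and the run through all your domains, combined in one script. This is an added example, not code from the article or from CertGuard; the hostnames are placeholders and the tier names (notice, warning, critical) are assumptions. It also separates "expired" from chain or hostname failures, which renewal alone does not fix.

```python
import socket
import ssl
from datetime import datetime, timezone

# Alert tiers in days before expiry, from the article's 30/14/7 advice.
TIERS = [(7, "critical"), (14, "warning"), (30, "notice")]


def days_left(not_after, now):
    """Whole days from `now` until a notAfter value ('May 11 12:00:00 2026 GMT')."""
    value = not_after.split("=", 1)[-1].strip()  # also accepts 'notAfter=...' lines
    return int((ssl.cert_time_to_seconds(value) - now.timestamp()) // 86400)


def tier(days):
    """Map remaining days to an alert level."""
    if days < 0:
        return "expired"
    for limit, name in TIERS:
        if days <= limit:
            return name
    return "ok"


def fetch_not_after(host, port=443, timeout=5.0):
    """Read notAfter from the leaf certificate of a verified TLS handshake."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check(host, now=None, fetch=fetch_not_after):
    """Return (host, status, days); days is None when no date could be read."""
    now = now or datetime.now(timezone.utc)
    try:
        days = days_left(fetch(host), now)
    except ssl.SSLCertVerificationError as exc:
        # verify_code 10 is X509_V_ERR_CERT_HAS_EXPIRED; other codes mean a
        # chain or hostname problem, which renewal alone will not fix.
        expired = exc.verify_code == 10
        return host, "expired" if expired else f"invalid: {exc.verify_message}", None
    except OSError as exc:
        return host, f"unreachable: {exc}", None
    return host, tier(days), days


if __name__ == "__main__":
    for name in ["yourdomain.com", "test.yourdomain.com"]:  # placeholder hosts
        print(*check(name))
```

Run it from cron or a CI job and route anything other than "ok" to your notification channels.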
Frequently asked questions about expired SSL certificates
How long is an SSL certificate valid? Currently a maximum of around 398 days (13 months). That period will be cut in stages over the coming years to 47 days by 2029, making automatic renewal practically mandatory.
What happens when my SSL certificate expires? Browsers show a warning like "Your connection is not private" and often block access entirely. Visitors leave, your SEO and revenue suffer, and webshops risk PCI non-compliance.
Can I still renew an expired SSL certificate?
You don't renew an expired certificate; you request a new one or force a renewal (for example certbot renew --force-renewal) and then reload your web server.
How do I check when my SSL certificate expires?
Click the padlock in your browser, or use openssl s_client on the command line to read the notAfter date. For multiple domains, automated monitoring is the only scalable solution.
Does Let's Encrypt renew automatically?
Yes, Certbot renews Let's Encrypt certificates automatically by default from 30 days before expiration — provided the timer is running and validation succeeds. Test this with certbot renew --dry-run.
