The morning your SSL certificate expires, every browser starts blocking your site with a full-screen security warning. The fix takes minutes. Knowing it was about to happen is the hard part. Set the renewal date once, get an email before, on, and after — until it\'s done.
Done in seconds. No sign-up required.
No outage, no DNS issue, no traffic spike. Just a date that quietly came and went.
of users abandon a site after seeing a browser security warning rather than clicking through
HubSpot SSL trust research
maximum lifetime for Let\'s Encrypt certs — and Let\'s Encrypt has now stopped sending expiry emails
letsencrypt.org expiration notification policy
proposed maximum certificate lifetime under the CA/Browser Forum timeline, phasing in by 2029
CA/Browser Forum Ballot SC-081
SSL renewals are the easiest kind of deadline to forget. They happen once a year for paid certs, once every 90 days for Let\'s Encrypt — long enough to fall out of any weekly routine. Nothing about your site feels different the day before expiry. Then the date hits and the entire site starts throwing browser errors at the same instant.
The systems most teams rely on are not as reliable as they look. Let\'s Encrypt used to email you at 20, 10, and 1 day before expiry — that program ended in 2025. Auto-renew via certbot, acme.sh, or your hosting panel can fail silently when DNS changes, CAA records get added, or a CDN intercepts the validation request. The cron job runs, the renewal fails, no one reads the log. Six weeks later, your homepage breaks during a Tuesday morning standup.
A reminder pinned to the actual expiry date is the human-layer backstop. It does not care whether your automation worked. It still emails you at day 30, day 14, day 3, and the day of — and keeps following up after that until you confirm the new cert is in place.
Different cert types need different lead times. The rule of thumb: the reminder should fire with enough runway to handle the worst-case renewal — not the happy path.
Click the padlock in your browser, or run openssl s_client -connect domain.com:443. Either gives you the exact "Not After" date.
30 days for paid one-year certs, 60 days for Let\'s Encrypt 90-day certs, 14 days once 47-day certs land. Always pad for DNS or validation hiccups.
If you don\'t mark it done, BoldRemind keeps emailing — past the reminder date, past the expiry, until the renewal is confirmed.
Not sure where the expiry date lives in your stack? See how to check your SSL certificate expiration date for browser, command-line, and hosting-panel methods.
It\'s not abstract. It\'s the same site, broken in every browser, until you push a fix.
Chrome, Safari, Firefox, and Edge all show a full-screen interstitial. Most users hit back. Bounce rates spike to near 100%.
What expiry actually looks like →Google Search Console flags the property. Paid campaigns can be paused automatically. Crawl errors accumulate within hours, not days.
Cost of one expired hour →Domain validation, CAA records, intermediate chain rebuilds — none of these are five-minute fixes when the clock is already past zero.
Renewal cadence by cert type →Everything else about keeping certificates current.
Thirty days is the safe minimum for paid one-year certificates. That window lets you reissue, validate domain ownership, and deploy the new cert before anything visible breaks. For 90-day Let's Encrypt certs, set a 60-day reminder so you catch any silent auto-renew failure with a full month of runway. When the industry moves to 47-day certs, drop to a 14-day reminder paired with a same-week verification step.
They do, and for fleet-scale infrastructure they're the right call. The gap is small operators: one site, one cert, one renewal a year. Standing up Datadog or installing Zabbix for that is overkill, and free monitors still ask you to log in to a dashboard. A plain email reminder on the date you already know matches the size of the problem.
Auto-renew fails silently more often than people realize — DNS records change, CAA records get added, ACME challenges break behind a CDN, billing cards expire. Let's Encrypt has stopped sending expiration emails, so if cron quietly errored out two months ago, no one is going to tell you. A reminder is the human-layer backstop, not a replacement for automation.
Every modern browser blocks the page with a full-screen "Your connection is not private" warning. Visitors see a red error before they ever reach your homepage. Google Search Console flags the property within hours. Paid ad campaigns can be suspended automatically. Encryption technically still works for that hour, but no real user will click through. See the full breakdown of what happens when your SSL certificate expires.
Yes, but you have to reissue rather than renew, and your site stays broken in every browser until the new cert is installed. There is no grace period and no "expired-but-still-trusted" mode. The point of the reminder is to make this scenario impossible.
Paid certificates max out at 398 days under current CA/Browser Forum rules. Let's Encrypt and most other free issuers cap at 90 days. The industry is moving toward a 47-day maximum lifetime, with full implementation expected by 2029. See how often you need to renew an SSL certificate for the per-issuer breakdown.
No. BoldRemind sends date-based email reminders only — you enter the expiration date, it sends emails before, on, and after that date until you mark it done. It does not connect to your server or fetch the cert. That keeps the tool simple and means it works for self-signed, internal, or otherwise unreachable certs that scanning tools cannot see.
Free. No account. Takes 30 seconds. You'll get an email 30 days before your cert expires — and follow-ups until you've actually renewed it.
Create SSL Renewal ReminderLast modified: