The fastest way to find your SSL expiry date is the browser padlock — three clicks, every browser. The most precise way is one openssl command. The most thorough is your hosting panel. Once you have the date, set a reminder and you do not have to check again until renewal.
Done in seconds. No sign-up required.
Works on Chrome, Safari, Firefox, Edge, Brave — every modern browser. No tooling required.
In the address bar, click the padlock or shield icon next to the URL. A dropdown appears.
In Chrome and Edge, this expands to show "Certificate is valid." In Safari, click "Show Certificate." In Firefox, click "More information" → "View Certificate."
Look for "Valid Until," "Expires," or "Not After." That timestamp is your renewal deadline. Note the timezone — most are in UTC.
The fastest, most precise method if you have a terminal available. Works against any HTTPS endpoint, including domains you do not own.
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -enddate
Replace example.com with your domain. The output looks like:
notAfter=Jul 30 12:00:00 2026 GMT
The -servername flag enables SNI, which is required for most modern hosts.
Without it, you may get the default cert for the IP rather than the cert for your domain.
For a more complete view, drop -noout -enddate and add -text to
see the full certificate, including the issuer, the SAN list, and key details.
On Windows, install openssl through Git for Windows or run the same command inside WSL — the syntax is identical, no PowerShell-specific incantation required.
If your provider issued the cert, the date is one click away.
Security → SSL/TLS → "Manage SSL Sites" or "Certificates (CRT)". Each row shows the issuance and expiry dates per domain.
Domains → your domain → "SSL/TLS Certificates." The active cert\'s validity period is listed at the top of the panel.
SSL/TLS → Edge Certificates. Each cert lists its expiry. Universal SSL is auto-renewed, but you should still pin the date for any custom or advanced cert.
Certificate Manager → list of certificates. Each entry shows status, issuance, and expiry. ACM auto-renews issued certs but only if DNS validation still resolves.
IIS Manager → Server Certificates. The list shows friendly name, issuer, and expiration date. Double-click any cert for full details.
Each provider\'s customer portal lists active certs with issuance and expiry. Most also send their own renewal warnings — but those rely on a working email on file.
The "Valid Until" date is the only number you need. Subtract a sensible lead time for your cert type — 30 days for a paid one-year cert, 60 days for a 90-day Let\'s Encrypt cert — and that becomes your reminder date.
See how often to renew an SSL certificate for the right cadence per cert type, or set the reminder now if you already know which lead time you need. Once it\'s in, you do not have to look at the expiry date again until the email lands in your inbox.
Click the padlock icon in the address bar of any browser, then "Connection is secure" or similar, then "Certificate is valid" or "More information." The "Valid Until" or "Not After" date is the expiry. For command-line access, run "openssl s_client -connect domain.com:443 -servername domain.com 2>/dev/null | openssl x509 -noout -enddate".
"Not After" is the formal X.509 field for the certificate's expiry date. It is the timestamp after which the cert is no longer valid. Browsers compare this against the current clock and reject the cert the moment "Not After" is in the past. There is no time-zone leniency or grace period — it is a hard cliff.
On any system with openssl installed: "echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -enddate". Output looks like "notAfter=Jul 30 12:00:00 2026 GMT". The -servername flag is required for SNI, which most modern hosts use.
In cPanel, navigate to Security → SSL/TLS → "Manage SSL Sites" or "Certificates (CRT)". Each domain row lists the issuance and expiry dates. Plesk has the same information under "Domains" → your domain → "SSL/TLS Certificates."
Yes — SSL certs are public information by design. The browser padlock works on any site. The openssl command works against any HTTPS endpoint you can reach. Tools like crt.sh let you search Certificate Transparency logs for any domain's issued certs and their expiry dates without ever connecting to the server.
Once, when you first set up the cert — and then never again, because the date is fixed until you renew. Set a reminder pinned to that date with appropriate lead time, and the next time you need to think about it is when the email arrives. Re-checking weekly is what reminders are for.
Once you know when your cert expires, the rest is automatic. A free email reminder before, on, and after — until you mark it renewed.
Create SSL Renewal ReminderLast modified: