How to Check an SSL Certificate: Validity and Expiry

The fastest way to know whether a website is secure is to inspect its certificate. So how do you check an SSL certificate and find its validity period? In this guide we walk through three methods (browser, command line and online tools) step by step, then explain exactly what to look for and how to stay ahead of expiry.

Check in the browser

The easiest method is the lock icon in your browser's address bar. To reach the certificate details:

  1. Open the target site with https://.
  2. Click the lock icon in the address bar.
  3. Choose Connection is secure and then Certificate is valid.
  4. In the certificate window, look at the Validity section: the Valid from and Valid to fields show the expiry date.
  5. Verify the Issued to (CN) and the Certificate Authority that signed it.

If the certificate has expired or the domain does not match, the browser shows a prominent warning that also hints at the underlying problem.

On the command line (openssl)

For a more technical check, openssl is ideal; a single command reveals the expiry date:

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -enddate

The notAfter line in the output is the expiry date. To see the full validity window:

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates

To check the domain match (CN and SAN) and the issuer:

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -ext subjectAltName

Tip: the -servername flag is critical for SNI; when several sites share one IP it makes sure you receive the correct certificate.

With online tools

If you have no command-line access, online SSL checkers do the job. You enter your domain and within seconds the tool reports:

  • Expiry date and days remaining
  • Completeness of the certificate chain (missing intermediate?)
  • Supported TLS versions and insecure protocols
  • Configuration warnings (weak ciphers, broken chain, etc.)

Because these tools connect from the outside, just like a visitor, they are excellent at catching server-side issues you might miss locally.

What to check

Whichever method you use, look at these five points:

  • Expiry date: How many days remain? Plan renewal once you drop below 30 days.
  • Chain completeness: A missing intermediate certificate makes some browsers flag the site as untrusted.
  • Domain match: The CN or SAN entries must match the domain you visit exactly; both www and the root domain should be covered.
  • TLS version: Modern sites should support TLS 1.2 and 1.3 and disable TLS 1.0/1.1.
  • Common errors: Wrong dates, a broken chain or a self-signed certificate are the most frequent problems.

Stay ahead of expiry

A certificate that expires means visitors meet a frightening security warning. The cure is regular monitoring. Note the date in a calendar or use automatic reminders. For certificates you create with our free SSL wizard, 90dayfreessl emails you before expiry, so you can renew well before the last minute.

Summary

You can check your SSL certificate in seconds via the browser lock icon, with openssl commands, or with online tools. Review the expiry date, chain completeness, domain match and TLS version regularly. If your certificate has expired or is missing entirely, use our free SSL wizard to generate a fresh Let's Encrypt certificate in minutes, with no sign-up and a single ZIP. Better still, 90dayfreessl sends an email reminder before expiry so your site always stays secure.