SSL Certificate Expiry Check
How to check SSL certificate expiration online, read notAfter dates, understand browser errors, and prevent HTTPS outages before certificates expire.
By DN01 Network Team
Expired TLS certificates break HTTPS instantly — browsers show NET::ERR_CERT_DATE_INVALID or similar while the site still runs behind the load balancer. Checking expiry before the notAfter date is basic operational hygiene for any domain serving HTTPS.
This guide explains which fields matter in a certificate, how to verify them with the SSL Certificate Checker, and what to do when auto-renewal fails silently on shared hosting or Kubernetes ingress.
What to look for in expiry results
The leaf certificate notAfter (valid until) is the hard deadline. Wildcard and multi-domain (SAN) certificates can list several hostnames — confirm every name you serve appears in the Subject Alternative Name extension.
Compare notBefore as well: a cert with a future notBefore causes errors until the clock crosses that boundary. Intermediate certificates in the chain have their own dates — an expired intermediate breaks trust even when the leaf looks fine.
How to check expiry online (4 steps)
1. Open the SSL Certificate Checker, enter the hostname (port 443 implied), and run the check.
2. Note notAfter for the leaf and each intermediate in the chain panel.
3. Cross-check SAN entries against every subdomain you publish (www, api, cdn).
4. Set a calendar reminder 14 days before expiry if renewal is manual; 7 days if automated with alerting.
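The same leaf checks scripted for unattended monitoring, as an added example that is not part of the DN01 checker or taken from this guide's author. It uses Python's standard ssl module; WARN_DAYS, the function names and the sample certificate dict are assumptions constructed here, and getpeercert() exposes only the leaf, so intermediate dates still need the chain view.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 14  # assumption: the guide's reminder window for manual renewal

def fetch_leaf(host, port=443, timeout=5.0):
    """Leaf cert as a getpeercert() dict; an expired or untrusted
    chain raises ssl.SSLCertVerificationError during the handshake."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def san_covers(cert, hostname):
    """True if a DNS SAN matches; '*' stands for one left-most label only."""
    hostname = hostname.lower()
    parent = hostname.partition(".")[2]  # hostname minus its first label
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value.lower() in (hostname, "*." + parent):
            return True
    return False

def assess(cert, hostnames, now=None):
    """Classify the validity window and list hostnames absent from the SAN."""
    ts = (now or datetime.now(timezone.utc)).timestamp()
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - ts) // 86400)
    if ts < not_before:
        status = "not_yet_valid"
    elif ts > not_after:
        status = "expired"
    elif days_left < WARN_DAYS:
        status = "renew_now"
    else:
        status = "ok"
    missing = [h for h in hostnames if not san_covers(cert, h)]
    return {"status": status, "days_left": days_left, "missing_san": missing}

# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE = {
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
```

For a live host, pass `fetch_leaf("your.hostname")` to `assess()` along with every name you publish, and treat a handshake exception as an alert in its own right.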
Common expiry failures
Let's Encrypt ACME jobs fail when HTTP-01 challenges cannot reach /.well-known or when DNS-01 TXT records are missing — hosting panels may still show "active" while the live cert is old.
Load balancers sometimes terminate TLS with an old cert while origin uses a new one — always test the public hostname clients hit, not only the origin IP.
After renewal, verify with the checker and allow old sessions to drain. HSTS preload lists do not forgive expiry outages: a browser enforcing HSTS for the host gives users no way to click through the certificate error.
| Symptom | Likely cause | Fix |
|---|---|---|
| NET::ERR_CERT_DATE_INVALID | Leaf past notAfter | Renew and redeploy full chain |
| Untrusted issuer | Missing intermediate | Install vendor bundle on server |
| Hostname mismatch | SAN missing name | Re-issue with correct SAN |
| Site works on mobile, fails desktop | Incomplete chain on one path | Compare chain from checker |
Frequently asked questions
- Does checking expiry mean my site is fully secure?
No. Valid dates are one layer. You still need correct hostname in SAN/CN, modern TLS versions, complete chain, and no mixed content. Use the SSL Checker for chain and protocol details together.
- How often should I check certificate expiry?
Monthly for production sites; weekly during migration windows. Let's Encrypt certificates renew every 90 days — automate renewal and spot-check with the SSL Checker after deploys.
- Can I check SSL without openssl installed?
Yes. The DN01 SSL Certificate Checker runs the TLS handshake from the browser, shows notBefore/notAfter, chain order, and negotiated protocol without local tools.