That little padlock icon in your browser means something. Here's how to actually check if your SSL cert is expired, why it matters more than most people think, and how to stop it from happening again.
You check your website. Everything looks fine. Except the padlock is gone — and in its place is a warning you've been ignoring for three days. Meanwhile, a competitor is ranking above you in search, a customer closed the tab without buying, and an attacker is running a man-in-the-middle attack on your unencrypted traffic. All because nobody noticed the certificate had expired.
SSL certificate expiration is one of the most preventable security failures that still happens constantly. Let's fix that.
When an SSL certificate expires, the browser can't verify the server's identity anymore. That's the simplified version. But here's what that actually means in practice:
The 2023 Twilio breach started with an expired certificate on an internal tool — a neglected cert led to a phishing page that got credentials that compromised the entire company. That's the kind of chain that starts with one forgotten renewal.
You have several ways to check, depending on how deep you want to go.
Open your site in Chrome, Firefox, Safari, or Edge. Look at the address bar:
Go to ssllabs.com/ssltest and enter your domain. You'll get:
This is the most thorough check available for free. Run it on all your public-facing domains.
Open a terminal and run:
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates
This shows you the exact validity dates of the certificate presented by your server. Useful for quick checks without leaving your terminal.
If you manage multiple domains, manually checking each one isn't sustainable. Services like SSL Watcher will monitor your certificates and alert you before they expire — typically 30, 14, and 3 days before expiry. Automated monitoring is the only reliable solution when you have more than three domains to track.
Expired certificates don't just affect security — they affect business outcomes directly. And the window between expiration and renewal is when you're most vulnerable. An attacker knows when certs expire too, and they'll target windows of neglect.
Let's Encrypt certificates expire after 90 days by design. That's not a bug — it's a feature that forces automation. If you're using Certbot with a valid auto-renewal cron job, your certs will renew automatically and you never have to think about it. If you're not sure, run certbot certificates to see when they expire and whether renewal is configured.
If you can't automate renewal, at least automate the warning. Set up a monitoring check that alerts you 30 days before expiry. Many certificate authorities and third-party tools will do this for free. The goal is to make sure a human sees the expiration date before it becomes a problem.
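A minimal version of that warning check, as an added example (not code from the original article or from any tool it names): it reads the certificate's notAfter date over TLS and maps the days remaining to the 30, 14 and 3 day thresholds mentioned earlier. The function names and status labels are assumptions chosen for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Alert thresholds in days, taken from the article (30, 14 and 3 days before expiry).
THRESHOLDS = (30, 14, 3)


def days_left(not_after, now=None):
    """Whole days until a 'notAfter' string from getpeercert() (negative once past)."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days


def classify(days):
    """Map days remaining to a status label (labels are illustrative)."""
    if days < 0:
        return "EXPIRED"
    crossed = [t for t in THRESHOLDS if days <= t]
    return f"ALERT-{min(crossed)}d" if crossed else "OK"


def check_host(host, port=443, timeout=5.0):
    """Connect, validate the chain, and return (host, days_left or None, status)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                days = days_left(tls.getpeercert()["notAfter"])
                return host, days, classify(days)
    except ssl.SSLCertVerificationError as exc:
        # An already-expired certificate fails the handshake, so no dates are
        # available; report the verifier's reason instead.
        return host, None, f"INVALID: {exc.verify_message}"
    except OSError as exc:
        return host, None, f"UNREACHABLE: {exc}"


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(*check_host(name), sep="\t")
```

Run it from a scheduler with your domains as arguments and alert on any status other than OK.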
Wildcard certificates are convenient but they expire just like any other cert — and they cover dozens or hundreds of subdomains. If your wildcard expires, every single subdomain is affected. Keep an inventory of every certificate you manage, including wildcards, and who is responsible for renewal.
Sometimes certificates are valid but the server is misconfigured and not presenting them correctly. Mixed content errors, incomplete chains, and protocol mismatches can all cause browser warnings even when the cert itself hasn't expired. Run an SSL Labs scan monthly to catch configuration drift.
Don't wait for something to break. Do these three things in the next five minutes:
certbot renew --dry-run)
Certificate expiration is a solved problem. The only reason it still causes incidents is that nobody assigned the task of watching for it. Assign it now — to a person or to automation — and you'll never have an expired cert incident again.