SSL Certificate Expiry: How to Check, Monitor, and Avoid Downtime

An expired SSL certificate is one of the most common — and most avoidable — causes of website downtime. When your certificate expires, browsers show a full-page security warning that stops visitors in their tracks. No clicks, no conversions, no trust.

The worst part? It usually happens silently. Most teams only find out when a customer complains or traffic drops off a cliff.

This guide covers how SSL expiry works, how to check your certificates, and how to set up monitoring so it never catches you off guard.

What happens when an SSL certificate expires

When a certificate passes its expiry date, browsers immediately stop trusting it. Visitors see a warning page — typically "Your connection is not private" in Chrome or "Warning: Potential Security Risk Ahead" in Firefox.

The impact is immediate:

  • Visitors can't reach your site without clicking through scary warnings (most won't)
  • Search rankings drop because Google flags the site as insecure
  • API integrations break if clients enforce certificate validation
  • Email delivery fails if your mail server's certificate is also expired
  • Customer trust erodes — a security warning signals negligence

For e-commerce sites, the cost of even a few hours of SSL downtime can be significant.

Why certificates expire

SSL/TLS certificates have a built-in expiry date by design. This is a security feature — it forces regular rotation of cryptographic keys and ensures that certificate authorities periodically re-verify domain ownership.

The maximum certificate lifetime has been getting shorter over the years:

  • Before 2015: up to 5 years
  • 2015-2018: 3 years maximum
  • 2018-2020: 2 years maximum
  • 2020-present: 398 days (roughly 13 months)
  • Proposed: 90 days (already used by Let's Encrypt)

Shorter lifetimes mean more frequent renewals, which means more opportunities for things to go wrong if you don't have automation in place.

How to check your SSL certificate expiry

Using your browser

The quickest way to check a single certificate:

  1. Visit your site in Chrome
  2. Click the padlock icon in the address bar
  3. Click "Connection is secure" then "Certificate is valid"
  4. Check the "Valid to" date

Using the command line

For a more detailed view, use OpenSSL:

echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates

This returns both the issue date and expiry date.

Using ScanMyDomain

The fastest way to check SSL along with everything else — enter your domain at scanmydomain.co and get your certificate expiry date alongside DNS, SPF, DKIM, and DMARC results in one scan.

Common causes of unexpected expiry

Even teams that know about certificate renewal get caught out. Here are the usual culprits:

Auto-renewal failures

Let's Encrypt certificates renew automatically via Certbot or your hosting provider. But auto-renewal can fail silently if:

  • DNS records have changed and validation fails
  • The renewal service (Certbot, acme.sh) has been updated and the config is stale
  • Server permissions have changed
  • The web server isn't reachable on port 80 for HTTP-01 challenges

Missed renewal emails

Certificate authorities send renewal reminders to the email on file. If that email goes to a former employee, a shared inbox nobody monitors, or gets caught by spam filters, the reminders vanish.

Multiple certificates across services

Many organisations have certificates on their main site, staging environments, API servers, mail servers, and CDNs. It's easy to track the main one and forget the rest.

Domain transfers

When you transfer a domain to a new registrar, existing certificates remain valid but auto-renewal may break if it depends on DNS validation with the old provider.

How to set up SSL monitoring

Option 1: Manual calendar reminders

Set a calendar reminder 30 days before each certificate expires. This works for one or two domains but doesn't scale.

Option 2: Certbot's built-in checks

If you use Let's Encrypt, Certbot can test renewal without actually renewing:

sudo certbot renew --dry-run

Run this as a monthly cron job and check the output for errors.

Option 3: Automated monitoring with ScanMyDomain

Add your domain to ScanMyDomain and enable weekly monitoring. You'll get an email alert when your SSL certificate is approaching expiry, along with alerts for any other DNS or email authentication issues that crop up.

This is particularly useful if you manage multiple domains — you get a single dashboard showing the health of all of them.

Best practices for SSL management

Automate everything

Use a certificate manager that handles renewal automatically. Most modern hosting platforms (Vercel, Netlify, Cloudflare, AWS) handle this for you. If you're self-hosting, use Certbot with a cron job.

Monitor, don't just automate

Automation reduces risk but doesn't eliminate it. Auto-renewal can fail silently. Always have monitoring as a safety net — if renewal fails, you want to know immediately, not when customers start complaining.

Use short-lived certificates

Let's Encrypt's 90-day certificates are actually a feature, not a burden. They force you to automate renewal properly, which is more reliable than remembering to manually renew once a year.

Keep contact details current

Make sure the email address associated with your certificates goes to an actively monitored inbox. Update it when team members leave.

Don't forget non-web certificates

Mail servers, API endpoints, internal tools, and staging environments all need valid certificates too. Include them in your monitoring.
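A small expiry check that ties these practices together, added here as an illustration and not taken from the original post or from ScanMyDomain: it parses the `openssl x509 -noout -dates` output shown earlier, checks live endpoints, and reports an already-expired certificate instead of crashing on the failed handshake. The 30-day threshold, the hostnames and the function names are assumptions.

```python
import socket
import ssl
import time

WARN_DAYS = 30  # assumed threshold, matching the 30-day calendar reminder above


def days_left(not_after, now=None):
    """Whole days until a notAfter value such as 'Apr  1 00:00:00 2025 GMT'."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def classify(days, warn_days=WARN_DAYS):
    if days < 0:
        return "EXPIRED"
    return "WARN" if days <= warn_days else "OK"


def parse_openssl_dates(text):
    """Turn the notBefore=/notAfter= lines printed by openssl into a dict."""
    return dict(line.strip().split("=", 1) for line in text.splitlines() if "=" in line)


def check_host(host, port=443, timeout=5.0):
    """Fetch the certificate a server presents and return (status, detail)."""
    ctx = ssl.create_default_context()  # full chain and hostname validation
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An expired or otherwise untrusted certificate fails the handshake,
        # so report it as a finding rather than letting the monitor crash.
        return "INVALID", exc.verify_message
    except OSError as exc:
        return "UNREACHABLE", str(exc)
    days = days_left(not_after)
    return classify(days), f"{days} days left (notAfter={not_after})"


if __name__ == "__main__":
    # Hypothetical inventory: list every TLS endpoint, not only the main site.
    for host, port in [("example.com", 443), ("api.example.com", 443)]:
        print(host, port, *check_host(host, port))
```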

Test after renewal

After a certificate renews, verify it's actually serving correctly. A new certificate sitting on disk doesn't help if the web server is still using the old one in memory. Many servers need a reload:

sudo systemctl reload nginx

What to do if your certificate has already expired

If you're reading this because your certificate just expired, here's the quick fix:

  1. Check if auto-renewal is configured — run sudo certbot renew if using Let's Encrypt
  2. If renewal fails, check DNS records and ensure your server is reachable on port 80
  3. Reload your web server after renewal — sudo systemctl reload nginx or sudo systemctl reload apache2
  4. Verify the new certificate is being served — use your browser or openssl s_client
  5. Set up monitoring so this doesn't happen again

Summary

SSL certificate expiry is entirely preventable with the right setup. Automate renewal, monitor for failures, and keep your contact details current. For a quick check of your current certificate status along with a full domain health audit, scan your domain now.
