Your SSL Certificate Is About to Expire: Here's What to Do


An SSL certificate expired warning doesn't just look bad — it actively blocks visitors from reaching your site, tanks your search rankings, and can trigger browser security alerts that are genuinely scary to non-technical users. The good news is that renewing an expired SSL certificate is straightforward once you know the steps, and preventing future expirations is even easier.

What Actually Happens When Your SSL Certificate Expires

When your SSL certificate expires, browsers immediately stop trusting your site. Chrome, Firefox, Safari, and Edge all display a full-page warning that tells visitors "Your connection is not private" or "This site's security certificate has expired." Most users won't click past that warning — and they shouldn't have to.

Beyond the visitor experience, here's what else breaks:

  • HTTPS stops working. Requests may fall back to HTTP or simply fail, depending on your server configuration and whether you have HSTS (HTTP Strict Transport Security) enabled.
  • SEO takes a hit. Google uses HTTPS as a ranking signal. A broken or expired certificate can cause your pages to drop in search results or be flagged as insecure.
  • APIs and integrations break. Any service that makes HTTPS calls to your domain — payment processors, webhooks, mobile apps — will start throwing certificate errors.
  • Email delivery can be affected. If your mail server uses TLS with the same certificate, email clients may reject connections.

HSTS makes this worse. If your site has HSTS enabled with a long max-age, browsers will refuse to load it over HTTP as a fallback. Renewing quickly is the only fix — there's no easy override for end users.

How to Check SSL Certificate Expiration Date

Before you renew, you need to verify certificate validity and confirm exactly when it expires. There are several ways to do an SSL expiration check.

From Your Browser

  1. Visit your site in Chrome or Firefox.
  2. Click the padlock icon in the address bar (or the "Not Secure" warning).
  3. Select "Connection is secure" then "Certificate is valid."
  4. Look for the "Valid until" or "Expires on" date in the certificate details panel.

From the Command Line (OpenSSL)

If you have server access or want to check a domain programmatically, OpenSSL gives you precise details:

echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates

This outputs notBefore and notAfter dates. The notAfter value is your expiration date.

Check the Certificate File Directly

If you have the .crt or .pem file on your server, you can inspect it directly:

openssl x509 -in /path/to/your/certificate.crt -noout -enddate

Most certificate authorities (CAs) send expiration reminder emails 30, 14, and 7 days before expiry. If you're not receiving these, check the email address associated with your CA account — it may be an old or unmonitored inbox.

How to Renew Your SSL Certificate

The renewal process depends on where and how your certificate was issued. Here are the three most common scenarios.

Option 1: Let's Encrypt (Auto-Renewal with Certbot)

Let's Encrypt certificates are free and expire every 90 days by design, but Certbot handles renewal automatically. To test that renewal works or to renew manually:

# Test the renewal process without replacing any certificates
sudo certbot renew --dry-run

# Force renewal immediately (counts toward Let's Encrypt rate limits)
sudo certbot renew --force-renewal

If auto-renewal has been failing silently, check your cron job or systemd timer:

sudo systemctl status certbot.timer

Option 2: Renewing Through a Paid CA (DigiCert, Sectigo, etc.)

  1. Log in to your CA's dashboard and locate the expiring certificate.
  2. Generate a new CSR (Certificate Signing Request) on your server. Most CAs walk you through this, but you can also generate one with OpenSSL:

     openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

  3. Submit the CSR to your CA and complete domain validation (DV), organization validation (OV), or extended validation (EV) depending on your certificate type.
  4. Download the new certificate files (typically a .crt file plus an intermediate/chain file).
  5. Install the new certificate on your server and restart the web server (Apache, Nginx, etc.).

Option 3: Renewing Through a Hosting Control Panel

If your site is on shared hosting (cPanel, Plesk, or a managed platform like WP Engine or Kinsta), the process is usually a few clicks:

  • cPanel: Go to SSL/TLS Manager and use the "Manage SSL Sites" section.
  • Plesk: Navigate to Domains, select your domain, click SSL/TLS Certificates.
  • Managed WordPress hosts: Most handle certificate renewal automatically. Check your dashboard's SSL section if you see a warning.

After Renewal: Verify the New Certificate Is Live

After installing the renewed certificate, always run a quick SSL expiration check to confirm the new certificate is active and correctly chained. Use the OpenSSL command from the section on checking the expiration date, or check your browser's certificate details again.

Restart your web server after installing a new certificate. On Nginx: sudo systemctl reload nginx. On Apache: sudo systemctl reload apache2. Skipping this is the most common reason a freshly installed certificate doesn't take effect.

Common Certificate Errors and What They Mean

Not every certificate error means the cert has expired. Here's a quick breakdown of the most common ones:

| Error Message | Likely Cause | Fix |
|---|---|---|
| NET::ERR_CERT_DATE_INVALID | Certificate is expired or server clock is wrong | Renew certificate; sync server time via NTP |
| NET::ERR_CERT_AUTHORITY_INVALID | Self-signed cert or missing intermediate chain | Install full certificate chain from your CA |
| NET::ERR_CERT_COMMON_NAME_INVALID | Certificate domain doesn't match the URL | Reissue certificate for the correct domain/SAN |
| SSL_ERROR_RX_RECORD_TOO_LONG | HTTP served on HTTPS port (misconfiguration) | Check virtual host config; ensure SSL is enabled on port 443 |
| ERR_SSL_PROTOCOL_ERROR | TLS version mismatch or broken SSL config | Update TLS settings; disable SSLv3/TLS 1.0 and 1.1 |

The Mozilla Developer Network's documentation on certificate transparency is a solid reference if you're troubleshooting chain or trust errors in more depth.

How to Prevent SSL Expiration in the Future

Expiration is almost always preventable. Here are the most reliable methods:

  • Use Let's Encrypt with Certbot auto-renewal. The 90-day cycle sounds short, but Certbot renews automatically 30 days before expiry. Set it up once and forget it (mostly).
  • Set calendar reminders. If you're on a 1-year or 2-year certificate, put a reminder 45 days before the expiration date. That gives you time to renew without rushing.
  • Use your CA's monitoring alerts. Every major CA (DigiCert, Sectigo, GlobalSign) sends email reminders. Make sure those go to an actively monitored inbox.
  • Enable external uptime monitoring with SSL checks. Services that monitor your site for downtime often include SSL expiration checks as part of the package. You'll get an alert before the certificate actually expires.
  • Document your certificates. Keep a simple spreadsheet or note with domain name, CA, expiration date, and renewal contact. For teams, this prevents the "I thought someone else handled it" situation.

Certificate lifetimes are getting shorter. As of 2024, most major browsers and the CA/Browser Forum have been pushing toward 90-day maximum certificate lifetimes. Apple already announced plans to enforce this for Safari. Automation is no longer optional — it's the expected approach. See the CA/Browser Forum for the latest policy discussions.

Certificate Management for Multiple Domains

If you manage more than a handful of sites, tracking individual certificate expiration dates manually doesn't scale. Good certificate management at this level usually involves one of these approaches:

  • Wildcard certificates: A single wildcard cert (e.g., *.yourdomain.com) covers all subdomains. One renewal instead of many, though it doesn't help if you manage multiple root domains.
  • Multi-domain (SAN) certificates: A Subject Alternative Name certificate can cover dozens of different domains under one renewal cycle.
  • Centralized monitoring: Tools and scripts that ping each domain's SSL handshake and report back expiration dates in a single dashboard.
  • Infrastructure-as-code: If you're managing certificates in cloud environments (AWS Certificate Manager, Google-managed SSL, Cloudflare), certificates are often renewed automatically as part of the platform.

For teams running many domains, the biggest risk isn't forgetting to renew — it's not knowing which certificates exist in the first place. Periodic audits using a script that checks every domain in your inventory against its SSL expiration date are worth the setup time.
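
A sketch of the inventory audit described above, which also serves as the post-renewal check that the live certificate is valid and correctly chained. This is an added example, not code from the original article; the 30-day threshold, the status names and the hostnames are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed alert threshold, not a value taken from the article
ORDER = {"EXPIRED": 0, "INVALID": 1, "UNREACHABLE": 2, "RENEW": 3, "OK": 4}


def days_left(not_after, now=None):
    """Whole days until a notAfter string such as 'Jun  1 12:00:00 2025 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - (now or datetime.now(timezone.utc))).days


def classify(days):
    """Map remaining days to a status; any time past notAfter is negative."""
    if days < 0:
        return "EXPIRED"
    return "RENEW" if days <= WARN_DAYS else "OK"


def check_host(host, port=443, timeout=5.0):
    """Handshake the way a browser would and return (status, detail)."""
    ctx = ssl.create_default_context()  # verifies chain, hostname and dates
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # verify_code 10 is OpenSSL's X509_V_ERR_CERT_HAS_EXPIRED; anything else
        # is a chain or hostname problem that renewal alone may not fix.
        return ("EXPIRED" if exc.verify_code == 10 else "INVALID"), exc.verify_message
    except OSError as exc:  # DNS failure, timeout, refused, non-TLS service
        return "UNREACHABLE", str(exc)
    days = days_left(not_after)
    return classify(days), f"{days} days left (notAfter={not_after})"


def audit(hosts, check=check_host):
    """Check every host in the inventory and list problem entries first."""
    rows = [(host, *check(host)) for host in hosts]
    return sorted(rows, key=lambda row: (ORDER[row[1]], row[0]))


if __name__ == "__main__":
    # Constructed inventory; replace with the domains you are responsible for.
    for host, status, detail in audit(["example.com", "example.org"]):
        print(f"{status:<12}{host:<24}{detail}")
```

The days_left function also accepts the date printed by openssl x509 -enddate once the notAfter= prefix is removed, so certificate files on disk can be audited with the same thresholds.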


Technically yes, but most visitors won't. Browsers display a full-page security warning and require users to manually click through an "Advanced" option to proceed. Many browsers and security tools block this entirely. If HSTS is enabled on your domain, even that workaround is unavailable — the browser will refuse the connection outright until a valid certificate is installed.

For domain-validated (DV) certificates, renewal typically takes a few minutes to a couple of hours once you submit the CSR and complete domain validation. Organization-validated (OV) and extended-validation (EV) certificates take longer — sometimes 1 to 5 business days — because they require manual identity verification by the CA. Let's Encrypt renewals via Certbot usually complete in under a minute.

Not automatically. If you reuse the same CSR from your previous renewal, the private key stays the same. Generating a new CSR creates a new private key pair. Security best practice recommends generating a new key pair with each renewal — especially if you suspect the old key may have been compromised. Certbot does this by default when it renews Let's Encrypt certificates.

The most common reason is that the web server wasn't reloaded after the new certificate was installed. Run sudo systemctl reload nginx or sudo systemctl reload apache2 depending on your setup. Other causes include the new certificate being installed in the wrong path, a CDN or load balancer still serving the old certificate, or browser cache. Clear your browser cache and test from a different network or incognito window to rule out caching.

Currently, most SSL certificates are issued with a maximum validity of 398 days (just over 13 months). Let's Encrypt certificates expire every 90 days. The CA/Browser Forum and major browser vendors are actively pushing to reduce the maximum lifetime to 90 days industry-wide, with Apple already announcing plans to enforce this in Safari. Setting up automated renewal now is the smartest way to stay ahead of these changes.

Yes, it can. Google has used HTTPS as a ranking signal since 2014. When your certificate expires, Googlebot may still crawl your site, but it will flag pages as insecure. If your site becomes unreachable due to the expired cert, Google will eventually drop those pages from its index. Renewing quickly minimizes the SEO impact, though it may take a few days for Google to re-verify your site as secure after renewal.