Why Your SSL Certificate's Expiry Date Matters More Than You Think

An expired SSL certificate is the most preventable SSL failure, yet it brings down high-profile sites every year. Unlike most infrastructure problems, the exact failure time is known weeks in advance — yet it still catches teams off guard.

What Happens When a Certificate Expires

The moment a certificate's Not After timestamp passes, browsers will refuse to load your site with a large red certificate expired warning. There's no grace period. Visitors can't click through on modern browsers without a security exception. Revenue stops.

Why Certificates Have Expiry Dates

Short validity periods limit the damage from a compromised private key. If keys are stolen but the certificate expires in 90 days, the window of exposure is bounded. This is why the industry has moved from 2-year to 1-year to 90-day certificates — shorter validity means more frequent rotation, which is generally healthier even if operationally demanding.

Current Maximum Validity

• Public TLS certificates: 398 days maximum (enforced by browsers since 2020)
• Let's Encrypt: 90 days, recommended to renew at 60 days
• Proposed 2026 standard: 47 days maximum for public certificates

Monitoring Expiry

The most reliable monitoring strategy is redundant:

1. Automated renewal — use Certbot (for Let's Encrypt) or ACM (for AWS) so renewal is never manual.
2. External monitoring — services like UptimeRobot, Datadog, or Checkly will alert you when expiry is under 30 days.
3. Calendar reminder — a low-tech backup. Set an event 30 days before expiry.

Checking Days Remaining

Paste any certificate into the SSL Certificate Decoder to see exactly how many days remain until expiry — along with the full validity window and all other certificate details.