FAQ

How do you check SSL certificate expiry?

Updated 2026-04-05 · Published 2026-04-01

Direct answer

To check SSL certificate expiry, inspect the certificate’s Not After date for each hostname you serve—via browser devtools, openssl s_client, or automated monitoring that connects periodically and parses the chain. Renew or re-issue before expiry, accounting for staging and load balancer copies.

Practical checklist

  • Inventory all hostnames (marketing, API, apex vs www).
  • Confirm which environment terminates TLS (CDN, LB, origin).
  • Set reminders at 30/14/7 days—or use automated monitoring for continuous verification.

Pitfalls

Forgetting alias names covered by SANs; letting staging certs expire and break CI smoke tests; assuming auto-renew always succeeds without alerts.

Frequently asked questions

Is expiry the only TLS risk?

No—also track unexpected issuers, missing intermediates, and hostname mismatches.

Wildcard coverage?

Wildcards do not cover all nested names—validate the specific FQDNs users hit.