SSL Certificate Expiry Calculator

Paste an expiry date, or the openssl text dump of a certificate, and get days remaining, an urgency band, and the date you should set the renewal reminder for. This is a date-arithmetic helper. It does not contact your server, does not validate the chain, and does not parse the binary certificate. Everything runs in your browser.

Explain like I'm 5 (what even is this calculator?)

An SSL certificate is the thing that turns the padlock on in your browser. Every certificate has a date it stops working. If you forget to renew it before that date, every visitor to the site sees a scary red warning. This page tells you how many days are left, whether you need to panic, and the date to put in your calendar so you actually remember.

Check an expiry

Browser-only. No network call is made. This page does not validate your certificate, it only does the date maths. For a live check use openssl s_client -connect host:443 or a monitoring service.

How are you giving us the expiry?

Either YYYY-MM-DD or a full ISO timestamp. Treated as UTC.

How many days before expiry you want the renewal reminder. Most teams use 30. Drop it for fully automated renewals, push it up for slow change-management.

Prove it

Press Calculate and the working will appear here: parsed expiry, your current UTC clock, the days-remaining calculation, the band rule that selected the verdict, and the renewal-date subtraction. Nothing is sent off the page.

This is not an SSL validator. It does not contact your server, does not check the chain, the hostname, OCSP, or Certificate Transparency logs. It is date arithmetic on the expiry you supply.

Useful? Save this calculator: press Ctrl + D to bookmark it.

When to use this

The most common scenario: you have just been handed responsibility for a domain, an inbox, or an internal service, and you want to know how nervous to be about its certificate. Either you have the expiry date noted somewhere, or you can run openssl x509 -in cert.pem -noout -text against the certificate file. Paste either into the panel above and you have your answer in seconds, with the renewal date already on the calendar.

The other common scenario: you have a list of services, you have already pulled their certificates with whatever monitoring you use, and you want a quick sense check on one specific value. The bands here match the ones most monitoring tools use, so the verdict here will line up with the alert thresholds you already have.

Common mistakes

The first mistake is treating the expiry date as a hard deadline. It is not. Browsers begin showing warnings the moment the clock ticks past it, which means you should be deploying a new certificate hours or days earlier, not minutes. The second mistake is renewing the day before. Validation can fail. DNS records can be slow to propagate. Vendor sign-off can take a working day. Treat the renewal date this calculator gives you as the latest acceptable trigger, not the target.

The third mistake, a quieter one, is renewing on the same day every year and forgetting that calendar drift exists. A certificate issued on the 1st of March will not necessarily expire on the 1st of March: most CAs add a small grace buffer or align with their issuance window. Always read the actual expiry off the certificate, never assume it.

Edge cases

Short-lived certificates (Let's Encrypt's 90-day default, or the proposed 47-day baseline) shift the maths. The "30 days lead time" default makes less sense for a 90-day cert because you will spend a third of the cert's life inside the renewal window. For automated renewal pipelines, drop the lead time to 7 or 14 days. For wildcard or EV certificates that go through a slow procurement process, 60 days is sensible.

Internal certificates, signed by a private CA, work the same way for the maths but not for the consequences. An expired internal cert may not show a browser warning if the user is not pointing at it, but it will quietly break service-to-service authentication. Keep them in the same renewal calendar as your public certs, even though nobody outside the network will notice.

Time zones. Certificates use UTC. This calculator uses UTC. If your expiry says "23:59 on the 30th" in your local time and you are seven hours behind UTC, the actual expiry instant is the morning of the 31st in your local clock. Renew accordingly.

Related calculators

Cert expiry is one operational deadline. These cover the rest of the toolkit.

Frequently asked questions

Does this tool actually check my live SSL certificate?

No. This is a date-arithmetic helper, not an SSL validator. It does not contact your server, does not validate the chain, and does not check OCSP or CT logs. It takes an expiry date or a pasted certificate's text dump, and tells you how long is left and when to renew. For a live check, use openssl s_client -connect host:443 or a monitoring service.

Why 30 days as the default renewal lead time?

Thirty days is the threshold most operations teams use as their renewal trigger, and it is what most monitoring services flag at by default. It gives enough room to handle a failed validation, a delayed DNS change, or a vendor sign-off without anyone losing a weekend. If your renewal process is faster (Let's Encrypt with full automation), drop the lead time. If it is slower (corporate change-management for a wildcard cert), push it out to 45 or 60 days.

How does the PEM-paste mode work?

It does not parse the certificate's ASN.1 structure. It scans the text you pasted for the standard openssl text-dump line: Not After : Apr 28 12:00:00 2026 GMT, and reads the date from that line. So paste either the output of openssl x509 -in cert.pem -noout -text, or anything that contains that one line. If your tooling prints the validity in a different format, switch to date mode and type the expiry directly.

What do the urgency bands mean?

Negative days remaining is Expired (browsers will warn or block users). 0 to 7 days is Critical (renew today). 8 to 30 days is Warning (inside the standard renewal window). 31 to 60 days is Caution (worth scheduling). More than 60 days is Healthy. The bands are deliberately conservative: a certificate that expires on a Friday night with no on-call is the same problem whether it expires this week or next.

Does it handle short-lived certificates like Let's Encrypt's 90-day default?

Yes, but the default 30-day lead time is too generous for a 90-day cert. Drop the lead time to 7 or 14 days for any pipeline that renews automatically. The bands themselves still apply, and the days-remaining figure is unchanged.

Last updated 29 April 2026 by Andrew Laws.