SSL certificate expiry: why it matters and how to stay ahead
An SSL certificate is what puts the padlock in the address bar and the s in https. It encrypts traffic between the browser and your server, and it proves to visitors that they are talking to the real site and not an impostor. Every certificate has an expiry date, and when that date passes, the certificate stops being trusted.
Here is the part that catches people out: nothing warns you the day before. The certificate is valid right up until the moment it is not, and then every visitor hits a full-page security warning at the same time. This guide covers what breaks, why it breaks so completely, and how to make sure you are never the last to know.
What breaks when a certificate expires
Once the certificate lapses, browsers stop trusting the connection and throw a full-screen warning instead of loading the page. Most visitors will not click past a scary red screen telling them the site is not secure, so for practical purposes the site is down. Traffic, signups, and sales stop until the certificate is renewed.
It hits more than human visitors. API clients and integrations that verify certificates will refuse to connect, so anything depending on your endpoints breaks too. Search engine crawlers can also struggle to fetch pages over a broken connection, and a site that sits in this state long enough risks losing the ranking advantage that HTTPS normally gives it.
SSL expiry is not the same as domain expiry
Two separate clocks are ticking, and people often confuse them. The SSL certificate expiry is when the encryption certificate stops being valid. The domain expiry is when your registration of the domain name itself runs out.
Both can take a site offline, but they renew through different providers and on different schedules. Your certificate might come from Let's Encrypt while your domain sits with a separate registrar. Letting the domain lapse is the more dangerous of the two, because once it drops, someone else can register it. Track both, and treat them as independent deadlines.
Why auto-renewal is not the whole answer
Plenty of certificates renew automatically. Let's Encrypt issues 90-day certificates specifically so they renew often through automation, and many hosts handle it for you. That is genuinely good, but it is not a reason to stop watching.
Automation fails quietly. A renewal cron job breaks after a server update, a domain validation check stops resolving, an account payment lapses, or a config change points the renewal at the wrong host. The renewal that was supposed to happen does not, and you find out when the warnings start. Auto-renewal lowers the odds of expiry; it does not remove the need to confirm it actually happened.
How to check a certificate
You can inspect a certificate by hand. Click the padlock in your browser, open the certificate details, and read the valid-to date. That works for a quick one-off check on a single host.
A checker tool is faster and gives you more in one place: the days remaining until expiry, the authority that issued the certificate, and the domain registration expiry alongside it. Reading the issuer is worth a moment too, because a sudden, unexpected change of issuer can hint at a reissue or misconfiguration you did not order.
Stay ahead with monitoring
The reliable fix is to stop relying on memory. Set up monitoring that watches your certificate and tells you a set number of days before it expires, so a renewal that quietly failed becomes an alert in your inbox instead of an outage on your homepage.
Pick a warning window that gives you time to act. Two weeks is a sensible floor; thirty days is more comfortable if a renewal needs manual steps or approvals. Point the monitor at both the certificate and the domain registration, since the same logic applies to both deadlines.
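The by-hand check and the warning window described in the two sections above can be combined into one small monitor; this is an added example, not code from the original page or from any tool it mentions. The function names, the `SAMPLE` certificate and the issuer name are constructed for illustration, and the thresholds are the 14-day and 30-day figures from the text.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # the guide's comfortable window; 14 is its stated floor

def fetch_cert(host, port=443, timeout=10):
    """Fetch the leaf certificate in getpeercert() dict form.
    An already-expired certificate fails the handshake with
    ssl.SSLCertVerificationError; a monitor should alert on that too."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def issuer_org(cert):
    """Pull organizationName out of the nested issuer RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def assess(cert, now, warn_days=WARN_DAYS, expected_issuer=None):
    """Classify as ok / warning / expired and flag an unexpected issuer."""
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    if not_after <= now:
        status = "expired"
    elif days_left <= warn_days:
        status = "warning"
    else:
        status = "ok"
    org = issuer_org(cert)
    changed = expected_issuer is not None and org != expected_issuer
    return {"status": status, "days_left": days_left,
            "issuer": org, "issuer_changed": changed}

# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),)),
    "notAfter": "Jun 15 12:00:00 2025 GMT",
}

if __name__ == "__main__":
    now = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
    print(assess(SAMPLE, now, expected_issuer="Example CA"))
```

Against a live host, pass `fetch_cert("your-hostname")` and `datetime.now(timezone.utc)` to `assess` from a scheduled job, and send the alert whenever the status is not `ok` or `issuer_changed` is true.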
Frequently asked questions
- What happens the moment my SSL certificate expires?
  Browsers immediately stop trusting the connection and show a full-page security warning instead of your site. Most visitors will not click through it, so the site is effectively offline until you renew. API clients that verify certificates also stop connecting.
- How is SSL expiry different from domain expiry?
  SSL expiry is when your encryption certificate stops being valid. Domain expiry is when your registration of the domain name lapses. Both can take a site down, but they renew through different providers, so you need to track them separately.
- Doesn't auto-renewal mean I never have to worry about this?
  Auto-renewal helps a lot but is not foolproof. Renewal jobs break after server changes, validation checks fail, and payments lapse. The renewal silently does not happen and you only find out when the warnings appear, so it is worth monitoring even with automation in place.
- How many days before expiry should I get an alert?
  Two weeks is a reasonable minimum. Thirty days gives more breathing room if renewing involves manual steps or approvals. Set the alert on both the certificate and the domain registration so neither deadline catches you out.