SSL Expiry Checker

Field	Value	Copy
{{ row.label }}	{{ row.value }}

Transport Layer Security certificates are X.509 documents that let clients confirm a site’s identity and protect data in transit. When people say SSL certificate, they mean the same thing for modern HTTPS. Use this page to understand validity windows and renewal timing, and to check SSL certificate expiry date for a website before it affects users.

You enter a hostname or a full link, optionally include a port or a Server Name Indication value, and receive the not before and not after timestamps with an exact days‑to‑expiry counter. You also see the subject common name, issuer, negotiated protocol, and cryptographic fingerprints so you can compare environments without guessing.

For example, a certificate that ends in nine days shows a prominent red state, while one due in twenty five days appears as a caution band. Treat the result as a renewal signal rather than a full security audit. Only open destinations you trust and avoid exposing internal names if confidentiality matters.

If you manage several endpoints, keep the host format consistent to avoid duplicate tracking. Prefer the exact hostname that users visit so the reported expiry mirrors production behavior. When wildcard or Subject Alternative Name entries exist, group renewals by domain to reduce maintenance churn.

Technical Details:

The checker sends a single request to a helper service with the host, port, optional Server Name Indication, and a timeout hint. The response includes certificate fields and a UNIX‑epoch timestamp for the not after value. Days remaining are computed deterministically from the timestamp and the current clock, then visualized with a gauge whose scale adapts to the result. Status bands reflect simple time thresholds and do not imply chain quality, hostname coverage, or policy compliance.

Core Equation

\begin{array}{lcl} days & = & ⌈ \frac{t {expire}_{ms} - t {now}_{ms}}{86, 400, 000} ⌉ \end{array}

Symbols & Units

Variables and their meanings
Symbol	Meaning	Unit/Datatype	Source
`t_expire ms`	Certificate not after as UNIX epoch	milliseconds	Response
`t_now ms`	Current time when computed	milliseconds	Client clock
`days`	Rounded‑up days until expiry	integer	Derived

Interpretation & Thresholds

Status bands by days remaining
Threshold Band	Lower Bound	Upper Bound	Interpretation	Action Cue
Expired	−∞	−1	Certificate is past not after	Renew immediately
Urgent	0	14	Within two weeks	Prioritize renewal
Soon	15	30	Renewal window is approaching	Schedule renewal
OK	31	∞	Plenty of time	Monitor as usual

Bands guide urgency only. They do not reflect chain trust, hostname coverage, or key strength.

Parameters

Inputs and behavior
Parameter	Meaning	Unit/Datatype	Typical Range	Sensitivity	Notes
Host	Hostname or URL	string	Single host	High	Multiple lines are trimmed to the first non‑blank line.
Port	TLS port	integer	1–65535	Medium	443 by default; a port in the input overrides the field.
SNI	Server Name Indication	string	blank or hostname	Medium	Blank uses the host value.
Timeout	Connection timeout hint	milliseconds	0–15000	Low	0 delegates to a neutral default on the helper.

Constants

Constants used by calculations and visuals
Constant	Value	Unit	Source	Notes
`DAY_MS`	86 400 000	ms	Client	Milliseconds per day
`URGENT_DAYS`	14	days	Client	Red band upper bound
`SOON_DAYS`	30	days	Client	Amber band upper bound
`GAUGE_MIN`	60	days	Client	Minimum gauge span
`GAUGE_MAX_CAP`	825	days	Client	Maximum gauge span
`GAUGE_PAD`	+30	days	Client	Headroom added above current value

Units, Precision & Rounding

Days remaining is an integer using round up to the next whole day.
“Expires today” appears when the computed days equal zero.
Displayed timestamps use a human‑readable local format supplied by the helper.
Decimal separator is a period when numbers are shown.

Validation & Bounds

Field validation and limits
Field	Type	Min	Max	Step/Pattern	Error Text	Placeholder
URL or Host	text	—	—	`^[A-Za-z0-9.\-:$begin:math:display$$end:math:display$]+$` after scheme removal; supports `host:port` and `[IPv6]:port`	Enter a valid URL or hostname.	https://example.com
Port	number	1	65535	step 1	—	—
SNI override	text	—	—	blank or hostname	—	—
Timeout (ms)	number	0	15000	step 100; 0 delegates to helper default	—	—

Heads‑up If your input contains multiple lines, only the first non‑blank line is processed and the rest are ignored with a notice.

I/O Formats

Inputs and outputs
Input	Accepted Families	Output	Encoding/Precision	Rounding
Host	HTTP(S) URL, hostname, `host:port`, `[IPv6]:port`, `mailto:` stripped	Table of fields	Text	—
Export (table)	Copy or download	CSV	UTF‑8	Exact values, SANs joined by spaces
Export (full)	Copy or download	JSON	2‑space indentation	Days are integers

Networking & Storage Behavior

Sends one POST request from your browser to a helper service with host, port, optional SNI, and timeout.
Receives a JSON payload containing certificate details and a not after timestamp.
No sign‑in or API keys are required.
State may be reflected in the page URL as query parameters.

Performance & Complexity

Computation on the client is O(1); overall latency is dominated by the network round trip.
Gauge rendering scales with a single value and is lightweight.
Timeouts are clamped to 0–15 000 ms.

Diagnostics & Determinism

Deterministic for identical inputs and timestamps.
Error surface includes “Lookup failed.”, “No certificate details returned.”, and “Network error contacting the helper.”
Hover tooltips explain fields and defaults.

Security Considerations

Hostname validation is basic and ASCII‑only; internationalized names are not processed.
Results indicate expiry timing only and do not verify chain trust or hostname binding.
Avoid probing confidential internal hosts if disclosure is a concern.

Worked Example

Scenario: Now is 2025‑09‑26 10:00. The certificate not after time is 2025‑10‑01 09:00.

\begin{array}{lcl} Δt & = & 4.958 days \\ days & = & ⌈ 4.958 ⌉ = 5 \end{array}

The display shows “5 days” and the status band is red for urgent renewal.

Assumptions & Limitations

Heads‑up Single‑host input; extra lines are ignored with a notice.
ASCII hostnames only; no IDNA conversion.
Chain validation and policy checks are out of scope.
Only expiry timing is interpreted; other fields are shown verbatim.
Gauge scale adapts and may cap at an upper bound.
Client clock drift near boundaries can change the rounded day.

Edge Cases & Error Sources

Unicode or emoji in hostnames is rejected.
Malformed URLs that cannot be parsed fall back to simple heuristics.
Trailing dots are removed from hostnames.
IPv6 must use brackets when combined with a port.
Ports outside 1–65535 are clamped or rejected.
Timeouts above 15 000 ms are clamped.
Network failures or helper outages surface as explicit errors.
Near midnight, rounding up can advance the day count earlier than expected.

Scientific & Standards Backing

X.509 certificate validity uses not before and not after fields defined by public‑key infrastructure standards. TLS provides the secure channel for HTTPS, and the handshake negotiates the protocol version surfaced here as an informational value.

Privacy & Compliance

A hostname, port, optional Server Name Indication, and a timeout hint are sent from your browser to a helper service to perform the check. No secrets are required. Avoid submitting sensitive internal names if confidentiality policies apply.

Step‑by‑Step Guide:

Follow these quick steps to check expiry and export results.

Enter a hostname or URL.
Optionally set port and SNI.
Choose a timeout if needed.
Run the check and review days to expiry.
Export CSV or JSON if you need a record.

Example: https://example.com:8443 with SNI example.com returns the not after date, days remaining, issuer, and fingerprints.

You now have a clear renewal timeline and portable evidence for tickets or change records.

Copy the table for pasting into a tracker.
Use JSON when automating with scripts.

Pro tip: put the port in the address if it differs from 443, or you will be prompted to confirm the detected value.

FAQ:

Is my data stored?

The hostname, port, optional SNI, and a timeout hint are sent to a helper to perform the check. No account or key is required, and the page keeps no server‑side session.

Avoid submitting confidential internal names.

How accurate is the day count?

It rounds up to the next whole day from your current clock. If the certificate ends later today, you may see “1 day.” Near midnight this can change as the clock advances.

Exact timestamps are shown alongside days.

Which units and formats appear?

Days are integers. Timestamps appear in a readable local format from the helper. CSV uses UTF‑8 with two columns, and JSON includes inputs, an overview, and full data.

Subject Alternative Names are space‑separated in the table export.

Does this verify the full chain?

No. It surfaces expiry timing and related fields. Chain trust, hostname binding, and policy checks remain the responsibility of your certificate management process.

Can I run it offline?

No. A network call to a helper service performs the lookup and returns the certificate details.

Can I check non‑443 ports?

Yes. Enter a port in the field or include it in the address. If a port is detected in the input, the page uses that value and shows a notice.

Does it support IPv6?

Yes for addresses like [2001:db8::1]:443. Internationalized domain names are not supported.

Use brackets for IPv6 when a port is present.

Troubleshooting:

“Enter a valid URL or hostname.” means the input was empty or contained unsupported characters.
“Lookup failed.” indicates an unsuccessful helper response.
“No certificate details returned.” means the helper responded without a not after timestamp.
“Network error contacting the helper.” suggests connectivity or helper issues.
If nothing appears, ensure only one host line is present.

Blocked by a firewall or corporate proxy can prevent lookups. Try again from a network that allows outbound TLS.

Advanced Tips:

Tip Track days across environments using the JSON export to spot drift.
Tip Use SNI when a shared IP serves multiple hostnames.
Tip Schedule renewals when the band turns amber to avoid emergency windows.
Tip Keep the exact hostname users visit to align with real traffic paths.
Tip Store exports alongside change tickets for audit trails.

Glossary:

TLS: Protocol securing transport for HTTPS.
X.509: Certificate format with validity fields.
Not Before: Earliest time a certificate is valid.
Not After: Time after which a certificate is invalid.
SNI: Server Name Indication sent in TLS.
CN: Common Name in the subject field.
SAN: Subject Alternative Name entries.
Fingerprint: SHA‑256 or SHA‑512 digest of a certificate.
Hostname: Label that identifies a network endpoint.
Timeout: Maximum wait for a connection attempt.