SSL/TLS Certificate Expiry

Introduction:

Server certificates are digital credentials that identify a site and include a start and end date for their validity. An SSL certificate expiry checker helps you spot renewals in time so visitors are not greeted by warnings and teams avoid surprise outages.

You provide a URL or host and, if needed, a port or a custom name for the handshake, then read a clear “days left” figure with simple color cues. The result also shows the expiration timestamp in your locale, the identity fields, and robust fingerprints you can compare after a rotation.

Checking a public site can confirm that a new deployment picked up the fresh certificate and that the remaining days match expectations. If a number looks off, repeat later and compare results to rule out clock differences or transient network issues.

Expiry checks report the validity window only and do not prove trust or ownership, so treat the outcome as a scheduling aid rather than a security verdict. For consistent comparisons, run checks at a similar time of day and keep notes on ports and names used.

Technical Details:

The concept measured is a certificate’s validity period, specifically the interval between the current moment and the certificate’s “Not After” time. The computation returns an integer number of days remaining and flags negative values as already expired.

The tool obtains certificate metadata from a live handshake and derives the days remaining from timestamps, then surfaces identity fields such as Common Name and Subject Alternative Names along with strong SHA‑256 and SHA‑512 fingerprints for change tracking.

Results are interpreted with practical bands: values below zero indicate an outage risk, small positive values indicate a renewal window, and higher values indicate comfortable runway. Near the band edges, recheck to confirm because rounding is by ceiling.

Comparisons are valid per endpoint and port and depend on the presented certificate and server name used. Trust chains and revocation are not evaluated here, so treat the output as a time estimate tied to the observed endpoint.

$$D = \left\lceil \frac{t_{to} - t_{now}}{86400000} \right\rceil$$
Symbols and units

| Symbol | Meaning | Unit/Datatype | Source |
| --- | --- | --- | --- |
| $D$ | Days to expiry | days (integer) | Derived |
| $t_{to}$ | “Not After” timestamp | ms since epoch | Certificate |
| $t_{now}$ | Current time at evaluation | ms since epoch | Runtime |
| 86400000 | Milliseconds per day | ms | Constant |
Interpretation bands

| Threshold band | Lower bound | Upper bound | Interpretation | Action cue |
| --- | --- | --- | --- | --- |
| Expired | −∞ | −1 | Certificate is past Not After. | Replace immediately. |
| Critical | 0 | 14 | Very short runway. | Prioritize renewal. |
| Warning | 15 | 30 | Approaching renewal. | Schedule change. |
| Healthy | 31 | | Comfortable runway. | Monitor routinely. |
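
The formula and bands above, as an added JavaScript example (not the tool's own code; function names and the sample timestamp are assumptions). It goes one step beyond the table by also comparing the timestamps directly, because a certificate that expired less than 24 hours ago yields D = 0 under ceiling rounding and would otherwise be read as Critical rather than Expired.

```javascript
// Added example, not the tool's source; function names are hypothetical.
const MS_PER_DAY = 86400000;

// D = ceil((t_to - t_now) / 86400000).
// Math.ceil returns -0 for inputs in (-1, 0]; "+ 0" normalises that to 0.
function daysLeft(notAfterMs, nowMs) {
  return Math.ceil((notAfterMs - nowMs) / MS_PER_DAY) + 0;
}

// Bands exactly as listed in the interpretation table.
function band(days) {
  if (days <= -1) return 'Expired';
  if (days <= 14) return 'Critical';
  if (days <= 30) return 'Warning';
  return 'Healthy';
}

// Combine the day count with a direct timestamp comparison.
// Assumption: an `expired` flag is derived as now > Not After; the page
// does not show how the helper computes it.
function assess(notAfterMs, nowMs) {
  const days = daysLeft(notAfterMs, nowMs);
  const expired = nowMs > notAfterMs;
  const tableBand = band(days);
  return {
    days,
    expired,
    tableBand,                              // what the table alone would say
    band: expired ? 'Expired' : tableBand,  // what an alert should use
  };
}

// Constructed sample: a certificate that expired one hour before "now".
const sampleNotAfter = Date.UTC(2025, 0, 31, 12, 0, 0);
console.log(assess(sampleNotAfter, sampleNotAfter + 3600000));
```

For alerting, key on `expired` or on the raw timestamps rather than on `days < 0` alone.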

Validation & bounds extracted from code

Inputs and validation
| Field | Type | Min | Max | Step/Pattern | Error text / Notes |
| --- | --- | --- | --- | --- | --- |
| URL or Host | string | | | Server accepts [A‑Za‑z0‑9.-] only; client extracts from URLs. | “Enter a valid URL or hostname.” Placeholder https://example.com. Extra lines are ignored with a notice. |
| Port | integer | 1 | 65535 | | Neutral default is 443. |
| SNI override | string | | | | Optional server name for handshake. Leave blank to use the host; omitted for literal IPs. |
| Timeout (ms) | integer | 0 | 15000 | UI step 100 | If omitted the helper uses 6000 ms; provided 0 is floored internally to at least 100 ms. |

I/O formats

Input and output formats
| Input | Accepted families | Output | Encoding / precision | Rounding |
| --- | --- | --- | --- | --- |
| Host, Port, SNI, Timeout | URL or hostname; client accepts bracketed IPv6, server restricts to hostnames or IPv4 | JSON with host, ip, protocol, cipher, subject, cn, issuer, san[], valid_from_ts, valid_to_ts, valid_from_local, valid_to_local, fingerprint256, fingerprint512, expired, days_left | Timestamps in ms; fingerprints uppercase hex colon‑separated | Days by ceiling; negatives mean expired |

Networking & storage behavior

  • Requests are POSTed to https://function.simplified.tools/check_ssl_expiration with JSON inputs. The helper performs a TLS handshake and returns normalized certificate fields.
  • CORS is granted only when the Referer host matches allowed values; preflight and a custom header may be enforced by server settings.
  • No persistent storage is used by the page; clipboard writes and file downloads occur only on explicit user action.

Security considerations

  • The handshake is read for metadata; trust chain validation is not enforced for this check.
  • Server Name Indication is sent when applicable; omitting it may yield a default certificate.
  • Results reflect the specific endpoint and port queried; intermediaries can present different certificates.
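
The input bounds and handshake behaviour described above, as an added Node.js example (not the helper's source; function names, the SNI-override filter, the upper timeout clamp and the port error text are assumptions). It applies the documented hostname filter, port range and timeout rules, leaves SNI unset for literal IPs, and reads certificate metadata without enforcing the chain while reporting the verification result separately.

```javascript
// Added example, not the helper's source; all function names are hypothetical.
const HOST_RE = /^[A-Za-z0-9.-]+$/;         // filter documented for the helper
const IPV4_RE = /^\d{1,3}(\.\d{1,3}){3}$/;  // literal IPv4 (IPv6 never passes HOST_RE)

function normalizeInput({ host, port = 443, sni = '', timeoutMs } = {}) {
  if (typeof host !== 'string' || !HOST_RE.test(host)) {
    throw new Error('Enter a valid URL or hostname.');
  }
  if (sni && !HOST_RE.test(sni)) throw new Error('Invalid SNI override.'); // assumed rule
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error('Port must be an integer from 1 to 65535.');
  }
  // Default 6000 ms when omitted; clamp to 100..15000 (upper clamp is an assumption).
  const t = timeoutMs === undefined ? 6000 : Math.floor(Number(timeoutMs));
  if (!Number.isFinite(t)) throw new Error('Timeout must be a number.');
  const name = sni || host;
  return {
    host, port,
    servername: IPV4_RE.test(name) ? undefined : name, // no SNI for literal IPs
    timeoutMs: Math.min(15000, Math.max(100, t)),
  };
}

// Handshake for metadata only: rejectUnauthorized:false means the chain is not
// enforced, so `authorized` is reported separately and nothing here implies trust.
async function readCertificate(input) {
  const { host, port, servername, timeoutMs } = normalizeInput(input);
  const tls = await import('node:tls'); // works from CommonJS and ES modules
  return new Promise((resolve, reject) => {
    const socket = tls.connect({ host, port, servername, rejectUnauthorized: false }, () => {
      const cert = socket.getPeerCertificate();
      const validTo = Date.parse(cert.valid_to);
      resolve({
        host, port, servername: servername || null,
        cn: cert.subject ? cert.subject.CN : null,
        valid_to_ts: validTo, expired: Date.now() > validTo,
        fingerprint256: cert.fingerprint256,
        authorized: socket.authorized, // false for self-signed or expired chains
      });
      socket.end();
    });
    socket.setTimeout(timeoutMs, () => socket.destroy(new Error('Handshake timed out')));
    socket.on('error', reject);
  });
}
// Usage: readCertificate({ host: 'example.com' }).then(console.log, console.error);
```

Logging `servername` and `port` with each result keeps later comparisons tied to the same endpoint, and `authorized` makes it visible when the metadata came from a certificate a browser would reject.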

Assumptions & limitations

  • Heads‑up: Hostnames are limited to letters, digits, dots, and hyphens on the helper.
  • Bracketed IPv6 inputs may parse in the page but are rejected by the helper’s hostname filter.
  • Days are rounded up; small positives near expiry can read as one day remaining.
  • Timeouts smaller than 100 ms are internally raised to 100 ms to avoid premature aborts.
  • Only the first 200 Subject Alternative Names are returned to keep responses compact.
  • DNS resolution returns a single address for display; multi‑IP hosts may vary by run.
  • Locale formatting for timestamps comes from the helper’s environment.
  • Gauge scaling adapts to days remaining; very high values compress visual differences.

Edge cases & error sources

  • Clock skew between client and server affects perceived days remaining.
  • Handshake without SNI can surface a different certificate than the site uses.
  • Self‑signed or expired certificates still return metadata but remain untrusted in browsers.
  • Revoked certificates are not detected because revocation is out of scope.
  • Unicode or IDNA hostnames are not accepted by the helper’s ASCII filter.
  • Large SAN lists are truncated; long values are joined for display.
  • High network latency may trigger timeouts; increase the timeout if needed.
  • Copy to clipboard may require user interaction due to permission policy.
  • Behind load balancers, different nodes may present different certificates.
  • Parsing inputs with ports or brackets differs between page and helper; prefer plain hostnames.

Scientific & standards backing

Certificate fields and validity windows follow the X.509 profile; transport security follows TLS with Server Name Indication. These concepts are defined in widely recognized standards and are implemented here for expiry time inspection.

Privacy & compliance

Hostnames you enter are sent to a helper endpoint for the handshake and parsing; no credentials are required and the page does not retain inputs beyond your session.

Step‑by‑Step Guide

Certificate expiry inspection reports days remaining and key identity fields from the presented certificate.

  1. Enter a URL or host.
  2. Optionally set a port and server name.
  3. Run the check and read the days left figure.
  4. Confirm the expiry timestamp and issuer details.
  5. Compare fingerprints to verify post‑renewal rotation.

For ongoing monitoring, run the same check periodically and log the days remaining.

FAQ

Is my data stored?

The page sends your inputs to a helper that performs the handshake and returns parsed fields. The page itself does not persist data beyond your session.

Clipboard and file downloads occur only when you choose to copy or save.

How accurate is “days left”?

It uses ceiling arithmetic on the difference between now and the Not After time. Near zero, small changes in time can move the count by a day.

What inputs are accepted?

Provide a URL or hostname. The helper accepts ASCII hostnames and IPv4; bracketed IPv6 and Unicode names are not supported by the helper filter.

Does this validate the trust chain?

No. It reads certificate metadata and expiry only. Use a separate audit if you need chain validation or revocation checks.

Why does it say expired but the site loads?

You may be checking a different host, port, or server name than the one your browser used, or an intermediary is presenting a different certificate.

Can I check a custom port?

Yes. Set the port within 1 to 65535. Use the server name field if the endpoint hosts multiple certificates.

How do I validate a CSR?

This page inspects live certificates from a handshake. It does not parse certificate signing requests.

Glossary

Not Before
Earliest time a certificate is valid.
Not After
Expiry time after which a certificate is invalid.
Common Name (CN)
Primary identity label in the subject field.
Subject Alternative Name (SAN)
List of additional DNS names or IPs covered.
Server Name Indication (SNI)
Name sent during handshake to select the right certificate.
Fingerprint
Hex digest that uniquely identifies the certificate bytes.