What Happens When an SSL Certificate Expires (and How to Check)
When an SSL/TLS certificate expires, browsers stop trusting it and show a full-page "Your connection is not private" warning (NET::ERR_CERT_DATE_INVALID), blocking visitors before the site loads. The server still runs, but traffic, conversions, and API calls collapse until the certificate is renewed.
Certificate expiry is one of the most common — and most preventable — causes of website outages. Here's exactly what breaks, why, and how to stay ahead of it.
Why Certificates Expire at All
Every certificate has a validity window ("Not Before" and "Not After" dates). Expiry is a security feature: it limits how long a compromised key or outdated certificate can be abused, and forces periodic re-validation of domain ownership. Modern public certificates max out at 398 days, and automated issuers like Let's Encrypt use just 90 days.
What Actually Breaks When It Expires
The moment the "Not After" date passes:
- Browsers show a hard interstitial warning. Most users will not click through NET::ERR_CERT_DATE_INVALID — they leave.
- APIs and integrations fail. Any client that validates certificates (mobile apps, webhooks, server-to-server calls) throws TLS errors and stops working. Unlike browsers, they usually can't be "clicked through."
- SEO and ad traffic drop. Search crawlers and ad platforms may flag or stop sending traffic to an insecure site.
- Email/SMTP over TLS can fail if the mail server's certificate expired.
Crucially, the website itself isn't "down" — the server responds fine. The failure is purely the broken trust check, which makes expiry sneaky: monitoring that only pings for an HTTP 200 won't catch it.
How to Check When an SSL Certificate Expires
Check before it bites you. From the command line:
# Show the validity dates of a live site
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
| openssl x509 -noout -dates
# Check a local certificate file
openssl x509 -in certificate.pem -noout -enddate
For a one-click check, paste a domain into our SSL Checker — it reports the expiration date, days remaining, the full chain, and whether the certificate matches the hostname. To inspect a certificate file's validity window directly, use the SSL Certificate Decoder.
How Long Does a New Certificate Take to Work?
Once you install a renewed certificate and reload the web server, it's live immediately — there's no DNS-style propagation delay. The common gotchas are:
- Forgetting to reload/restart the web server (Nginx, Apache) after installing.
- Installing the cert on only one server behind a load balancer.
- A broken intermediate chain — the new cert is valid but the chain is incomplete. Verify with the SSL Checker.
- A mismatched private key. Confirm the cert and key pair with the Certificate Key Matcher.
How to Prevent Expiry Downtime
- Automate renewal. Use certbot (Let's Encrypt), ACME clients, or your cloud provider's managed certificates so renewal happens without humans.
- Monitor expiry, not just uptime. Alert at 30, 14, and 7 days remaining.
- Track every certificate, including internal services, load balancers, and APIs — not just the main domain.
- Renew early, well before the expiry date, so a failed auto-renew still leaves days to fix it manually.
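A small expiry monitor for the 30/14/7-day alert tiers above, as an added example (not code from the original article). It parses the notAfter line printed by the openssl commands shown earlier; the function names, the sample dates and the status labels are assumptions made for illustration.

```python
import socket
import ssl
import time

THRESHOLDS = (7, 14, 30)  # alert tiers from the article, tightest first

# Constructed sample of `openssl x509 -noout -dates` output (not a real certificate).
SAMPLE = "notBefore=Mar  1 00:00:00 2025 GMT\nnotAfter=May 30 00:00:00 2025 GMT\n"

def parse_enddate(openssl_output):
    """Pull the notAfter timestamp out of openssl's -dates / -enddate output."""
    for line in openssl_output.splitlines():
        if line.startswith("notAfter="):
            return line.split("=", 1)[1].strip()
    raise ValueError("no notAfter= line in input")

def days_remaining(not_after, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def classify(days):
    """Map days remaining onto EXPIRED, the tightest matching alert tier, or OK."""
    if days < 0:
        return "EXPIRED"
    for limit in THRESHOLDS:
        if days <= limit:
            return f"ALERT-{limit}d"
    return "OK"

def check_host(host, port=443, now=None, timeout=5):
    """Check a live endpoint's certificate over a validating TLS handshake."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # Already-expired or broken-chain certs fail here, as for any validating client.
        return host, "UNTRUSTED", exc.verify_message
    except OSError as exc:
        return host, "UNREACHABLE", str(exc)
    days = days_remaining(not_after, now)
    return host, classify(days), f"{days} days left"

if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("May 20 00:00:00 2025 GMT")  # constructed "today"
    days = days_remaining(parse_enddate(SAMPLE), now)
    print(days, classify(days))
```

Run check_host over every tracked endpoint (load balancers, internal services, APIs) on a schedule and page on anything other than OK.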
Frequently Asked Questions
What happens when an SSL certificate expires? Browsers show a security warning and block the page, and any client that validates TLS (apps, APIs) fails to connect until you renew the certificate.
Will my website go down if the SSL expires? The server keeps running, but visitors are blocked by browser warnings and integrations break — so functionally, yes, the site becomes unusable.
How do I check when my SSL certificate expires? Use openssl x509 -noout -enddate, your browser's certificate viewer, or an online SSL checker that reports the days remaining.
How long does a new SSL certificate take to work? It works immediately after you install it and reload the web server — there's no propagation delay like DNS.
Can I reuse an expired certificate? No. You must obtain a newly issued certificate; an expired one will always fail validation.
Certificate expiry is 100% predictable — the date is printed right in the certificate. Automate renewal, monitor the "Not After" date, and you'll never explain an expiry outage again.