There are three ways to check an SSL certificate's expiry date, and they don't all show you the same thing. The distinction matters: a certificate can exist on disk with months left while the server serves a different one that's about to expire.
Here's each method, what it actually checks, and when to use it.
Method 1: Browser (Fastest for a Quick Check)
Click the padlock icon in your browser's address bar. In Chrome and Edge, choose "Connection is secure" then "Certificate is valid." In Firefox, choose "Connection secure" then "More information" then "View Certificate."
The certificate panel shows the issuer, subject domains, and validity period. The "Not valid after" or "Expires" field is the expiry date.
What this checks: the certificate your browser session received from the server. For a single domain you can visit, this is a fast sanity check.
Limitations: it only works for domains you can open in a browser, and it shows what that one browser received — not necessarily what other clients, regions, or Cloudflare see. Also, different browsers cache differently, so a recently renewed certificate may not show in all sessions immediately.
Method 2: openssl Command Line (Most Accurate)
The openssl command performs a live TLS handshake and returns the certificate the server is actively serving:
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com < /dev/null 2>/dev/null \
| openssl x509 -noout -datesOutput looks like this:
notBefore=Jan 1 00:00:00 2026 GMT
notAfter=Oct 1 00:00:00 2026 GMTThe notAfter line is the expiry. The -servername flag is required — without it, a server hosting multiple certificates (SNI) may return the wrong one for your domain.
For a one-liner that returns just the expiry date:
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com < /dev/null 2>/dev/null \
| openssl x509 -noout -enddateWhy this matters more than checking files on disk: if a certificate renewed but the server was never reloaded, the cert file on disk shows a future expiry date — everything looks fine. The openssl command shows what's actually being served over the wire. So does Cloudflare. So does every visitor's browser. A mismatch between the two is exactly the condition that produces a Cloudflare 526 error.
Method 3: Online Tool (No Terminal Required)
If you don't have terminal access, or you're checking a domain on infrastructure you don't own, an online SSL checker runs the same TLS handshake from an external network and returns the expiry date.
The ExpiryPing SSL checker checks the live certificate on any public hostname — enter the domain, get the expiry date and days remaining. No account required.
The external check is also worth running even when you do have terminal access. It confirms what visitors and Cloudflare see from outside your network — catching the renewed-but-not-reloaded case that an on-server openssl check would miss.
What "Days Remaining" Actually Means
Most tools show days remaining alongside the raw expiry date. The calculation uses UTC, not local time. A certificate that expires at midnight UTC on July 1st is already expired in UTC at 11:59 PM local time on June 30th in any timezone west of UTC.
This matters when a countdown shows "1 day remaining" and you're cutting it close.
Checking Multiple Domains
The methods above work for spot checks. For ongoing visibility across more than a handful of domains, manual checks don't hold up — you'd need to remember to run them regularly, and you need lead time, not just a current reading.
ExpiryPing runs the same external TLS check daily for every domain you add and sends alerts at 30, 14, 7, and 1 day before expiry. Email and Slack. No credentials, no server access, no agent to install — it only needs the hostname, same as the openssl command.
Free for up to 3 domains. Paid plans from $19/month for up to 10.
A one-time check tells you where things stand today. Monitoring tells you before the next expiry becomes a problem.