Skip to content Skip to site navigation Skip to service navigation

How Do I Know When the Certificate Will Expire?

Most monitoring systems (ex: Nagios, GCP, AWS, etc.) are able to monitor when certificates are expiring. Additionally, the UIT SSL team will attempt to notify the registered owner (through the email address provided when submitting the CSR) 60, 30, and seven days before it expires.

This is intended as a courtesy reminder. Users should not manage their certificates solely based on these reminder emails. In some cases, users have more than one certificate and UIT can not tell which certificate is in use, typos occurred in the contact email, or the email could not be delivered for other reasons.

UIT highly recommends monitoring client-facing endpoint. It is the responsibility of each owner to monitor the SSL expiration via their public endpoints.

The following is a quick example via the OpenSSL command:

openssl s_client -connect $ | openssl x509 -noout -dates

ex: openssl s_client -connect 2>/dev/null | openssl x509 -noout -dates

notBefore=Sep  4 00:00:00 2020 GMT

notAfter=Mar 13 23:59:59 2021 GMT

The above example is to check the dates of the certificate for "".  You can replace "www" with your own hostname.

Last modified February 16, 2021