How to check and renew an SSL certificate

How to check an SSL certificate expiry and issuer, renew it before it lapses, and automate renewal so the padlock never breaks on a client site.

An expired SSL certificate is one of the most visible ways a website breaks. The padlock disappears, the browser throws a full-page warning and visitors leave. It is also completely avoidable. Here is how to check a certificate and renew it before it lapses.

What an SSL certificate does

An SSL, or more correctly TLS, certificate does two things: it encrypts traffic between the browser and the server, and it proves the site is who it claims to be. It is issued by a certificate authority, it covers one or more domains, and it has a fixed validity window. When that window ends, the certificate is no longer trusted and the browser warns the visitor.

How to check a certificate

There are a few ways to see a certificate’s details:

  • In the browser. Click the padlock in the address bar and view the certificate to see the issuer and the valid-from and valid-to dates.
  • With the free tool. The SSL certificate checker shows the issuer, the validity dates and how many days are left for any domain, without opening a terminal.
  • On the command line. openssl s_client -connect example.com:443 returns the live certificate and chain if you want the full detail.

The number to watch is days to expiry. Anything under 30 days needs action, and anything in the past means the site is already showing a warning.

How to renew it

How you renew depends on where the certificate comes from:

  • Automated (Let’s Encrypt and similar). Most modern hosts and CDNs issue and renew certificates automatically, often every 90 days. Renewal should be hands-off, but it can still fail silently, so confirm it actually happened.
  • Through your host or CDN. Many platforms manage certificates for you. Check the dashboard for the renewal status and that auto-renew is on.
  • Bought from a certificate authority. If you bought a multi-year certificate, you have to reissue and install it yourself before it expires.

After renewing, check the whole chain, not just the leaf certificate. A missing intermediate certificate can work in your browser but fail on other devices, which is a confusing problem to debug after the fact.

Automate it, then watch it

The goal is for renewal to be automatic and for you to be told if it ever fails. Automated issuance handles the first part. The second part, the watching, is where sites slip: auto-renew is on, everyone assumes it is fine, and then one renewal fails quietly and the certificate lapses.

A certificate is easy to renew and embarrassing to forget, especially on a client site you are paid to look after. Set a warning well before expiry rather than relying on the renewal just working.
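The watching step can be a small scheduled script. The one below is an added example, not code from this page or from Janitor: it applies the 30-day threshold described above and treats a failed chain validation as a failure in its own right. The names days_to_expiry, classify and check_host are assumptions made for the example, and hosts are passed on the command line.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # the article's threshold: under 30 days needs action


def days_to_expiry(not_after, now=None):
    """Whole days until a notAfter string such as 'Jun  1 12:00:00 2030 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days  # negative once the certificate has lapsed


def classify(days_left):
    if days_left < 0:
        return "EXPIRED"
    if days_left < WARN_DAYS:
        return "RENEW"
    return "OK"


def check_host(host, port=443, timeout=10):
    """Return (status, detail) for the certificate a live server presents."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Covers an expired certificate, a hostname mismatch and an incomplete
        # chain: unlike many browsers, this client does not fetch a missing
        # intermediate on its own, so the gap shows up here.
        return "INVALID", exc.verify_message
    except OSError as exc:
        return "UNREACHABLE", str(exc)
    days = days_to_expiry(cert["notAfter"])
    issuer = dict(rdn[0] for rdn in cert["issuer"]).get("organizationName", "?")
    return classify(days), f"{days} days left, issuer: {issuer}"


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(name, *check_host(name))
```

Run it from a scheduler and alert on any status other than OK, so a quiet renewal failure is reported while there is still time to act.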

Janitor checks SSL validity and expiry on every site you manage and warns you up to 30 days out, alongside domain expiry and the rest of the TLS and domain category, in a branded report. So a failed renewal reaches you, not your client.
