TLS certificate expiry calculator
Enter your certificate's issue and expiry dates to see days remaining, renewal deadline, and health status at a glance.
TLS certificate expiry calculator
Days remaining
Certificate lifetime
Today Renewal date
How this tool works
Days remaining = expiry date − today. Renewal date = expiry − your chosen buffer. The bar shows the full validity period: green is the safe window before the renewal zone, amber is the renewal buffer window, and red indicates the certificate has expired. The dot marks today; the vertical line marks where the renewal window starts.
About this tool
Enter your TLS certificate's issue and expiry dates to see days remaining, when to renew, and overall health. Configure your renewal buffer to match your deployment cadence. Colour-coded status flags expired, renewal-due, and healthy certificates. No certificate data leaves your browser.
Frequently asked questions
What renewal buffer should I use?
30 days is the standard for Let's Encrypt auto-renewal — Certbot, Caddy, and acme.sh all default to renewing when 30 days remain. For manually managed certificates, 45–60 days gives comfortable lead time to generate, validate, and deploy without a late-night scramble. Enterprise pipelines with change-control processes often use 60–90 days.
What is the maximum TLS certificate validity period?
Since September 2020, browser-trusted TLS certificates are capped at 398 days (~13 months). Let's Encrypt issues 90-day certificates by design — short lifetimes force automation and reduce the exposure window of a compromised key. Commercial CAs issue certificates up to 1 year for the maximum browser-accepted validity.
My site still works but this shows Expired — why?
CDNs and reverse proxies (Cloudflare, Fastly, AWS CloudFront) terminate TLS at the edge with their own certificates, independent of your origin. Your origin cert may be expired while the CDN edge cert is still valid. Check the certificate presented directly by the origin server, bypassing any proxy, to verify.
What should I do when a certificate expires?
Issue a new certificate (or let your ACME client do it automatically), install it on all servers in the pool, and reload any web servers or proxies that cache the cert. For Let's Encrypt with a properly configured renewal daemon, expiry should never happen — if it does, check that the renewal cron job or systemd timer is running.