SSL Certificate Expiration and SSL Certificate Renewal

October 4, 2021 by Mister PKI

SSL Certificate expiration occurs once the not_after date on the certificate has passed. Now that most of the web is encrypted and depends on SSL certificates, a single expired SSL certificate can cause outages that affect millions of people at once. Or it may affect only a few people, but the service behind the certificate may be a critical one that you or your business cannot afford to lose to an expired certificate.

Why do SSL certificates expire? At best, they expire to enforce the best practice of key rotation; at worst, they force system administrators to pay attention to the security of the system. Keys can be compromised, or over time become weak in comparison to advances in computing power, and should be renewed or replaced when necessary. An expiration date on a certificate ensures that the security of the system will at least be on someone’s radar.

SSL Certificate Renew

How to Renew an SSL Certificate

How do you renew an SSL Certificate? SSL Certificate renewal can be either a simple, straightforward, routine practice or a cumbersome one, depending on your experience with SSL certificates and with the servers the certificates are installed on. To renew an SSL Certificate without downtime, make sure to monitor your certificate expiration dates or set up automated renewal.

If your SSL Certificate has expired, you may find yourself asking how to renew. That is probably why you are here in the first place. You will first need to buy a new certificate and then install it on your server.

SSL Certificate Expiration Monitoring

To monitor SSL certificate expiration, many systems administrators will simply set a calendar reminder. While this is old school, it is an effective measure. Additionally, you can routinely use our SSL Certificate Decoder tools to check the certificate validity dates or use the openssl and keytool commands described below.

Automated certificate renewal with ACME is becoming an industry standard, so if you are able to use a Certificate Authority (CA) that supports the ACME protocol, like Sectigo, that is also a good route to replace monitoring with automated renewal.

Certificate Transparency tools are another option for monitoring the expiration of SSL Certificates. More information can be obtained through our article on Certificate Transparency monitoring. SSL Certificate Expiration monitoring is a critical operation in today’s infrastructure and should be prioritized near the top with other critical services. To be safe, action should be taken at least 30 days in advance of the SSL certificate expiration date.

Read our article on listing the certificate expiration date with keytool to monitor SSL certificate expiration manually.

SSL Certificate Expiration Check

How to Check SSL Certificate Expiration Date

The certificate expiration date of an SSL Certificate can be checked with openssl, keytool, or even in your browser’s certificate viewer. You can upload the certificate in question to our Certificate Decoder tool and view the parsed certificate data to see when the certificate will expire and other information about the certificate.

An alternate and more hands-on approach is to monitor SSL Certificate expiration by showing the certificate data with either keytool or openssl in a script that sends alerts when a certificate is about to expire.

If the certificate is installed in a keystore, you can display the expiration date by listing the keystore contents.

With keytool:

keytool -list -v -keystore example.p12 

will display the expiration date in the Valid from: field, as the date that follows until:. For more information on the keytool list command, visit our keytool list certificate article.

To view the certificate expiration date with openssl, run:

openssl x509 -in example.com.crt -text -noout

For a full description of how to view a certificate with openssl, visit our openssl view certificate article.
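The scripted check described above can be built on `openssl x509 -checkend`, which tests the notAfter date against a window in seconds. The following is an added example, not code from the original article; the function names, the `WARN_DAYS` variable and the `demo.invalid` test certificate are this example's own, and the 30-day default follows the article's advice to act at least 30 days in advance.

```shell
#!/bin/sh
# Added example (not from the original article): flag certificates that are
# expired or inside the 30-day action window the article recommends.
WARN_DAYS=${WARN_DAYS:-30}

# cert_status FILE [DAYS] prints: ok | expiring | expired | unreadable
cert_status() {
    cert=$1
    days=${2:-$WARN_DAYS}
    # Anything openssl cannot parse as X.509 is reported, not silently passed.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo unreadable; return 0; }
    # -checkend N exits non-zero when notAfter falls within the next N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# check_certs FILE... prints "status<TAB>notAfter<TAB>file" per certificate and
# returns 1 if any file is not "ok", so cron or CI can alert on the exit code.
check_certs() {
    rc=0
    for f in "$@"; do
        status=$(cert_status "$f")
        end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null | cut -d= -f2)
        printf '%s\t%s\t%s\n' "$status" "${end:-n/a}" "$f"
        [ "$status" = ok ] || rc=1
    done
    return "$rc"
}

# make_demo_cert OUT DAYS writes a constructed, throwaway self-signed
# certificate (CN=demo.invalid) valid for DAYS days; the key is deleted.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1" -days "$2" -subj "/CN=demo.invalid" >/dev/null 2>&1 &&
        rm -f "$1.key"
}

# Stand-alone use: ./check-certs.sh example.com.crt other.crt
if [ "$#" -gt 0 ]; then
    check_certs "$@"
fi
```

Treating an unreadable or missing file as a failure keeps a renamed or truncated certificate from dropping out of monitoring unnoticed.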

SSL Certificate Expired Fix

In order to fix an expired SSL certificate, it must first be renewed. If it is renewed with the same Certification Authority (CA) and has the same chain, the end entity server certificate can simply be replaced with the new certificate. How this is done depends on your server software and configuration. If you would like to see examples of how to install certificates in a specific server (Apache, nginx, etc.) let us know in the comments. Some configurations also allow you to simply install the certificate and private key in a PKCS12 keystore. As always, follow the instructions given with your server type and configuration.

How long do SSL Certificates last?

Do SSL Certificates expire? SSL certificates most certainly expire, and the expiration date is defined in the not_after attribute of the certificate.

Technically there is no limit on the validity period of a certificate.

Root CA Certificate: Common to see 10-20 year validity periods.

Intermediate CA Certificate: Common to see 5-10 year validity periods.

End Entity Server Certificate: Publicly trusted certificates have a max validity period of 398 days set by the CA/Browser Forum. Server certificates issued by a private Certificate Authority (CA) may be longer.

Client Certificates: Common to see anywhere from 1 minute to 2 years.

Conclusion

Thank you for reading our post on SSL Certificate Expiration and how to renew an SSL Certificate. Please leave a comment with any questions or comments.
