SSL Certificate Expiry Calculator

Enter a certificate issue date and validity period to get the exact expiry date and days remaining, with a renewal-status warning. Runs in your browser.

Expires on
2027-06-25

Valid — 398 day(s) remaining

Public TLS certificates are capped at 398 days validity by the CA/Browser Forum. Set up renewal alerts well before expiry — an expired cert breaks HTTPS for every visitor.

About this tool

An expired TLS/SSL certificate breaks HTTPS for everyone — browsers show a full-page security warning and many APIs simply refuse to connect — so knowing exactly when a certificate lapses, and getting ahead of it, matters. This calculator takes the issue (or 'not before') date and the validity period in days and computes the precise expiry date and the number of days remaining from today, with a color-coded status that flags certificates already expired, expiring within two weeks, or due for renewal within a month. The default validity of 398 days reflects the current maximum lifetime the CA/Browser Forum allows for publicly trusted certificates; common alternatives like 90 days (Let's Encrypt) and one or two years are one tap away. The date math is exact and runs entirely in your browser — paste in the dates from your certificate to plan renewals without any lookup.

How to use it

  • Enter the certificate's issue ('not before') date.
  • Enter or pick the validity period — 90 days for Let's Encrypt, 398 for a typical commercial cert.
  • Read the exact expiry date and days remaining.
  • Schedule renewal well before the date the status turns amber or red.

Frequently asked questions

How is the expiry date calculated?
Expiry = issue date + validity period in days. Days remaining = expiry date minus today, rounded up. So a certificate issued today with a 90-day validity expires in 90 days.
Why is 398 days the maximum?
Since September 2020, the CA/Browser Forum limits publicly trusted TLS certificates to 398 days (about 13 months). Longer-lived public certs are no longer issued, which is why automated renewal has become standard practice.
How early should I renew?
Aim to renew with comfortable margin — at least 30 days before expiry for manual processes, and configure automated renewal (e.g. ACME/Let's Encrypt) to renew at roughly two-thirds of the lifetime. The status here turns amber at 30 days and red at 14.
What actually happens when a certificate expires?
Browsers display a "your connection is not private" interstitial and block the page by default; API clients and apps usually reject the connection outright. The site is effectively down for secure traffic until a valid certificate is installed.
Does this check a live certificate?
No — it calculates from the dates you enter, so it works offline and for planning. To read the real dates from a live site, inspect the certificate in your browser or with a command-line tool, then enter them here.
Is anything uploaded?
No. The calculation is done entirely in your browser from the dates you type, with no network request.

Related tools