When a TLS certificate expires, browsers show a full-page security error and block access to your site. Prevent it with automatic renewal and expiry monitoring that alerts you days in advance.
Every certificate has an expiry date. Once passed, browsers refuse to load the site. Because certificates now renew as often as every 90 days, automation and monitoring are the only reliable defence.
Check your website
See how your site handles certificate expiry: why it breaks sites and how to prevent it — free, no account needed.
For business owners
An expired certificate takes your entire site offline for every visitor at once, usually without warning, and often at the worst possible moment. It looks alarming to customers ("attackers may be trying to steal your information") and can halt sales instantly. It is also completely preventable — which makes it an especially damaging mistake to make.
How it works (technical)
Certificates carry notBefore and notAfter validity timestamps. After notAfter, TLS clients reject the certificate as expired. Automated issuance clients (ACME, e.g. Certbot) renew well before expiry — typically at one-third of the lifetime remaining — and reload the server automatically.
Monitoring adds a safety net: an independent check connects to your site, reads the certificate's expiry, and alerts if it falls below a threshold, catching cases where automated renewal silently failed.
Real-world example
A membership site used automated renewal but a server permission change stopped the renewal cron from restarting the web server. The certificate renewed on disk but the old one stayed loaded — then expired. External expiry monitoring caught the loaded certificate's date and alerted the team days before customers saw an error.
Why it matters
Certificate expiry is the number-one cause of avoidable HTTPS outages. Monitoring it is a core part of website trust and uptime, and it is exactly the kind of regression continuous monitoring is designed to catch.
How to fix it
Use automated (ACME) renewal so certificates renew without human action.
Ensure the renewal process also reloads/restarts the web server or load balancer.
Add independent certificate-expiry monitoring that alerts 14–30 days before expiry.
Verify the served certificate's date after each renewal, not just the file on disk.
Best practices
Alert on the certificate actually being served, not just the one stored on disk.
Monitor every hostname, including subdomains and APIs.
Keep a documented manual-renewal fallback in case automation fails.
Common mistakes
Relying on a calendar reminder instead of automation.
Renewing the file but forgetting to reload the server.
Monitoring only the main domain and missing an expired subdomain certificate.
Frequently asked questions
How early should expiry alerts fire?
At least 14 days before expiry, ideally 30, so you have time to fix a failed renewal before customers are affected.
Why are certificates getting shorter?
Shorter lifetimes limit the damage of a compromised key and push everyone toward automation, which is more reliable than manual renewal.
Put this into practice
See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.
Scan your website free