Certificate Expiry Calculator
TLS certificate expiry is a leading cause of preventable website outages and security incidents. This calculator takes a certificate's not-after date and computes the number of days remaining until expiry, the renewal urgency status, and the expiry date in a human-readable format. Best practice is to renew TLS certificates at least 30 days before expiry; automated tools like Let's Encrypt renew at 30 days by default. Certificates issued under the CA/Browser Forum Baseline Requirements (enforced by major browser root programs) cannot exceed 398 days of validity.
Certificate expiry formula
Days remaining = expiry date - today
Total validity = expiry date - issue date
Percent used = (today - issue date) / total validity × 100
CA/Browser Forum Baseline Requirements cap maximum TLS certificate validity at 398 days. Certificates from Let's Encrypt expire in 90 days. Renewal is typically automated via ACME protocol clients (certbot, acme.sh) to avoid human error.
Certificate renewal urgency thresholds
- More than 90 days remaining: valid, no action needed.
- 30 to 90 days remaining: renewal window open, schedule renewal soon.
- Less than 30 days remaining: urgent, renew immediately to avoid outage.
- Less than 7 days remaining: critical, risk of service disruption imminent.
- Expired: certificate is invalid; all TLS connections will fail with a certificate error.
Certificate expiry calculator: frequently asked questions
How long are TLS certificates valid?
As of 2020, the maximum certificate validity period is 398 days (about 13 months), as enforced by Apple, Google, and Mozilla in their root certificate programs. The CA/Browser Forum baseline requirements mandate this limit. Certificates issued before 2020 could be valid for up to 825 days.
When should I renew my TLS certificate?
Best practice is to renew when at least 30 days of validity remain. Many organizations renew at 60 to 90 days out to allow time for validation, deployment, and unexpected issues. Automated tools like Let's Encrypt's certbot renew at 30 days by default.
What happens if a TLS certificate expires?
Browsers show a security warning and block access to the site unless users click through the warning. Search engines may demote the site. APIs and services that connect to an endpoint presenting the expired certificate will fail with SSL errors. Certificate expiry is one of the most common causes of preventable outages.
What is the CA/Browser Forum maximum certificate validity?
The CA/Browser Forum Baseline Requirements cap DV, OV, and EV certificate validity at 398 days. Some Certificate Authorities issue shorter-lived certificates by default. Let's Encrypt issues certificates valid for 90 days, encouraging frequent automated renewal.
How do I find my certificate's expiry date?
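In a browser, click the padlock icon and view the certificate details. On Linux, run: openssl s_client -connect example.com:443 -servername example.com </dev/null | openssl x509 -noout -dates (redirecting stdin from /dev/null makes s_client exit once the handshake completes, and -servername sends SNI so a multi-site host returns the right certificate). On Windows, use the MMC certificate snap-in or PowerShell: (Get-ChildItem Cert:\LocalMachine\My).NotAfter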
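The formulas and urgency thresholds above, applied to the notBefore=/notAfter= lines that openssl x509 -noout -dates prints. This is an added example, not the calculator's own code; the function names and the sample dates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_VALIDITY_DAYS = 398  # CA/Browser Forum cap cited on this page

# Constructed sample of `openssl x509 -noout -dates` output (not a real certificate).
SAMPLE = "notBefore=Mar  1 00:00:00 2026 GMT\nnotAfter=May 30 00:00:00 2026 GMT\n"

def parse_openssl_dates(text):
    """Return (not_before, not_after) as UTC datetimes from openssl's -dates output."""
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # OpenSSL pads single-digit days ("Mar  1"); collapse the whitespace first.
            parsed = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y GMT")
            dates[key] = parsed.replace(tzinfo=timezone.utc)
    if len(dates) != 2:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return dates["notBefore"], dates["notAfter"]

def urgency(days_remaining):
    """Map whole days remaining to the page's thresholds, most severe first."""
    if days_remaining < 0:
        return "expired"
    if days_remaining < 7:
        return "critical"
    if days_remaining < 30:
        return "urgent"
    if days_remaining <= 90:
        return "renewal window open"
    return "valid"

def assess(openssl_output, now):
    """Compute days remaining, total validity, percent used and urgency status."""
    not_before, not_after = parse_openssl_dates(openssl_output)
    one_day = timedelta(days=1)
    total_days = (not_after - not_before) / one_day
    days_remaining = (not_after - now).days  # floors, so any time past expiry is negative
    return {
        "days_remaining": days_remaining,
        "total_validity_days": total_days,
        "percent_used": round((now - not_before) / one_day / total_days * 100, 1),
        "status": urgency(days_remaining),
        "exceeds_398_day_cap": total_days > MAX_VALIDITY_DAYS,
    }

if __name__ == "__main__":
    print(assess(SAMPLE, datetime.now(timezone.utc)))
```

Checking the most severe threshold first matters because the "less than 30 days" and "less than 7 days" bands overlap; a 90-day certificate never reports "valid" under these thresholds, since it is issued already inside the 30 to 90 day window.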
Official sources
- CA/Browser Forum Baseline Requirements for TLS Server Certificates: cabforum.org.
- NIST SP 800-52 Rev 2 Guidelines for TLS Implementations: csrc.nist.gov.
Reviewed by the CalculatorHub team, edited by James Graham, 15 June 2026. See our methodology.