SSL Certificate Validity Calculator
An SSL/TLS certificate validity calculator helps you track when your certificate expires, how many days remain, and when you should begin the renewal process. Since September 2020, publicly trusted certificates are capped at 398 days by major browser vendors. Expired certificates cause browser warnings that drive away visitors and can break API connections and automated services. Enter your certificate issue date and expiry date to see the total validity period, elapsed days, remaining days, percentage used, and a renewal urgency assessment. This is an essential daily-operations tool for web administrators, DevOps engineers, and site reliability teams managing multiple domains.
Validity calculation formula
Total days = expiry_date - issue_date (in days)
Elapsed = today - issue_date (in days)
Remaining = expiry_date - today (in days)
Percent used = (Elapsed / Total) * 100
Renewal is recommended when remaining days fall below 30. Many automated systems renew at 60 days remaining.
Renewal urgency thresholds
- More than 60 days remaining: No action needed - monitor regularly.
- 30 to 60 days remaining: Plan renewal soon - schedule now to avoid rushed action.
- 7 to 30 days remaining: Urgent - begin renewal process immediately.
- Fewer than 7 days remaining: Critical - outage risk if not renewed today.
- Expired: Certificate is no longer valid - browsers will block all visitors.
Frequently asked questions
How long can an SSL/TLS certificate be valid?
As of September 2020, publicly trusted SSL/TLS certificates issued by Certificate Authorities may not exceed 398 days in validity. Apple, Google, and Mozilla enforce this limit in their root stores. Shorter validity periods are a security measure to limit the window of exposure if a certificate is compromised.
When should I renew my SSL certificate?
Best practice is to renew at least 30 days before expiry. Many automated certificate management systems (like Let's Encrypt via Certbot) renew at 60 days before expiry to ensure a buffer in case of renewal failures. Waiting until the last week risks service outages if renewal encounters problems.
What happens when an SSL certificate expires?
Browsers will display a certificate error warning, blocking visitors from accessing your site unless they manually override it. Search engines may de-index expired-certificate pages, and many APIs and services will refuse to connect to endpoints with expired certificates.
Does the 398-day limit apply to all certificates?
The 398-day limit applies to publicly trusted certificates used for websites and public-facing services. Internal or private PKI certificates used within an organization are not subject to this limit, though keeping validity periods short remains best practice.
What is the difference between SSL and TLS?
SSL (Secure Sockets Layer) is the predecessor to TLS (Transport Layer Security). SSL 2.0 and 3.0 are deprecated and insecure. Modern certificates use TLS 1.2 or TLS 1.3. The term 'SSL certificate' persists as industry shorthand for what is technically a TLS certificate.
Official sources
- CA/Browser Forum: Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates.
- NIST: SP 800-52 Rev 2 - Guidelines for TLS Implementations.
Reviewed by the CalculatorHub team, edited by James Graham, 14 June 2026. See our methodology.