SSL Certificates: What They Are, When They Expire, and What Happens If You Miss It

What is an SSL certificate?

An SSL certificate (technically TLS in modern usage, but SSL is the term that stuck) is a small digital file installed on your web server that does two things: it encrypts the connection between your server and your visitors' browsers, and it verifies that your website is genuinely operated by who it claims to be.

When visitors see the padlock icon in their browser address bar, that padlock is their confirmation that the connection is encrypted and the certificate is valid. The https:// in your URL depends on it.

SSL certificates are not permanent. They are issued for a fixed period — typically 90 days for free Let's Encrypt certificates, or up to 398 days for paid certificates — and must be renewed before they expire.

What happens when an SSL certificate expires

When your certificate expires, your website does not go down — but it becomes effectively inaccessible for most visitors.

Browser warnings. Chrome, Firefox, Safari, and Edge all display full-page warning screens when a visitor tries to access a site with an expired certificate. The warning is alarming — "Your connection is not private", "Attackers might be trying to steal your information" — and requires the visitor to click through multiple screens to proceed. Most people do not. They leave.

Search engine impact. Google has used HTTPS as a ranking signal since 2014. An expired certificate that breaks HTTPS will affect your search rankings. Sites that fall back to HTTP are penalised; sites that become inaccessible lose their position entirely.

Email deliverability. If your mail server uses a certificate for SMTP, an expired certificate can cause email delivery failures.

Broken integrations. Any API, webhook, or third-party service that connects to your site over HTTPS may start failing — payment processors, analytics, CRM integrations.

Customer trust. Even if a visitor does click through the warning, the experience is damaging. A business whose website shows a security warning is not a business most people want to hand their payment details to.

How to check your SSL certificate expiry date

In your browser

Click the padlock icon in the address bar when viewing your website. In Chrome, click "Connection is secure" → "Certificate is valid". The validity period and expiry date are shown.

In your terminal

echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates

This returns the notBefore and notAfter dates for your certificate.

With Olimpio

An Olimpio scan checks your SSL certificate as part of the standard scan — flagging certificates that have expired or are expiring within 30 days as Medium or High severity findings, so you have time to act.

Why certificates expire in the first place

Certificate expiry exists for security reasons. Shorter lifetimes limit the damage from a compromised certificate — if a certificate is stolen or the associated private key is leaked, it is only valid for a limited period. The 90-day limit pushed by Let's Encrypt also encourages automation, which reduces human error.

The practical implication is that renewal needs to be either automated or carefully tracked. Manual renewal is fine for one certificate but breaks down when you have multiple domains or subdomains, or when the person who set it up leaves.

Free vs paid certificates

Let's Encrypt certificates are free, widely supported, and issued for 90 days with automated renewal available through most hosting platforms and tools like Certbot. For the vast majority of small businesses, Let's Encrypt is entirely appropriate.

Paid certificates (from providers like DigiCert, Sectigo, or GlobalSign) offer longer validity periods, different validation levels, and commercial support. They are worth considering if:

• You need an Extended Validation (EV) certificate — which shows your company name in the browser bar — for additional trust signals
• You need a wildcard certificate to cover unlimited subdomains under a single certificate
• Your hosting environment does not support Let's Encrypt automation

For most UK small businesses, a free Let's Encrypt certificate with automated renewal handles the requirement completely.

How to automate SSL renewal

Automated renewal is the right answer for most setups. A certificate that renews itself cannot expire unexpectedly.

Most managed hosting handles this automatically. Platforms like Netlify, Vercel, Cloudflare, and most cPanel-based hosts renew Let's Encrypt certificates automatically. Check your hosting provider's documentation to confirm it is enabled.

For self-managed servers, Certbot is the standard tool. Once installed and configured, it runs as a scheduled job and renews certificates before they expire:

certbot renew --quiet

Run this via cron twice a day — Let's Encrypt recommends this frequency so that if a renewal attempt fails, there is time to retry before expiry.

Setting up expiry monitoring

Even with automation in place, it is worth monitoring expiry dates. Automation can fail silently — a server restart that breaks the renewal cron job, a DNS change that causes domain validation to fail, a misconfigured redirect that prevents the ACME challenge from completing.

Set up a monitoring alert so you receive an email or notification when any certificate is within 30 days of expiry. Services like UptimeRobot offer this free. Olimpio's continuous scanning catches expiring certificates as part of regular security monitoring.

SSL and Cyber Essentials

An expired or expiring SSL certificate is flagged under Cyber Essentials Control 2 (Secure Configuration). Assessors check certificate validity as part of the evaluation. It is one of the easiest issues to find and one of the most avoidable — make sure your certificates are current before going through any formal assessment.

Scan your domain with Olimpio to check your SSL status, expiry date, and TLS configuration as part of a full external security review.