How to check SSL certificate expiry on AWS

AWS Certificate Manager (ACM) auto-renews certificates that it issued and that are in use, but imported certificates do NOT auto-renew, and a renewal can silently fail if the DNS validation records were removed.

List ACM certificates and their expiry

Use the AWS CLI to list certificates and inspect a specific one’s NotAfter.

aws acm list-certificates --query 'CertificateSummaryList[].CertificateArn'
aws acm describe-certificate --certificate-arn <ARN> \
  --query 'Certificate.{Domain:DomainName,NotAfter:NotAfter,Status:Status,RenewalEligibility:RenewalEligibility}'
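To apply the cases from the introduction (imported, not in use, renewal stuck on validation) across many certificates, here is an added example, not part of the original page, that triages the `Certificate` objects returned by `aws acm describe-certificate --output json`. The sample records, domains and ARNs are constructed, and the function names are this example's own.

```python
from datetime import datetime, timezone

# Constructed sample data shaped like the "Certificate" object returned by
# `aws acm describe-certificate --output json`; domains and ARNs are made up.
SAMPLE_CERTS = [
    {"DomainName": "www.example.com", "Type": "AMAZON_ISSUED",
     "NotAfter": "2025-09-01T00:00:00+00:00",
     "InUseBy": ["arn:aws:elasticloadbalancing:EXAMPLE"],
     "RenewalSummary": {"RenewalStatus": "SUCCESS"}},
    {"DomainName": "legacy.example.com", "Type": "IMPORTED",
     "NotAfter": 1741996800.0,  # epoch seconds, which some CLI configurations print
     "InUseBy": ["arn:aws:cloudfront:EXAMPLE"]},
    {"DomainName": "api.example.com", "Type": "AMAZON_ISSUED",
     "NotAfter": "2025-03-21T00:00:00+00:00",
     "InUseBy": ["arn:aws:elasticloadbalancing:EXAMPLE"],
     "RenewalSummary": {"RenewalStatus": "PENDING_VALIDATION"}},
]

def parse_not_after(value):
    """Accept ISO 8601 strings or epoch numbers; return an aware UTC datetime."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def assess(cert, now, warn_days=30):
    """Return (days_left, findings) for one certificate."""
    days_left = (parse_not_after(cert["NotAfter"]) - now).days
    findings = []
    if days_left < 0:
        findings.append("expired")
    elif days_left <= warn_days:
        findings.append(f"expires in {days_left} days")
    if cert.get("Type") == "IMPORTED":
        findings.append("imported: will not auto-renew")
    elif not cert.get("InUseBy"):
        findings.append("not in use: will not auto-renew")
    status = cert.get("RenewalSummary", {}).get("RenewalStatus")
    if status in ("PENDING_VALIDATION", "FAILED"):
        findings.append(f"renewal {status}: check DNS validation records")
    return days_left, findings

def report(certs, now, warn_days=30):
    return {c["DomainName"]: assess(c, now, warn_days) for c in certs}

if __name__ == "__main__":
    fixed_now = datetime(2025, 3, 1, tzinfo=timezone.utc)  # fixed so the sample is reproducible
    for domain, (days, findings) in report(SAMPLE_CERTS, fixed_now).items():
        print(f"{domain}: {days} days left; {', '.join(findings) or 'ok'}")
```

For real use, pass `datetime.now(timezone.utc)` as `now` and feed it the `Certificate` object from each `describe-certificate` call.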

The universal way: openssl

This works regardless of where your certificate is served from. It opens a TLS connection and prints the validity dates of the certificate the server presents.

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null \
  | openssl x509 -noout -dates -issuer -subject

Don’t want to run this by hand every month?

SSLNudge checks AWS endpoints daily and alerts you before expiry.

Tip: paste a hostname into the free SSL checker to see its expiry right now.