How to check SSL certificate expiry on Nginx

Nginx serves the certificate referenced by ssl_certificate in your server block. You can check its expiry from the live endpoint or straight from the file on disk.

The universal way: openssl

This works regardless of where your certificate is served from. It opens a TLS connection and prints the validity dates of the certificate the server presents.

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null \
  | openssl x509 -noout -dates -issuer -subject

Check the certificate file on disk

Find the ssl_certificate path in your server block (usually under /etc/nginx/), then read its dates directly. This is handy when the cert isn’t live yet.

grep -R "ssl_certificate" /etc/nginx/
openssl x509 -enddate -noout -in /etc/nginx/ssl/example.com.crt

Verify the full chain is served

A common Nginx mistake is pointing ssl_certificate at the leaf only, omitting the intermediate. Confirm the served chain is complete:

openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null

Don’t want to run this by hand every month?

SSLNudge checks Nginx endpoints daily and alerts you before expiry.

Monitor it free

Related errors

Tip: paste a hostname into the free SSL checker to see its expiry right now.