Automatically Detect Expiring HTTPS SSL Certificates

Date Published: 08 May 2019

All too often we hear about a site going down or suffering problems because its owners let their public X.509 certificate expire. SSL certificates, which HTTPS requires in order to make secure TLS connections to a domain, expire after a number of years. Often, the team or individual who purchased and installed the initial HTTPS certificate is no longer in that role by the time the expiration occurs. If the company hasn't put safeguards in place, or outsourced its SSL protection to a cloud service, it may not realize the certificate needs to be renewed until it has already expired.

I tweeted a tip about one way dev teams can help avoid this scenario, which got some traction (more RTs for reach appreciated):

Most dev and/or devops teams have automated tests running frequently. Typically these tests only run against the source code of the projects they're stored with, but there's nothing to prevent tests from making requests to real-world resources, like your company's public web site. Production tests are similar to health checks and can inform the team when things have gone wrong, or will soon go wrong if left unchecked.

It's quite easy to configure a test that runs through one or more domains and fails if any of their certificates is either currently invalid or going to expire soon (say, within 30 days). When that test fails, it alerts the dev team that trouble is coming, and they can fix the problem or escalate it to whoever can fix it within the organization.

The Code

I wrote this up using my preferred platform of C#/xUnit/.NET Core, but if you have a similar approach using node or something else, please post your code in the comments or make a pull request to my GitHub repo.

xUnit code listing showing how to verify an SSL certificate has at least 30 days remaining.

Get the code at GitHub.com/ardalis/CertExpirationCheck
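The same kind of check in Python, as an added example that is not the code from the C#/xUnit listing or the GitHub repository. The function names, the `example.com` placeholder domain and the exit-code convention are assumptions made for this example; it treats a failed TLS handshake (including an already expired certificate) as a failure alongside the 30-day threshold.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

MIN_DAYS_REMAINING = 30  # the "expiring soon" threshold suggested above


def parse_not_after(value):
    """Parse the 'Jun  1 12:00:00 2030 GMT' form returned by getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def fetch_not_after(host, port=443, timeout=10.0):
    """Return the server certificate's expiry as an aware UTC datetime.

    The default context verifies the chain, the hostname and the validity
    period, so a certificate that is currently invalid raises ssl.SSLError.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return parse_not_after(tls.getpeercert()["notAfter"])


def days_remaining(not_after, now=None):
    """Whole days left before expiry (negative once expired)."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now) // timedelta(days=1)


def check_domains(domains, fetch=fetch_not_after, now=None,
                  min_days=MIN_DAYS_REMAINING):
    """Return {domain: problem} for every domain that fails the check."""
    failures = {}
    for domain in domains:
        try:
            left = days_remaining(fetch(domain), now)
        except OSError as exc:  # ssl.SSLError and socket errors are OSErrors
            failures[domain] = f"TLS handshake failed: {exc}"
            continue
        if left < min_days:
            failures[domain] = f"certificate expires in {left} days"
    return failures


if __name__ == "__main__":
    # Placeholder list; replace with the domains your team is responsible for.
    problems = check_domains(["example.com"])
    for domain, problem in problems.items():
        print(f"{domain}: {problem}")
    raise SystemExit(1 if problems else 0)  # non-zero exit fails the CI job
```

Run on a schedule in CI, the non-zero exit code is what turns an approaching expiry into a failed build the team will see.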

Get the Code

You can download or copy/paste the code from its GitHub repository. Be sure to give it a star if you found it helpful.

What Happens When It Expires?

Here is a short list of reasons why you don't want your certificate to expire:

Steve Smith
