TLS & certificates

TLS Certificate Expiry & Validity

Why an expiring or invalid TLS certificate breaks trust in your site, and how WebGuard tracks the renewal window before it lapses.

Last updated June 9, 2026

What it is

Every HTTPS site presents a TLS certificate that browsers use to confirm they are talking to the real domain over an encrypted connection. That certificate has a fixed validity window and must be renewed before it ends. WebGuard reads the certificate served on your public endpoints and checks how much of that window remains, whether the hostname and certificate chain are presented correctly, and whether secure delivery is consistently available.

Why it matters

A lapsed or misconfigured certificate is one of the fastest ways a public site loses customer confidence: browsers replace your page with a full-screen trust warning, and most visitors simply leave. Because renewals are easy to forget, certificate expiry is a recurring, entirely preventable outage. Catching it days ahead turns an incident into a routine task.

How WebGuard checks it

WebGuard connects to your verified domain exactly as a browser would, reads the presented certificate, and reports the days remaining and any chain or hostname mismatch. It is read-only: no certificate is modified, and nothing beyond the public endpoint is touched.

Check this on your own domain

WebGuard reviews this alongside the rest of your external exposure in a single read-only pass. Run a free review, or see everything it covers.