SSL certificate renewal manager · commands + auto-renew + expiry
Stop letting certificates expire. Pick your ACME client and challenge, and this tool writes the full issue, renew, dry-run and auto-renewal schedule for certbot, acme.sh, lego, dehydrated, Caddy, cert-manager (Kubernetes), win-acme and Posh-ACME, ready to copy. The built-in expiry calculator tells you how many days are left and when to renew, and the openssl snippets check any live or local certificate, verify the chain, test OCSP stapling and even email you before it expires. Everything runs in your browser.
Tip: Let's Encrypt certificates are valid 90 days; renew at 60 days (30 left). Paste your certificate expiry date above, or read it with the openssl command in the “Check expiry” tab.
How certificate auto-renewal works
A TLS/SSL certificate is valid for a fixed window, 90 days for Let's Encrypt and ZeroSSL, longer for paid CAs. Auto-renewal means an ACME client checks daily and re-issues the certificate before it expires, then reloads your web server to pick up the new file. The renewal itself is the easy part; the two things that actually break in production are a missing reload hook (the new certificate sits on disk but the old one is still served) and a scheduler that silently stopped. This tool generates both the renewal command and the schedule, plus a dry-run so you can prove it works before you depend on it.
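The two failure modes named above can be told apart by comparing the certificate on disk with the one the server actually presents. The following Python check is an added example, not output of this tool or code from any ACME client; the function names and status strings are assumptions made for illustration, and the 30-day margin is the one stated on this page.

```python
# Added example: names and status strings are illustrative, not from any ACME client.
import hashlib
import socket
import ssl

RENEW_MARGIN_DAYS = 30  # from the page: renew when 30 days are left
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def days_left(enddate_line: str, now: float) -> int:
    """Parse 'notAfter=...' as printed by `openssl x509 -noout -enddate`."""
    not_after = enddate_line.strip().removeprefix("notAfter=")
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def leaf_der(pem_text: str) -> bytes:
    """DER bytes of the first certificate (the leaf) in a PEM file or chain."""
    start = pem_text.index(PEM_BEGIN)
    end = pem_text.index(PEM_END, start) + len(PEM_END)
    return ssl.PEM_cert_to_DER_cert(pem_text[start:end])


def served_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the certificate the server is presenting right now."""
    ctx = ssl.create_default_context()
    # Inspection only: an expired certificate must still be readable, so trust
    # validation is off here. Do not reuse this context to send data.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, useful in the alert or log line."""
    return hashlib.sha256(der).hexdigest()


def diagnose(disk: bytes, served: bytes, enddate_line: str, now: float) -> str:
    """Classify the two production failure modes described above."""
    if fingerprint(disk) != fingerprint(served):
        return "STALE_SERVED"   # renewed on disk, server never reloaded
    if days_left(enddate_line, now) <= RENEW_MARGIN_DAYS:
        return "RENEW_OVERDUE"  # same cert everywhere, scheduler likely stopped
    return "OK"
```

Call `diagnose` with `leaf_der()` of the certificate file your client writes, `served_der()` for the host, the `notAfter=` line from the openssl command, and `time.time()`.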
Pick the right ACME client
| Client | Best for |
|---|---|
| certbot | The Let's Encrypt reference client on Linux with nginx/apache plugins. Installs its own systemd timer. |
| acme.sh | Pure shell, no dependencies, huge list of DNS providers. Installs its own cron job. |
| Caddy | Web server with automatic HTTPS built in. Nothing to schedule, it renews itself. |
| win-acme | Windows and IIS. Creates a Windows Scheduled Task automatically. |
| Posh-ACME | PowerShell module for Windows automation and DNS challenges. |
HTTP-01 vs DNS-01 validation
HTTP-01 proves control by serving a token over port 80, using the nginx or apache plugin, a webroot folder, or a standalone server. It is the simplest option but cannot issue wildcard certificates. DNS-01 proves control by creating a TXT record, which works behind a firewall and is the only way to get a wildcard (*.example.com). Choose DNS-01 with your provider plugin when you need a wildcard or your server is not reachable on port 80.
Frequently asked questions
How do I check when my SSL certificate expires?
For a live site, run echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate. For a local file, openssl x509 -enddate -noout -in cert.pem. Or paste the date into the calculator above to see the days remaining and the recommended renewal date. The “Check expiry” tab generates these commands for your domain.
When should a Let's Encrypt certificate be renewed?
Let's Encrypt certificates last 90 days. The clients renew automatically at around 60 days, leaving a 30-day safety margin. Running a renewal while more than 30 days remain before expiry is a no-op unless you force it, so a daily timer that only acts when needed is the correct setup.
Why did my certificate expire even though auto-renew was set up?
The two usual causes are a stopped scheduler (check systemctl list-timers or your cron) and a renewal that succeeded but never reloaded the web server, so the old certificate kept being served. Always set a deploy or reload hook such as systemctl reload nginx, and test with the dry-run command this tool generates.
How do I test renewal without hitting rate limits?
Use the dry-run: certbot renew --dry-run for certbot, or issue against the staging endpoint for other clients. The dry-run uses the Let's Encrypt staging environment, so it does not count against the production rate limit and does not replace your live certificate.
Can I get a wildcard certificate this way?
Yes, but only with the DNS-01 challenge. Select DNS-01 and your provider above, then add a domain like *.example.com. The client creates a TXT record to prove control of the whole zone, which HTTP validation cannot do.
Is this tool safe to use with my domain details?
Yes. It runs entirely in your browser and only assembles command text from what you type; no domains, emails or keys are sent anywhere. Copy the commands and run them on your own server.













