SSL Certificate Renewal Manager
Build SSL/TLS renewal and auto-renew commands for certbot, acme.sh, lego, Caddy, win-acme and more, with HTTP-01, DNS-01 and an expiry calculator.
This SSL certificate renewal manager builds the issue, renew, dry-run and auto-renewal commands for certbot, acme.sh, lego, dehydrated, Caddy, cert-manager on Kubernetes, win-acme and Posh-ACME, all in your browser so your domains and email never leave the page. Pick a validation challenge (nginx or apache plugin, HTTP-01 webroot or standalone, or DNS-01 for wildcards), a DNS provider and a key type, then copy the ready commands plus the timer or cron that keeps the cert fresh. A built-in expiry calculator tells you the days left and the day you should actually renew, and the openssl snippets read any certificate, check the chain and watch OCSP stapling.
100% in your browser. Nothing you type ever leaves this page.
SSL certificate renewal manager · commands + auto-renew + expiry
An expired certificate is such a dumb way to take a site down. Avoidable, every time. So pick your ACME client, pick a challenge, and this thing spits out the full issue, renew, dry-run and auto-renewal schedule for certbot, acme.sh, lego, dehydrated, Caddy, cert-manager (Kubernetes), win-acme and Posh-ACME. Ready to paste. The expiry calculator does the boring math: days left, and the day you should actually renew. And the openssl snippets read any cert (live or sitting on disk), check the chain, poke at OCSP stapling, even nag you by email before the thing lapses. None of it leaves your browser.
Tip: Let's Encrypt certs live 90 days. Renew at 60 (so you still have 30 in the tank if something goes sideways). Drop your expiry date in the box above, or pull it straight off the cert with the openssl line in the "Check expiry" tab.
How certificate auto-renewal works
An SSL certificate renewal manager exists because every TLS/SSL certificate has a shelf life. 90 days for Let's Encrypt and ZeroSSL, longer if you pay a CA for the privilege. Auto-renewal is just an ACME client waking up every day, checking the clock, and re-issuing before things lapse. Then it reloads your web server so the new file actually gets served. Issuing the cert? Easy. That part basically never breaks. What breaks, and I have watched it happen more than once, is the reload hook nobody wired up (fresh cert on disk, old one still going out to browsers) or a scheduler that quietly died months ago and nobody noticed. So this tool hands you the renewal command and the schedule both, plus a dry-run so you can prove the whole thing works before you trust it with anything that matters.
Pick the right ACME client
| Client | Best for |
|---|---|
| certbot | The Let's Encrypt reference client on Linux with nginx/apache plugins. Installs its own systemd timer. |
| acme.sh | Pure shell, no dependencies, huge list of DNS providers. Installs its own cron job. |
| Caddy | Web server with automatic HTTPS built in. Nothing to schedule, it renews itself. |
| win-acme | Windows and IIS. Creates a Windows Scheduled Task automatically. |
| Posh-ACME | PowerShell module for Windows automation and DNS challenges. |
HTTP-01 vs DNS-01 validation
HTTP-01 proves you own the domain by serving a little token over port 80. You can do that through the nginx or apache plugin, or point it at a webroot folder, or just let the client spin up a standalone server for a second. Simplest path, honestly. The catch: it flat-out cannot do wildcards. DNS-01 proves the same thing a different way, by dropping a TXT record into your zone. That works even when the box is firewalled off, and it is the only route to a wildcard (`*.example.com`). So go DNS-01 with your provider plugin if you need that wildcard, or if port 80 just is not reachable from the outside.
Frequently asked questions
How do I check when my SSL certificate expires?
Live site? Run `echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate`. Got the file locally instead? `openssl x509 -enddate -noout -in cert.pem` does it. Or skip the terminal entirely: paste the date into the calculator up top and it will tell you the days left plus when you ought to renew. The "Check expiry" tab builds these lines for your own domain, by the way.
When should a Let's Encrypt certificate be renewed?
90 days, that is the Let's Encrypt lifespan. The clients jump in around day 60 on their own, which buys you a 30-day cushion. Try to renew before the 30-days-left mark and nothing happens: it is a no-op unless you force it. Which is exactly why a daily timer that only fires when there is actually work to do is the right call.
Why did my certificate expire even though auto-renew was set up?
Almost always one of two things. Either the scheduler quietly stopped (go check `systemctl list-timers` or your cron) or the renewal actually worked but nothing reloaded the web server, so it just kept handing out the stale cert. Wire up a deploy or reload hook like `systemctl reload nginx` and do not skip it. Then run the dry-run this tool spits out to confirm the loop closes.
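An added example, not code from this tool or from any ACME client, that does the expiry math from the answers above and the post-reload check from this one: it parses the `notAfter=` line openssl prints, reports days left and the renew-on date with the 30-day cushion, and compares the SHA-256 fingerprint of the cert on disk with the one the server is actually handing out. The hostname, the `/etc/letsencrypt/live/...` path and the `fake_pem` stand-in are assumptions so it can run offline.

```python
"""Expiry math and the served-vs-disk check for an ACME-issued cert.
Assumed inputs: the 'notAfter=...' line from `openssl x509 -enddate -noout` and PEM text."""
import base64, hashlib, ssl
from datetime import datetime, timedelta, timezone

CUSHION_DAYS = 30  # ACME clients re-issue a 90-day cert once this much life is left


def parse_enddate(line: str) -> datetime:
    """Parse 'notAfter=Mar 15 12:00:00 2025 GMT' (openssl pads single-digit days: 'Mar  5')."""
    stamp = line.strip().split("=", 1)[-1]
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def renewal_plan(not_after: datetime, now: datetime) -> dict:
    remaining = not_after - now
    return {
        "days_left": remaining.days,
        "renew_on": (not_after - timedelta(days=CUSHION_DAYS)).date().isoformat(),
        # Above the cushion a renew is a no-op unless forced; at or below it the client re-issues.
        "would_renew": remaining <= timedelta(days=CUSHION_DAYS),
    }


def first_cert(pem: str) -> str:
    """Leaf only: fullchain.pem carries intermediates after it, and a server presents the leaf first."""
    start = pem.index("-----BEGIN CERTIFICATE-----")
    end = pem.index("-----END CERTIFICATE-----", start) + len("-----END CERTIFICATE-----")
    return pem[start:end]


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the first cert, colon-separated like `openssl x509 -fingerprint -sha256`."""
    der = ssl.PEM_cert_to_DER_cert(first_cert(pem))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def served_matches_disk(disk_pem: str, served_pem: str) -> bool:
    """The check a deploy hook should run after reloading: is the live cert the file just written?"""
    return sha256_fingerprint(disk_pem) == sha256_fingerprint(served_pem)


def fake_pem(payload: bytes) -> str:
    """Constructed PEM wrapper around arbitrary bytes, for offline demos only (not a real certificate)."""
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(payload).decode()}-----END CERTIFICATE-----\n"


if __name__ == "__main__":  # usage: python3 renew_check.py example.com /etc/letsencrypt/live/example.com/fullchain.pem
    import subprocess, sys
    host, path = sys.argv[1], sys.argv[2]
    enddate = subprocess.run(["openssl", "x509", "-enddate", "-noout", "-in", path],
                             capture_output=True, text=True, check=True).stdout
    print(renewal_plan(parse_enddate(enddate), datetime.now(timezone.utc)))
    with open(path) as f:
        print("served == disk:", served_matches_disk(f.read(), ssl.get_server_certificate((host, 443))))
```

Run it from the deploy hook after the reload: a `False` on the last line is the "fresh cert on disk, old one still going out" case, caught before any browser sees it.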
How do I test renewal without hitting rate limits?
Dry-run it. `certbot renew --dry-run` if you are on certbot, or aim at the staging endpoint with whatever client you have got. The dry-run talks to the Let's Encrypt staging environment, so it will not eat into your production rate limit and will not touch your live certificate either. Test all you want.
Can I get a wildcard certificate this way?
You can, but DNS-01 is the only way in. Pick DNS-01 and your provider above, then toss in a domain like `*.example.com`. The client writes a TXT record to prove you control the entire zone, and that is a trick HTTP validation simply cannot pull off.
Is this tool safe to use with my domain details?
It is. The whole thing runs in your browser and all it does is stitch together command text from what you typed. Nothing gets sent anywhere, not your domains, not your email, not keys. Copy the commands out and run them on your own box.