
How Do I Know When the Certificate Will Expire?

Most monitoring systems (e.g., Nagios, GCP, AWS) can monitor when certificates are expiring. Additionally, the UIT SSL team will attempt to notify the registered owner (through the email address provided when submitting the CSR) 60, 30, and seven days before the certificate expires.

This is intended as a courtesy reminder. Users should not manage their certificates solely based on these reminder emails. A reminder can fail to reach the right person: in some cases a user has more than one certificate and UIT cannot tell which one is in use, the contact email contains a typo, or the email cannot be delivered for other reasons.

UIT highly recommends monitoring client-facing endpoints. It is the responsibility of each owner to monitor SSL expiration via their public endpoints.

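The following is a quick example using the OpenSSL command. Redirecting standard input from /dev/null makes s_client exit once the certificate has been retrieved instead of waiting for input:

openssl s_client -connect "${host}.stanford.edu:443" </dev/null 2>/dev/null | openssl x509 -noout -dates

ex: openssl s_client -connect www.stanford.edu:443 </dev/null 2>/dev/null | openssl x509 -noout -dates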

notBefore=Sep  4 00:00:00 2020 GMT

notAfter=Mar 13 23:59:59 2021 GMT

The above example checks the validity dates of the certificate for "www.stanford.edu". You can replace "www" with your own hostname.
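
The same endpoint check as a small monitoring plugin, added here as an example and not UIT's own code: it reads the notAfter date from the certificate the endpoint actually serves and maps the days remaining to Nagios exit codes. The function names and the 30- and seven-day warning and critical thresholds are assumptions chosen to match the reminder schedule above.

```python
import socket
import ssl
import sys
import time

# Assumed thresholds, matching the 30- and seven-day reminders described above.
WARN_DAYS, CRIT_DAYS = 30, 7
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios plugin exit codes


def fetch_not_after(host, port=443, timeout=10):
    """Return notAfter of the certificate the endpoint serves to clients."""
    ctx = ssl.create_default_context()  # also verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def evaluate(not_after, now=None):
    """Map a notAfter string such as 'Mar 13 23:59:59 2021 GMT' to (code, message)."""
    now = time.time() if now is None else now
    try:
        expires = ssl.cert_time_to_seconds(not_after)
    except ValueError:
        return UNKNOWN, f"UNKNOWN: cannot parse notAfter {not_after!r}"
    if expires <= now:
        return CRITICAL, f"CRITICAL: certificate expired ({not_after})"
    days = int((expires - now) // 86400)  # whole days remaining
    if days <= CRIT_DAYS:
        return CRITICAL, f"CRITICAL: {days} days left ({not_after})"
    if days <= WARN_DAYS:
        return WARNING, f"WARNING: {days} days left ({not_after})"
    return OK, f"OK: {days} days left ({not_after})"


def main(argv):
    # Defaults to the hostname used in the example above when none is given.
    host = argv[1] if len(argv) == 2 else "www.stanford.edu"
    try:
        code, msg = evaluate(fetch_not_after(host))
    except ssl.SSLCertVerificationError as exc:  # e.g. already expired
        code, msg = CRITICAL, f"CRITICAL: verification failed: {exc.verify_message}"
    except OSError as exc:  # DNS failure, refused connection, timeout
        code, msg = UNKNOWN, f"UNKNOWN: {exc}"
    print(f"{host}: {msg}")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

An already-expired certificate fails verification during the handshake, so that case is reported as critical from the exception handler rather than from evaluate.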

Last modified February 16, 2021