SSL Expiry Reminder
Paste a PEM certificate and we extract its notAfter date via our hand-rolled X.509 parser, compute days-till-expiry, and generate a downloadable `.ics` calendar reminder you can drop into Google Calendar, Outlook or Apple Calendar. Pick the lead time (7 / 14 / 30 / 60 / 90 days before) and alarm offset. 100% offline.
What is the SSL Expiry Reminder?
SSL Expiry Reminder builds on the hand-rolled X.509 parser used in the SSL Certificate Checker. Paste a PEM certificate (or use the sample) and we walk the ASN.1 DER to extract the subject CN and the notAfter date. The days-till-expiry counter updates live as you paste. Pick a lead time (7 / 14 / 30 / 60 / 90 days before expiry — 30 is the default since it gives breathing room for renewal QA without being too far out) and an alarm offset (1 hour before, 9 hours, 1 day, or 1 week — defaults to 9 hours so the reminder fires at start-of-workday the day before). The output is an RFC 5545-compliant `.ics` file with: a unique UID per cert, the cert's subject in the summary, the expiry date in the description, an all-day VEVENT, and an embedded VALARM. The file is line-folded at 73 octets per the spec, uses CRLF line endings, and parses cleanly in Google Calendar, Outlook (desktop + web + 365), Apple Calendar, and Fastmail. Download the file or copy the raw .ics text to clipboard.
How to use it
- Paste your PEM certificate (the `-----BEGIN CERTIFICATE-----` block).
- Read the headline: subject CN and days till expiry, colour-coded green / amber / red.
- Pick the lead time — how many days before expiry should the reminder fire?
- Pick the alarm offset (when on the reminder day the alert should pop).
- Click 'Download .ics' to save the file, then drop it into your calendar app (or use 'Copy .ics' to paste it elsewhere).
Benefits
- Builds on the same hand-rolled X.509 parser used in the Certificate Checker — no external crypto libraries.
- Days-till-expiry computed live as you paste.
- Headline colour-coded — green (>60d), amber (14-60d), red (<14d or expired).
- Lead-time presets at 7 / 14 / 30 / 60 / 90 days.
- Alarm offset at 1 hour / 9 hours / 1 day / 1 week before the reminder day.
- RFC 5545-compliant .ics — line-folded, CRLF, VALARM embedded.
- Tested against Google Calendar, Outlook (desktop + web + 365), Apple Calendar, Fastmail.
- Subject CN used as the reminder title — so multiple certs are easy to tell apart in your calendar.
- Runs 100% in your browser.
Frequently asked questions
How does it know the expiry date?
By parsing the certificate's ASN.1 DER (after base64-decoding the PEM) and reading the `validity.notAfter` field. The parser handles both UTCTime (pre-2050) and GeneralizedTime formats.
Can I add multiple reminders at once?
Currently one cert per .ics. To add a second, paste a different cert and download a second .ics. Most calendar apps merge multiple .ics imports cleanly.
What if my cert is already expired?
The days-till-expiry shows a negative number and the headline turns red. You can still generate a reminder for a renewal date in the future by adjusting the lead time, though the calendar reminder will be for a date in the past.
Why is 30 days the default lead time?
Realistic renewal cadence: 30 days gives you time to coordinate, QA the new cert, and roll it out without a panic. 90 days is too long (you'll forget); 14 days is too short for ops teams with change windows.
What does the VALARM do?
It's the calendar's built-in reminder. Google Calendar will pop a notification, Outlook will pop a notification, Apple Calendar plays a sound. The TRIGGER is relative to the event start (`-PT9H` = 9 hours before).
Why all-day instead of timed?
Cert renewals aren't tied to a specific hour. An all-day event shows up cleanly on month/week views and doesn't block your work day.
Will the same UID conflict in my calendar?
The UID is `ssl-<subject>-<expiry-timestamp>@toollyz.com`. Two reminders for the same cert generated on different days share the same UID, so calendar apps treat them as an UPDATE rather than a duplicate.
Can I edit the reminder text?
Not in the UI — but the downloaded .ics is plain text. Open it in any editor before importing if you want to tweak the SUMMARY or DESCRIPTION.
Does it support automated calendars (CalDAV)?
Not currently — you import the .ics file manually. CalDAV automation would require a server and your credentials, which Toollyz doesn't have.
What's the .ics file size?
About 600-800 bytes — tiny.
Is anything uploaded?
No. PEM parsing and .ics generation run entirely in your browser.
Related tools
See all developer toolsSSL Certificate Checker
Paste PEM — parse X.509 v3, days-till-expiry, SAN, key bits, SHA-256 fingerprint.
SPF Record Checker
Parse RFC 7208 SPF records — qualifiers, mechanisms, 10-lookup limit.
DKIM Record Checker
Paste DKIM TXT — validate tags, RSA key length, allowed hashes + service types.
DMARC Record Checker
Paste DMARC TXT — validate policy, alignment, percentage, report URIs; 0-100 score.