Home

notAfter

NotAfter is a field in X.509 public key certificates that specifies the latest date and time at which the certificate is considered valid. Along with notBefore, which marks the start of the validity period, notAfter defines the certificate’s life span. The values are encoded in the certificate as time stamps, using UTCTime or GeneralizedTime, and are rendered in human-readable form in certificates and messages. In typical representations, notAfter is written as a timestamp such as 2025-12-31T23:59:59Z.

During certificate validation, the current time must satisfy notBefore <= now <= notAfter. If now > notAfter, the certificate

NotAfter is independent of revocation status; a certificate may be expired but not revoked, or valid but

In practical terms, notAfter is used by TLS libraries, browsers, and PKI tooling to determine whether a

is
expired
and
should
be
rejected
for
trust,
encryption,
or
authentication.
A
certificate
with
a
notAfter
earlier
than
its
notBefore
or
that
lacks
a
consistent
validity
window
is
considered
invalid.
revoked.
To
manage
lifecycle,
organizations
renew
or
reissue
certificates
before
notAfter
to
maintain
uninterrupted
service.
Some
clients
apply
a
small
clock-skew
tolerance
when
checking
notAfter
to
accommodate
time
synchronization.
certificate
should
be
accepted.
It
plays
a
central
role
in
certificate
expiration
alerts,
renewal
planning,
and
security
policy.
NotAfter,
together
with
notBefore,
forms
the
fundamental
validity
window
of
a
certificate.