notAfter

NotAfter is a field in X.509 public key certificates that specifies the latest date and time at which the certificate is considered valid. Along with notBefore, which marks the start of the validity period, notAfter defines the certificate’s life span. The values are encoded in the certificate as time stamps, using UTCTime or GeneralizedTime, and are rendered in human-readable form in certificates and messages. In typical representations, notAfter is written as a timestamp such as 2025-12-31T23:59:59Z.

During certificate validation, the current time must satisfy notBefore <= now <= notAfter. If now > notAfter, the certificate

NotAfter is independent of revocation status; a certificate may be expired but not revoked, or valid but

In practical terms, notAfter is used by TLS libraries, browsers, and PKI tooling to determine whether a