diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index b710c17b9..0e9627f79 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
@@ -64,19 +64,23 @@ function nginxLocation(s) {
 return `~ ^(?!(${re.slice(1)}))`; // negative regex assertion - https://stackoverflow.com/questions/16302897/nginx-location-not-equal-to-regex
 }
-function getExpiryDateSync(cert) {
+function getCertificateDatesSync(cert) {
 assert.strictEqual(typeof cert, 'string');
- const result = safe.child_process.spawnSync('/usr/bin/openssl', [ 'x509', '-enddate', '-noout' ], { input: cert });
- if (!result) return null; // some error
+ const result = safe.child_process.spawnSync('/usr/bin/openssl', [ 'x509', '-startdate', '-enddate', '-noout' ], { input: cert, encoding: 'utf8' });
+ if (!result) return { startDate: null, endDate: null } ; // some error
- const notAfter = result.stdout.toString('utf8').trim().split('=')[1];
+ const lines = result.stdout.trim().split('\n');
+ const notBefore = lines[1].split('=')[0];
+ const notBeforeDate = new Date(notBefore);
+
+ const notAfter = lines[1].split('=')[1];
 const notAfterDate = new Date(notAfter);
 const daysLeft = (notAfterDate - new Date())/(24 * 60 * 60 * 1000);
- debug(`expiryDate: notAfter=${notAfter} daysLeft=${daysLeft}`);
+ debug(`expiryDate: notBefore=${notBefore} notAfter=${notAfter} daysLeft=${daysLeft}`);
- return notAfterDate;
+ return { startDate: notBeforeDate, endDate: notAfterDate };
 }
 async function isOcspEnabled(certFilePath) {
@@ -252,8 +256,8 @@ function getAcmeCertificateNameSync(fqdn, domainObject) {
 function needsRenewalSync(cert) {
 assert.strictEqual(typeof cert, 'string');
- const notAfter = getExpiryDateSync(cert);
- const isExpiring = (notAfter - new Date()) <= (30 * 24 * 60 * 60 * 1000); // expiring in a month
+ const { endDate } = getCertificateDatesSync(cert);
+ const isExpiring = (endDate - new Date()) <= (30 * 24 * 60 * 60 * 1000); // expiring in a month
 debug(`needsRenewal: ${isExpiring}`);
 return isExpiring;
 }
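Review bot: `notBefore` is read from the wrong field in getCertificateDatesSync: `lines[1].split('=')[0]` is the label `notAfter`, not the start date, so `new Date(notBefore)` is always an Invalid Date (with `-startdate -enddate` in that order openssl prints the `notBefore=` line first and `notAfter=` second). The line should read `const notBefore = lines[0].split('=')[1];`. Separately, the new code only guards against a null `result`; when openssl exits non-zero on a malformed certificate its stdout is empty and `lines[1]` is undefined, so the `.split` now throws a TypeError where the old version produced an Invalid Date — widening the guard to `if (!result || result.status !== 0) return { startDate: null, endDate: null };` keeps the "some error" path working. Note also that an Invalid Date is truthy, so the `if (!endDate)` checks in needsRenewalSync and cleanupCerts do not catch it; `Number.isNaN(endDate.getTime())` would.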
@@ -584,10 +588,10 @@ async function cleanupCerts(locations, auditSource, progressCallback) {
 if (certNamesInUse.has(certName)) continue;
 const cert = await blobs.getString(certId);
- const notAfter = getExpiryDateSync(cert);
- if (!notAfter) continue; // some error
+ const { endDate } = getCertificateDatesSync(cert);
+ if (!endDate) continue; // some error
- if (now - notAfter >= (60 * 60 * 24 * 30 * 6 * 1000)) { // expired 6 months ago and not in use
+ if (now - endDate >= (60 * 60 * 24 * 30 * 6 * 1000)) { // expired 6 months ago and not in use
 progressCallback({ message: `deleting certs of ${certName}` });
 // it is safe to delete the certs of stopped apps because their nginx configs are removed