Check SSL Certificate Expiry Date from Certificate File

How do you check an SSL certificate's expiration date from the command line? In this guide, you will learn how to check the SSL certificate expiry date from the certificate file itself. SSL (Secure Sockets Layer)/TLS (Transport Layer Security) certificates are used to encrypt data exchanged between a website and its users. Knowing the expiration date is therefore important in protecting sensitive information such as passwords, credit card numbers, and other personal information from being intercepted by malicious actors.

Checking SSL Certificate Validity from Certificate File

So, how can you check the SSL certificate expiry date/validity from the certificate file itself? There are various ways to monitor SSL/TLS certificate expiration dates. For example, you can:

  • Monitor SSL/TLS Certificate Expiry with Prometheus and Grafana
  • Monitor SSL/TLS Certificates Expiry with Nagios

However, there are cases where you only have the SSL/TLS certificate file and want to find out its expiration date. This is where the openssl command comes in handy.

openssl is a general-purpose SSL/TLS cryptographic command line tool that can be used to perform cryptographic operations such as:

  • creating RSA, DH, and DSA key parameters;
  • creating X.509 certificates, CSRs, and CRLs;
  • calculating message digests;
  • encrypting and decrypting with ciphers;
  • testing SSL/TLS clients and servers;
  • handling S/MIME signed or encrypted mail;
  • and even checking the expiration dates of the SSL/TLS certificate files.

That being said, how can you use the openssl command to check the SSL certificate expiry date from a certificate file?

SSL/TLS certificates use the X.509 digital certificate standard. Thus, if you want to use the openssl command to check the SSL certificate expiry date from the certificate file, you need to use the x509 subcommand:

openssl x509 [options]

You can pass other options that enable you to view the details of the certificate file. To list the options, check the help information:

openssl x509 -help

Usage: x509 [options]
Valid options are:
 -help                      Display this summary
 -inform format             Input format - default PEM (one of DER or PEM)
 -in infile                 Input file - default stdin
 -outform format            Output format - default PEM (one of DER or PEM)
 -out outfile               Output file - default stdout
 -keyform PEM|DER|ENGINE    Private key format - default PEM
 -passin val                Private key password/pass-phrase source
 -serial                    Print serial number value
 -subject_hash              Print subject hash value
 -issuer_hash               Print issuer hash value
 -hash                      Synonym for -subject_hash
 -subject                   Print subject DN
 -issuer                    Print issuer DN
 -email                     Print email address(es)
 -startdate                 Set notBefore field
 -enddate                   Set notAfter field
 -purpose                   Print out certificate purposes
 -dates                     Both Before and After dates
 -modulus                   Print the RSA key modulus
 -pubkey                    Output the public key
 -fingerprint               Print the certificate fingerprint
 -alias                     Output certificate alias
 -noout                     No output, just status
 -nocert                    No certificate output
 -ocspid                    Print OCSP hash values for the subject name and public key
 -ocsp_uri                  Print OCSP Responder URL(s)
 -trustout                  Output a trusted certificate
 -clrtrust                  Clear all trusted purposes
 -clrext                    Clear all certificate extensions
 -addtrust val              Trust certificate for a given purpose
 -addreject val             Reject certificate for a given purpose
 -setalias val              Set certificate alias
 -days int                  How long till expiry of a signed certificate - def 30 days
 -checkend intmax           Check whether the cert expires in the next arg seconds
                            Exit 1 if so, 0 if not
 -signkey val               Self sign cert with arg
 -x509toreq                 Output a certification request object
 -req                       Input is a certificate request, sign and output
 -CA infile                 Set the CA certificate, must be PEM format
 -CAkey val                 The CA key, must be PEM format; if not in CAfile
 -CAcreateserial            Create serial number file if it does not exist
 -CAserial val              Serial file
 -set_serial val            Serial number to use
 -text                      Print the certificate in text form
 -ext val                   Print various X509V3 extensions
 -C                         Print out C code forms
 -extfile infile            File with X509V3 extensions to add
 -rand val                  Load the file(s) into the random number generator
 -writerand outfile         Write random data to the specified file
 -extensions val            Section from config file to use
 -nameopt val               Various certificate name options
 -certopt val               Various certificate text options
 -checkhost val             Check certificate matches host
 -checkemail val            Check certificate matches email
 -checkip val               Check certificate matches ipaddr
 -CAform PEM|DER            CA format - default PEM
 -CAkeyform PEM|DER|ENGINE  CA key format - default PEM
 -sigopt val                Signature parameter in n:v form
 -force_pubkey infile       Force the Key to put inside certificate
 -next_serial               Increment current certificate serial number
 -clrreject                 Clears all the prohibited or rejected uses of the certificate
 -badsig                    Corrupt last byte of certificate signature (for test)
 -*                         Any supported digest
 -subject_hash_old          Print old-style (MD5) issuer hash value
 -issuer_hash_old           Print old-style (MD5) subject hash value
 -engine val                Use engine, possibly a hardware device
 -preserve_dates            preserve existing dates when signing

The options of interest for checking the SSL expiry date from the certificate file are:

  • -enddate: shows the expiry date of the certificate.
  • -in infile: specifies the file you want to check.

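So, for example, let's assume we have an SSL certificate file; you can then check its expiry date by running the command below, where <certificate-file> is a placeholder for the path to your file:

openssl x509 -enddate -in <certificate-file>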

SSL/TLS certificate files are most commonly in PEM (Privacy Enhanced Mail) format, represented as ASCII text, with common file extensions such as .pem, .crt, .cer, or .key.

Sample output of the command above;

notAfter=May 25 23:59:59 2023 GMT

As you can see, the expiry date is given by;

notAfter=May 25 23:59:59 2023 GMT

You can also pass the -noout option to suppress the certificate output of the command and print just the expiry date.

openssl x509 -enddate -in <certificate-file> -noout


notAfter=May 25 23:59:59 2023 GMT
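For scripted checks, the -checkend option listed in the help output above returns an exit status instead of a date that has to be parsed. The following is an added example, not part of the original article; the function names, the 30-day default and the throwaway sample.invalid certificate are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): classify a certificate file
# by how close it is to its notAfter date, using openssl x509 -checkend.

# cert_expiry_status FILE [WARN_DAYS]
# Prints OK, EXPIRING, EXPIRED or UNREADABLE; returns 0, 1, 2 or 3.
cert_expiry_status() {
    ces_file=$1
    ces_warn_secs=$(( ${2:-30} * 86400 ))
    # -checkend also exits non-zero when the file cannot be parsed, so rule
    # that out first instead of reporting a broken file as "expiring".
    if ! openssl x509 -in "$ces_file" -noout >/dev/null 2>&1; then
        echo UNREADABLE; return 3
    fi
    # Already past notAfter: expires within the next 0 seconds.
    if ! openssl x509 -in "$ces_file" -noout -checkend 0 >/dev/null; then
        echo EXPIRED; return 2
    fi
    # Still valid, but notAfter falls inside the warning window.
    if ! openssl x509 -in "$ces_file" -noout -checkend "$ces_warn_secs" >/dev/null; then
        echo EXPIRING; return 1
    fi
    echo OK
}

# Constructed sample input: a throwaway self-signed certificate valid for
# DAYS days. The CN is a placeholder and the private key is discarded.
make_sample_cert() {  # make_sample_cert OUTFILE DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
        -subj "/CN=sample.invalid" -days "$2" -out "$1" 2>/dev/null
}

# Demo on constructed files: a long-lived cert, a short-lived cert, and junk.
demo() {
    demo_dir=$(mktemp -d) || return 1
    make_sample_cert "$demo_dir/long.pem" 365
    make_sample_cert "$demo_dir/short.pem" 7
    echo "not a certificate" > "$demo_dir/junk.pem"
    for demo_f in long short junk; do
        printf '%s.pem: %s\n' "$demo_f" \
            "$(cert_expiry_status "$demo_dir/$demo_f.pem" 30)"
    done
    rm -rf "$demo_dir"
}
demo
```

The distinct return codes let a cron job or monitoring wrapper alert differently on a certificate that is about to expire and on a file that is missing or corrupt.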

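You can also connect to the site and check the SSL expiry date directly from the command line. Replace <host>:<port> with the server to check; redirecting standard input from /dev/null makes s_client exit once the handshake completes instead of waiting for input:

openssl s_client -connect <host>:<port> -showcerts </dev/null | openssl x509 -enddate -noout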

And that is it on how to check SSL certificate expiry date from the certificate file itself.
