How do you check an SSL certificate's expiration date from the command line? In this guide, you will learn how to check the SSL certificate expiry date from the certificate file itself. SSL (Secure Sockets Layer)/TLS (Transport Layer Security) certificates are used to encrypt data exchanged between a website and its users. Knowing the expiration date is therefore important in protecting sensitive information such as passwords, credit card numbers, and other personal information from being intercepted by malicious actors.
Checking SSL Certificate Validity from Certificate File
So, how can you check the SSL certificate expiry date/validity from the certificate file itself? There are various ways to monitor SSL/TLS certificate expiration dates. For example, you can:
- Monitor SSL/TLS Certificate Expiry with Prometheus and Grafana
- Monitor SSL/TLS Certificates Expiry with Nagios
However, there are instances when you just have the SSL/TLS certificate file and want to find out its expiration date. This is where the openssl command comes in handy.
openssl is a general-purpose SSL/TLS cryptographic command line tool that can be used to perform cryptographic operations such as:
- creating RSA, DH, and DSA key parameters;
- creating X.509 certificates, CSRs, and CRLs;
- calculating message digests;
- encrypting and decrypting with ciphers;
- testing SSL/TLS clients and servers;
- handling S/MIME signed or encrypted mail;
- and even checking the expiration dates of the SSL/TLS certificate files.
That being said, how can you use the openssl command to check the SSL certificate expiry date from a certificate file?
SSL/TLS certificates use the X.509 digital certificate standard. Thus, to check the expiry date from the certificate file with openssl, you need to use the x509 subcommand;
openssl x509 [options]
You can pass other options that enable you to view the status of the certificate file. To list the options, check the help information;
openssl x509 -help
Usage: x509 [options]
Valid options are:
-help Display this summary
-inform format Input format - default PEM (one of DER or PEM)
-in infile Input file - default stdin
-outform format Output format - default PEM (one of DER or PEM)
-out outfile Output file - default stdout
-keyform PEM|DER|ENGINE Private key format - default PEM
-passin val Private key password/pass-phrase source
-serial Print serial number value
-subject_hash Print subject hash value
-issuer_hash Print issuer hash value
-hash Synonym for -subject_hash
-subject Print subject DN
-issuer Print issuer DN
-email Print email address(es)
-startdate Set notBefore field
-enddate Set notAfter field
-purpose Print out certificate purposes
-dates Both Before and After dates
-modulus Print the RSA key modulus
-pubkey Output the public key
-fingerprint Print the certificate fingerprint
-alias Output certificate alias
-noout No output, just status
-nocert No certificate output
-ocspid Print OCSP hash values for the subject name and public key
-ocsp_uri Print OCSP Responder URL(s)
-trustout Output a trusted certificate
-clrtrust Clear all trusted purposes
-clrext Clear all certificate extensions
-addtrust val Trust certificate for a given purpose
-addreject val Reject certificate for a given purpose
-setalias val Set certificate alias
-days int How long till expiry of a signed certificate - def 30 days
-checkend intmax Check whether the cert expires in the next arg seconds
Exit 1 if so, 0 if not
-signkey val Self sign cert with arg
-x509toreq Output a certification request object
-req Input is a certificate request, sign and output
-CA infile Set the CA certificate, must be PEM format
-CAkey val The CA key, must be PEM format; if not in CAfile
-CAcreateserial Create serial number file if it does not exist
-CAserial val Serial file
-set_serial val Serial number to use
-text Print the certificate in text form
-ext val Print various X509V3 extensions
-C Print out C code forms
-extfile infile File with X509V3 extensions to add
-rand val Load the file(s) into the random number generator
-writerand outfile Write random data to the specified file
-extensions val Section from config file to use
-nameopt val Various certificate name options
-certopt val Various certificate text options
-checkhost val Check certificate matches host
-checkemail val Check certificate matches email
-checkip val Check certificate matches ipaddr
-CAform PEM|DER CA format - default PEM
-CAkeyform PEM|DER|ENGINE CA key format - default PEM
-sigopt val Signature parameter in n:v form
-force_pubkey infile Force the Key to put inside certificate
-next_serial Increment current certificate serial number
-clrreject Clears all the prohibited or rejected uses of the certificate
-badsig Corrupt last byte of certificate signature (for test)
-* Any supported digest
-subject_hash_old Print old-style (MD5) issuer hash value
-issuer_hash_old Print old-style (MD5) subject hash value
-engine val Use engine, possibly a hardware device
-preserve_dates preserve existing dates when signing
So our options of interest in checking the SSL expiry date from the certificate file are;
- -enddate: shows the expiry date of the certificate
- -in infile: specifies the file you want to check.
So, for example, let's assume we have an SSL certificate file, kifarunix.com.crt, then you can check the expiry date by running;
openssl x509 -enddate -in kifarunix.com.crt
SSL/TLS certificate files are most commonly in PEM (Privacy Enhanced Mail) format, represented as ASCII text, with common file extensions such as .pem, .crt, .cer, or .key.
Sample output of the command above;
notAfter=May 25 23:59:59 2023 GMT
-----BEGIN CERTIFICATE-----
...
As you can see, the expiry date is given by;
notAfter=May 25 23:59:59 2023 GMT
You can also pass the -noout option to suppress the certificate output and print just the expiry date.
openssl x509 -enddate -in kifarunix.com.crt -noout
Output;
notAfter=May 25 23:59:59 2023 GMT
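To turn that notAfter line into a monitoring decision, the following added example (not part of the original guide) converts it to time remaining and classifies the certificate against a warning window. It assumes GNU date for `date -d`; the function names and the optional fixed-clock argument are hypothetical.

```shell
#!/bin/sh
# Added example: classify a certificate by time left before notAfter.
# Assumes GNU date (for `date -d`); function names are hypothetical.

# seconds_left LINE [NOW_EPOCH]: LINE is what `openssl x509 -enddate -noout`
# prints, e.g. "notAfter=May 25 23:59:59 2023 GMT". NOW_EPOCH overrides the
# current time so the logic can be checked against a fixed clock.
seconds_left() {
    case "$1" in
        notAfter=*) end_str=${1#notAfter=} ;;
        *) echo "not a notAfter line: $1" >&2; return 2 ;;
    esac
    end_epoch=$(date -u -d "$end_str" +%s 2>/dev/null) || return 2
    now_epoch=${2:-$(date -u +%s)}
    echo $(( end_epoch - now_epoch ))
}

# classify LINE WARN_DAYS [NOW_EPOCH]: prints EXPIRED, "EXPIRING <n>d" or "OK <n>d".
classify() {
    secs=$(seconds_left "$1" "$3") || return 2
    if [ "$secs" -le 0 ]; then
        echo "EXPIRED"
    elif [ "$secs" -le $(( $2 * 86400 )) ]; then
        echo "EXPIRING $(( secs / 86400 ))d"
    else
        echo "OK $(( secs / 86400 ))d"
    fi
}

# check_cert_file FILE WARN_DAYS: same check on a PEM file on disk.
# A file openssl cannot parse is reported rather than silently skipped.
check_cert_file() {
    line=$(openssl x509 -enddate -noout -in "$1" 2>/dev/null) \
        || { echo "UNREADABLE"; return 2; }
    classify "$line" "$2"
}

# Usage: sh certdays.sh kifarunix.com.crt other.crt   (30-day warning window)
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(check_cert_file "$f" 30)"
done

# Sample: the page's notAfter value against a constructed fixed clock (2023-05-01 UTC).
classify "notAfter=May 25 23:59:59 2023 GMT" 30 \
    "$(date -u -d '2023-05-01 00:00:00 UTC' +%s)"   # prints "EXPIRING 24d"
```

For a plain yes/no answer without date parsing, `openssl x509 -checkend <seconds> -noout -in <file>` exits 1 if the certificate expires within that many seconds, as the help output above states.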
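You can also connect to the site and check the SSL expiry date directly from the command line. Redirecting standard input from /dev/null makes s_client exit once the handshake completes instead of waiting for input, and -servername sends the hostname (SNI) so that a server hosting several sites returns the certificate for this one;
openssl s_client -connect kifarunix.com:443 -servername kifarunix.com -showcerts </dev/null | openssl x509 -enddate -noout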
And that is it on how to check SSL certificate expiry date from the certificate file itself.