We can quickly solve TLS or SSL certificate issues by checking the certificate’s expiration from the openssl command line.
Today, let us see how to check certificate’s expiration date in 2 ways.
The first one is to check the certificate on remote server side. The second is to check the certificate by PEM files.
Check TLS/SSL certificate expiration date on Remote server
To check the SSL certificate expiration date, we can use the OpenSSL command-line client.
Initially, we check the expiration date of an SSL or TLS certificate.
To do so, we open the terminal application and run:
- $ openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates
- $ echo | openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates
Example:
Then to find out the expiration date for www.sslhow.com, we enter:
- DOM=”www.sslhow.com”
- PORT=”443″
- openssl s_client -servername $DOM -connect $DOM:$PORT | openssl x509 -noout -dates
Our output will show dates and other information:
- depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
- verify return:1
- depth=1 C = US, O = “Cloudflare, Inc.”, CN = Cloudflare Inc ECC CA-3
- verify return:1
- depth=0 C = US, ST = California, L = San Francisco, O = “Cloudflare, Inc.”, CN = www.sslhow.com
- verify return:1
- notBefore=Nov 28 00:00:00 2021 GMT
- notAfter=Nov 27 23:59:59 2022 GMT
In addition, we add the echo command to avoid pressing the CTRL+C.
Find expiration date from a PEM encoded certificate file
We can find the SSL certificate expiration date from a PEM encoded certificate file.
We query the certificate file for when the TLS/SSL certification will expire:
- $ openssl x509 -enddate -noout -in {/path/to/my/my.pem}
- $ openssl x509 -enddate -noout -in /etc/nginx/ssl/sslhow.com.fullchain.cer
notAfter=Nov 27 23:59:59 2022 GMT
In addition, we can check if the certificate expires within the given timeframe.
For example,
- Find if the TLS/SSL certificate expires within the next 7 days (604800 seconds)
- $ openssl x509 -enddate -noout -in my.pem -checkend 604800
- Check if the TLS/SSL cert will expire in next 4 months #
- openssl x509 -enddate -noout -in my.pem -checkend 10520000