Skip to Content

2 Ways to Check TLS Certificate expiration Date with OpenSSL Command

We can quickly solve TLS or SSL certificate issues by checking the certificate’s expiration from the openssl command line.

Today, let us see how to check certificate’s expiration date in 2 ways.

The first one is to check the certificate on remote server side. The second is to check the certificate by PEM files.

Check TLS/SSL certificate expiration date on Remote server

To check the SSL certificate expiration date, we can use the OpenSSL command-line client.

Initially, we check the expiration date of an SSL or TLS certificate.

To do so, we open the terminal application and run:

  • $ openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates
  • $ echo | openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates

Then to find out the expiration date for, we enter:

  • DOM=””
  • PORT=”443″
  • openssl s_client -servername $DOM -connect $DOM:$PORT | openssl x509 -noout -dates

Our output will show dates and other information:

  • depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
  • verify return:1
  • depth=1 C = US, O = “Cloudflare, Inc.”, CN = Cloudflare Inc ECC CA-3
  • verify return:1
  • depth=0 C = US, ST = California, L = San Francisco, O = “Cloudflare, Inc.”, CN =
  • verify return:1
  • notBefore=Nov 28 00:00:00 2021 GMT
  • notAfter=Nov 27 23:59:59 2022 GMT

In addition, we add the echo command to avoid pressing the CTRL+C.

Find expiration date from a PEM encoded certificate file

We can find the SSL certificate expiration date from a PEM encoded certificate file.

We query the certificate file for when the TLS/SSL certification will expire:

  • $ openssl x509 -enddate -noout -in {/path/to/my/my.pem}
  • $ openssl x509 -enddate -noout -in /etc/nginx/ssl/

notAfter=Nov 27 23:59:59 2022 GMT

In addition, we can check if the certificate expires within the given timeframe.

For example,

  • Find if the TLS/SSL certificate expires within the next 7 days (604800 seconds)
  • $ openssl x509 -enddate -noout -in my.pem -checkend 604800
  • Check if the TLS/SSL cert will expire in next 4 months #
  • openssl x509 -enddate -noout -in my.pem -checkend 10520000