2 Ways to Check TLS Certificate expiration Date with OpenSSL Command

We can quickly solve TLS or SSL certificate issues by checking the certificate’s expiration from the openssl command line.

Today, let us see how to check certificate’s expiration date in 2 ways.

The first one is to check the certificate on remote server side. The second is to check the certificate by PEM files.

Check TLS/SSL certificate expiration date on Remote server

To check the SSL certificate expiration date, we can use the OpenSSL command-line client.

Initially, we check the expiration date of an SSL or TLS certificate.

To do so, we open the terminal application and run:

$ openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates
$ echo | openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates

Example:
Then to find out the expiration date for www.sslhow.com, we enter:

DOM=”www.sslhow.com”
PORT=”443″
openssl s_client -servername $DOM -connect $DOM:$PORT | openssl x509 -noout -dates

Our output will show dates and other information:

depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, O = “Cloudflare, Inc.”, CN = Cloudflare Inc ECC CA-3
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = “Cloudflare, Inc.”, CN = www.sslhow.com
verify return:1
notBefore=Nov 28 00:00:00 2021 GMT
notAfter=Nov 27 23:59:59 2022 GMT

In addition, we add the echo command to avoid pressing the CTRL+C.

Find expiration date from a PEM encoded certificate file

We can find the SSL certificate expiration date from a PEM encoded certificate file.

We query the certificate file for when the TLS/SSL certification will expire:

$ openssl x509 -enddate -noout -in {/path/to/my/my.pem}
$ openssl x509 -enddate -noout -in /etc/nginx/ssl/sslhow.com.fullchain.cer

notAfter=Nov 27 23:59:59 2022 GMT

In addition, we can check if the certificate expires within the given timeframe.

For example,

Find if the TLS/SSL certificate expires within the next 7 days (604800 seconds)
$ openssl x509 -enddate -noout -in my.pem -checkend 604800
Check if the TLS/SSL cert will expire in next 4 months #
openssl x509 -enddate -noout -in my.pem -checkend 10520000

SSL

Check SSL Encryption in Linux

ByDavid Cao December 6, 2021June 11, 2023

SSL encryption applies two keys named Public key and Private Key to encrypt connection. Both keys are similar in nature but their usage is different. Even these keys length may vary in terms of bits. The more the key is lengthy; it is hard to break it. The receiver uses public key to encode the…

SSL

Extract private key from pfx file with openssl pkcs12

ByDavid Cao December 13, 2021June 11, 2023

A PFX file is a certificate in PKCS#12 format. It contains the SSL certificate (public keys) and the corresponding private keys. Most of the Certificate Authorities will not issue certificates with the private key. They just issue and share the certificates in .cer, .crt, and .p7b formats which don’t have the private key in most…

SSL

4 Examples to Create Private Key with openssl genrsa

ByDavid Cao December 13, 2021June 11, 2023

Use the openssl genrsa command to generate an RSA private key. The generated RSA private key can be customized by specifying the cipher algorithm and key size. openssl genpkey vs genrsa The openssl genpkey utility has superseded the genrsa utility. While the genrsa command is still valid and in use today, it is recommended to…

SSL

Check SSL Certificate Chain Order with Openssl

ByDavid Cao November 28, 2021June 11, 2023

A SSL certificate chain is an ordered list of certificates, containing an SSL/TLS Certificate and Certificate Authority (CA) Certificates, that enable the receiver to verify that the sender and all CA’s are trustworthy. Each certificate contains information about its issuer. The issuer is the next link in the SSL chain. The SSL chain will be…

SSL

How to convert pfx to pem

ByDavid Cao December 13, 2021June 11, 2023

SSL

How to Fix UNPROTECTED PRIVATE KEY FILE

ByDavid Cao December 8, 2021June 11, 2023

Error message: david@daniel-Inspiron-531:~$ ssh-add david/.ssh/id_rsa@@@@@@@@@@@@@@@@@@@@@@@@@@@@ WARNING: UNPROTECTED PRIVATE KEY FILE! @@@@@@@@@@@@@@@@@@@@@@@@@@@Permissions 0775 for ‘david/.ssh/id_rsa’ are too open.It is required that your private key files are NOT accessible by others.This private key will be ignored.david@daniel-Ins Understanding id_rsa Private Key File ~/.ssh/id_rsa Contains the private key for authentication. These files contain sensitive data and should be readable…

Check TLS/SSL certificate expiration date on Remote server

Find expiration date from a PEM encoded certificate file

Similar Posts

Leave a Reply Cancel reply