How to check TLS/SSL certificate expiration date from command-line

You can check the expiration date of a TLS/SSL certificate from the command line using the “openssl” tool. Here’s an example command that checks the expiration date of a certificate for the domain “example.com”:

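echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates

The “-connect” option specifies the host and port to connect to. The “-servername” option sends the host name via SNI, which is needed for servers that host multiple domains on the same IP address. The leading “echo |” closes standard input so that s_client exits after the handshake instead of waiting for input. The “2>/dev/null” after the s_client command suppresses its error and diagnostic messages. Note that s_client prints the certificate even when chain verification fails, so the dates shown say nothing about whether the certificate is trusted.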

The output of the command will show the “notBefore” and “notAfter” fields, which indicate the start and expiration dates of the certificate, respectively. The dates are printed in the form “Mon DD HH:MM:SS YYYY GMT”.

You can also use the following command, which prints only the expiration date and uses the date command to reformat it (the -f option used here is specific to GNU date; -u keeps the result in UTC):

echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2 | date -u -f - +%Y-%m-%d

This command will return the expiration date of the certificate in the format “YYYY-MM-DD”.

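You can also use the openssl x509 -checkend option, which checks whether the certificate will expire within the given number of seconds.

openssl x509 -checkend 864000 -noout -in certificate.crt

With 864000 seconds (10 days), this command prints “Certificate will not expire” and exits with status 0 if the certificate is still valid 10 days from now; otherwise it prints “Certificate will expire” and exits with status 1. The exit status makes it easy to use in scripts.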

You can also use other tools like “curl” and “gnutls-cli” to check the expiration date of a certificate; they work in a similar way.

Please note that if you already have the certificate as a file on your machine, you can check its expiration date directly: drop the s_client step (with its -connect and -servername options) and pass the file to openssl x509 with the -in option.

openssl x509 -noout -enddate -in /path/to/certificate.crt

It will return the expiration date of the certificate in the format “notAfter=MMM DD HH:MM:SS YYYY GMT”
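
A monitoring script needs more than the raw dates: it has to compare notAfter against a warning window and treat a missing certificate as a failure, because 2>/dev/null hides connection errors. The script below is an added example, not part of the original post; it assumes a POSIX shell and GNU date, and the function names (seconds_left, classify, check_host) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes GNU date for `date -d`.
# Function names are hypothetical.

# seconds_left "<notAfter=... line>" [now_epoch]
# Prints seconds until expiry (negative if already past). Returns 2 if the
# line is not a parseable "notAfter=" line, e.g. empty after a failed connect.
seconds_left() {
  case $1 in
    notAfter=*) ;;
    *) return 2 ;;
  esac
  sl_end=$(date -u -d "${1#notAfter=}" +%s 2>/dev/null) || return 2
  sl_now=${2:-$(date +%s)}
  echo $(( sl_end - sl_now ))
}

# classify "<notAfter line>" <warn_days> [now_epoch]
# Prints OK / WARNING / EXPIRED / UNKNOWN; exit status 0 / 1 / 2 / 3.
classify() {
  cl_left=$(seconds_left "$1" "${3:-}") || { echo UNKNOWN; return 3; }
  if [ "$cl_left" -le 0 ]; then echo EXPIRED; return 2
  elif [ "$cl_left" -lt $(( $2 * 86400 )) ]; then echo WARNING; return 1
  else echo OK; return 0
  fi
}

# check_host <host> [warn_days]: fetch the live certificate and classify it.
check_host() {
  ch_line=$(echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
            openssl x509 -noout -enddate 2>/dev/null) || ch_line=
  ch_status=$(classify "$ch_line" "${2:-30}") && ch_rc=0 || ch_rc=$?
  echo "$ch_status $1 ${ch_line:-no certificate retrieved}"
  return "$ch_rc"
}

# Run only when a host is given, e.g.: sh certcheck.sh example.com 30
if [ "$#" -gt 0 ]; then check_host "$@"; fi
```

The exit status follows the usual monitoring-plugin convention, so the script can be called from cron or a monitoring agent; a host that returns no certificate is reported as UNKNOWN rather than silently passing.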
