SSL certificates have a validity period of just one year. If you don’t renew your certificate before the deadline, your website will become inaccessible to visitors because browsers will flag it as potentially vulnerable to security threats.
Knowing when your cert is due to expire will help you avoid unnecessary hassle and website outages. A quick way to examine your certificate’s lifespan is with a popular cryptographic library. This guide will show you how to check certificate expiration with OpenSSL. Follow the commands, and don’t let your SSL certificate’s validity period affect your website’s functionality.
OpenSSL Command to Check the Certificate Expiry Date
OpenSSL offers a few different commands to get the certificate expiration date. The specific command depends on the format of your certificate file and where it is stored. Here, we will cover the most common scenarios on Linux and Windows:
- Certificate Stored on a Server
- PEM Encoded Certificate File
Certificate Expiry Date OpenSSL Command Options
Checking the SSL certificate expiration date on a local server using OpenSSL is similar to checking it on a remote server. The difference is that instead of specifying a remote domain and port, you will use localhost and the appropriate port where your local server is running.
On Linux
Check SSL certificate expiration date in Linux command line:
echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -enddate
Replace yourdomain.com with your actual domain name.
On Windows
- Open Command Prompt or PowerShell. Press Win + R, type cmd or powershell, and press Enter.
- Run the OpenSSL command to check the certificate expiry date:
echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>nul | openssl x509 -noout -enddate
Replace yourdomain.com with your actual domain name. The 2>nul part is used instead of 2>/dev/null to discard error messages in Windows.
On MacOS
Checking the SSL certificate expiration date on macOS is the same as on Linux because both are Unix-like operating systems. The commands and their usage are identical.
Analyzing the Command and Output
Now, let’s inspect each element within the command for a more technical understanding of how OpenSSL checks the validity period. Consider the following command:
echo | openssl s_client -servername example.com -connect example.com:443 2>nul | openssl x509 -noout -enddate
And the output:
notAfter=May 23 12:00:00 2025 GMT
Here’s what each part means:
- echo |: Sends an empty input to the OpenSSL s_client command. It ensures that the command completes without requiring user interaction.
- openssl s_client -servername example.com -connect example.com:443:
  - openssl s_client: This command initiates an SSL/TLS connection to a remote server.
  - -servername example.com: This option is used for Server Name Indication (SNI), which allows specifying the hostname during the SSL handshake. It’s necessary for servers hosting multiple SSL/TLS certificates for different domains.
  - -connect example.com:443: Specifies the server and port to connect to. Port 443 is the standard port for HTTPS.
- 2>/dev/null (Linux) or 2>nul (Windows):
  - Redirects standard error (stderr) to /dev/null (Linux) or nul (Windows), effectively discarding any error messages. It cleans up the output, showing only the relevant information.
- | openssl x509 -noout -enddate:
  - The pipe (|) passes the previous command’s output as input to openssl x509.
  - openssl x509: This command is used to manage X.509 certificates.
  - -noout: Prevents the command from printing the certificate in PEM format.
  - -enddate: Displays only the certificate’s expiration date.
- notAfter=May 23 12:00:00 2025 GMT:
  - As explained earlier, it indicates the certificate will expire on May 23, 2025, at 12:00:00 GMT.
How to Check the SSL Certificate Expiration Date from a PEM Encoded File
A PEM encoded file is a base64 encoded format with separators such as -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. To check the expiry date of a PEM-encoded certificate file using OpenSSL, follow these steps:
On Linux and MacOS
- Open your terminal application.
- Navigate to the Directory Containing Your PEM File. Use the cd command to change to the directory where your certificate file is located:
cd /path/to/your/certificate/directory
- Use the following command to check the expiry date. Replace your_certificate.pem with your actual file name.
openssl x509 -in your_certificate.pem -noout -enddate
On Windows
- Open Command Prompt or PowerShell. Press Win + R, type cmd or powershell, and press Enter.
- Navigate to the Directory Containing Your PEM File. Use the cd command to navigate to the directory where your certificate file is located:
cd C:\path\to\your\certificate\directory
- Use the following command to check the expiry date:
openssl x509 -in your_certificate.pem -noout -enddate
Ensure you have OpenSSL installed and added to your PATH. If not, you may need to specify the full path to the openssl.exe binary.
Bottom Line
You can check certificate expiration with OpenSSL on various platforms. Despite slight differences in command syntax due to operating system variations, the outputs of these commands provide crucial information about the expiration date of your SSL certificates.
The notAfter field specifically tells you the exact date and time when your certificate will no longer be valid. Monitoring this information allows you to renew your certificates in time to maintain secure communications and avoid service disruptions.
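To act on the notAfter value rather than just read it, the following added example (not part of the original guide) converts the line printed by openssl x509 -noout -enddate into a renewal status. It assumes GNU date on Linux; the function name cert_status and the 30-day default threshold are illustrative choices.

```shell
# Added example (not from the original article). Assumes GNU date (Linux);
# cert_status and its 30-day default threshold are illustrative names/values.

# cert_status "<notAfter=... line>" [warn_days] [now_epoch]
# Prints "OK <days>", "RENEW_SOON <days>" or "EXPIRED".
# Returns 2 if the input is not an -enddate line (for example, empty output
# because the connection failed) or if the date cannot be parsed.
cert_status() {
    local line="$1" warn_days="${2:-30}" now="${3:-$(date +%s)}"
    local end secs

    case "$line" in
        notAfter=*) ;;
        *) echo "not an -enddate line: $line" >&2; return 2 ;;
    esac

    # Strip the "notAfter=" prefix and convert the timestamp to epoch seconds.
    end=$(date -u -d "${line#notAfter=}" +%s 2>/dev/null) || return 2
    secs=$(( end - now ))

    if [ "$secs" -le 0 ]; then
        echo "EXPIRED"
    elif [ "$secs" -le $(( warn_days * 86400 )) ]; then
        echo "RENEW_SOON $(( secs / 86400 ))"
    else
        echo "OK $(( secs / 86400 ))"
    fi
}

# Constructed demo: the sample output line from this guide, evaluated as if
# the current time were May 13 2025 12:00:00 GMT (ten days before expiry).
sample='notAfter=May 23 12:00:00 2025 GMT'
cert_status "$sample" 30 "$(date -u -d 'May 13 12:00:00 2025 GMT' +%s)"
```

For a PEM file, pass the command output directly: cert_status "$(openssl x509 -in your_certificate.pem -noout -enddate)".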