SSL certificates have limited validity periods and must be renewed regularly to stay trusted by browsers. Public certificates issued after March 15, 2026 are limited to 200 days, with the maximum validity dropping to 100 days on March 15, 2027 and 47 days on March 15, 2029. Knowing exactly when a certificate expires helps you renew on time and avoid outages.
This guide shows you how to check certificate expiration with OpenSSL: for a live server, for a local file, and how to check whether a certificate is about to expire.
Quick answer:
For a live website, run:
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -enddate.
For a certificate file, run:
openssl x509 -in your_certificate.pem -noout -enddate.
The notAfter value is the expiration date.
Method 1: Check a certificate on a live server
This method connects to a running website and reads the certificate it serves, you do not need the certificate file. It works for any reachable host (a remote domain, or localhost with the right port for a local server).
On Linux and macOS
echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -enddate
Replace yourdomain.com with your actual domain. The commands are identical on macOS, since macOS is Unix-like (its built-in openssl is LibreSSL, which supports these options).
On Windows
- Open Command Prompt or PowerShell (press Win + R, type cmd or powershell, and press Enter).
- Run:
echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>nul | openssl x509 -noout -enddate
On Windows, use 2>nul instead of 2>/dev/null to discard error messages.
Method 2: Check a certificate from a PEM file
A PEM file is a base64-encoded certificate that begins with —–BEGIN CERTIFICATE—– and ends with —–END CERTIFICATE—–. Use this method when you have the certificate file on disk.
On Linux and macOS
Move to the folder that holds your certificate, then read its end date (replace your_certificate.pem with your file name):
cd /path/to/your/certificate/directory
openssl x509 -in your_certificate.pem -noout -enddate
On Windows
cd C:\path\to\your\certificate\directory
openssl x509 -in your_certificate.pem -noout -enddate
Make sure OpenSSL is installed and on your PATH; otherwise, specify the full path to the openssl.exe binary.
See both dates, or check if a certificate expires soon
To see both the issue date (notBefore) and the expiry date (notAfter), use -dates instead of -enddate:
openssl x509 -in your_certificate.pem -noout -dates
To check whether a certificate will expire within a given window, use -checkend with a number of seconds (here, 2592000 seconds = 30 days):
openssl x509 -in your_certificate.pem -noout -checkend 2592000
It prints Certificate will not expire (and exits with status 0) or Certificate will expire (status 1) — which makes it ideal for monitoring scripts and cron jobs.
Understanding the command and output
Take the live-server command and its output as an example:
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate
Output:
notAfter=Sep 15 23:59:59 2026 GMT
Here is what each part does:
- echo | — sends empty input so the command finishes without waiting for interaction.
- openssl s_client — opens an SSL/TLS connection to the server.
- -servername example.com — sets Server Name Indication (SNI), required when a server hosts multiple certificates for different domains.
- -connect example.com:443 — the host and port to connect to (port 443 is the standard HTTPS port).
- 2>/dev/null (Linux/macOS) or 2>nul (Windows) — discards error messages so only the relevant output is shown.
- | openssl x509 -noout -enddate — pipes the certificate into the x509 tool; -noout suppresses the PEM dump and -enddate prints only the expiry date.
- notAfter=… — the date and time the certificate stops being valid.
Automate it: stop tracking dates by hand
Rather than checking expiry dates manually, especially as validity periods shrink toward 47 days, you can use ACME as Certificate-as-a-Service (CaaS). It handles domain validation, installs certificates, and renews them automatically before they expire, so your site stays trusted without manual intervention.
Bottom line
OpenSSL checks certificate expiration in one line, from a live server with s_client, or from a file with x509 -enddate, while -dates and -checkend add the issue date and an expires-soon check. The notAfter field tells you exactly when to renew so you can avoid service disruptions. When you are ready to renew, browse our SSL certificates.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

