OpenSSL check certificate expiration date is a quick process using command-line tools. Administrators use OpenSSL to view when SSL certificates will expire by entering specific commands in the terminal. The basic command “openssl s_client -connect domain.com:443 | openssl x509 -noout -dates” shows certificate validity periods. For local certificate files, users run “openssl x509 -in certificate.pem -noout -dates” to display expiration information. These OpenSSL commands help website owners track certificate status and plan renewals. The process requires basic terminal knowledge and returns clear expiration dates for SSL certificates.
Why Use OpenSSL for SSL Certificate Checks?
OpenSSL is the most reliable tool for openssl check certificate expiration because it:
- Works on all operating systems (Linux, Windows, macOS)
- Provides exact expiration timestamps
- Allows automation through scripts
- Verifies certificates even when browsers show errors
A Step-by-Step Guide to View SSL Certificate Expiration Date Using OpenSSL Commands
- Check Local Certificate Files
- Check Remote Server Certificates
- Verify Certificate Validity Period
- Check Intermediate & Root Certificates
Method 1: Check Local Certificate Files
If you have a certificate file (.pem, .crt, .cer), use this command for openssl get certificate expiration date:
openssl x509 -enddate -noout -in certificate.pem
This returns the “notAfter” date, which is the expiration timestamp.
Method 2: Check Remote Server Certificates
To openssl check cert expiration for a live website without downloading files:
openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates
- notBefore→ Certificate issuance date
- notAfter→ ssl certificate expiration date
Method 3: Verify Certificate Validity Period
Need to confirm if a certificate is currently active? Use:
openssl x509 -checkend 86400 -noout -in certificate.pem
- Nothing → Certificate is valid for at least 24 hours (86400 seconds)
- “Certificate will expire” → Renewal needed
Method 4: Check Intermediate & Root Certificates
Some SSL errors occur due to expired intermediates. To openssl check certificate validity for the full chain:
openssl s_client -showcerts -connect example.com:443 </dev/null
Look for each “notAfter” date in the output.
Automating Expiry Checks with Scripts
For servers with multiple certificates, automate openssl get expiration date checks with:
#!/bin/bash echo "Checking SSL expiry for example.com..." expiry=$(openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2) echo "Expires on: $expiry"
Add this to a cron job for proactive monitoring.
Troubleshooting OpenSSL Certificate Checks
1. “unable to load certificate” Error
- Ensure the file is in PEM format
- Convert .cer to .pem if needed:
openssl x509 -inform der -in certificate.cer -out certificate.pem
2. “verify error” During Remote Checks
- The server may be using an untrusted certificate
- Add -verify_return_error for detailed debugging
3. “certificate has expired” Warning
- Confirms the certificate expiration date has passed
- Immediate renewal required
Advanced: Checking Certificate Fingerprints
For security audits, verify fingerprints with:
openssl x509 -noout -fingerprint -sha256 -in certificate.pem
Final Thoughts
The process of checking SSL certificate expiration dates through OpenSSL serves as a critical step for website security maintenance and preventing website downtime. The guide explained the essential commands, which start from local certificate file inspection and end with remote server expiration verification. The OpenSSL tool enables users to perform exact control during both error troubleshooting and script-based automation. Users should actively track their certificates while establishing alert systems for renewal processes.
Frequently Asked Questions (FAQs)
How do I check when my SSL certificate expires?
Users can check SSL certificate expiration using the OpenSSL command: openssl x509 -enddate -noout -in certificate.pem. This command displays the exact expiration date of the SSL certificate. The system shows the date in UTC format.
How do I check SSL certificate details?
The OpenSSL command ‘openssl x509 -text -noout -in certificate.pem’ shows complete SSL certificate information. This includes the expiration date, issuer details, and certificate validity period. Users receive detailed certificate data in text format.
What happens if SSL certificate expires?
An expired SSL certificate causes browser security warnings for website visitors. Websites show “Not Secure” warnings in the address bar. Users lose trust in the website, and secure connections become unavailable.
How do I check if my SSL certificate is valid?
Users can verify SSL certificate validity through the command: openssl verify certificate.pem. The browser address bar shows a padlock icon for valid certificates. Certificate transparency logs also confirm certificate validity.
How often should SSL certificates be renewed?
SSL certificates need renewal before their expiration date, typically every 1-2 years. Organizations should track certificate expiration dates. IT teams should start the renewal process 30 days before expiration.
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.
