
OpenSSL Commands to Check SSL Certificates: 10 Commands + Examples [2026]

by Priya Mervana | Last updated Apr 13, 2026 | SSL Certificate

OpenSSL Command to Check Certificate

OpenSSL's x509 command lets you inspect, verify, and troubleshoot SSL/TLS certificates directly from the terminal. Run openssl x509 -in certificate.crt -text -noout to display a certificate's full details - issuer, validity dates, subject, public key, and extensions - in human-readable format. This single command covers the majority of day-to-day certificate inspection tasks without requiring any additional tools.

What is OpenSSL? OpenSSL is an open-source cryptographic toolkit used to implement SSL and TLS protocols. Its x509 subcommand parses and displays certificate information stored in PEM or DER format, making it the standard utility for certificate verification on Linux, macOS, and Unix-based systems.

According to Google's HTTPS Transparency Report for June 2025, 95% of web traffic across Google's own platforms is now encrypted - which makes correct certificate configuration, and the ability to verify it quickly, more operationally important than ever.

How Do You Check a Certificate Using OpenSSL?

The primary command for inspecting a local certificate file is:

openssl x509 -in certificate.crt -text -noout

The -text flag outputs all certificate fields in human-readable format. The -noout flag suppresses the raw Base64 output so you only see the parsed data. For PEM-format certificates (the most common format on Linux servers), this command works immediately with no additional flags.

For DER-format certificates, add -inform DER to the command:

openssl x509 -in certificate.der -inform DER -text -noout

This outputs the certificate version, serial number, signature algorithm, issuer name, subject name, validity period, public key details, and all X.509 v3 extensions.

What Information Does the x509 Command Display?

The openssl x509 -text command displays every field stored in the certificate. Here is what each field means:

Issuer: the certificate authority that signed the certificate. Example: CN=Let's Encrypt Authority
Subject: the entity the certificate was issued to. Example: CN=example.com
Valid From (notBefore): the date the certificate becomes active. Example: Jan 15 2025
Valid Until (notAfter): the date the certificate expires. Example: Apr 15 2025
Serial Number: unique identifier assigned by the CA. Example: 4A:3B:2C:1D
Public Key Algorithm: public key algorithm and key size. Example: RSA, 2048 bits
Subject Alternative Names: all domains covered by the certificate. Example: DNS:example.com, DNS:www.example.com

The Extensions section is worth paying close attention to. Subject Alternative Names (SANs) list every domain the certificate protects, and the Key Usage and Extended Key Usage extensions define what the certificate is permitted to do - server authentication, client authentication, code signing, and so on.

How Do You Check Certificate Expiration Dates?

To display only the validity dates without the full certificate output, use the -dates flag:

openssl x509 -in certificate.crt -noout -dates

This returns two lines, one beginning notBefore= and one beginning notAfter=, each followed by the corresponding date.

For automated monitoring and scripting, the -checkend flag is more practical. It accepts a number of seconds and exits with code 0 if the certificate remains valid for that duration, or code 1 if it will expire within that window:

openssl x509 -in certificate.crt -noout -checkend 86400

Use 86400 for a one-day check, 604800 for one week, or 2592000 for 30 days. This flag integrates cleanly into shell scripts and cron jobs for automated expiry alerting.
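As an added example that is not part of the original article, the following POSIX shell script wraps -checkend in a small expiry monitor: every file is reported as OK, EXPIRING or UNREADABLE against one window in days, and the overall exit status is non-zero when anything is not OK, which is what a cron job or CI step needs. It generates its own self-signed test certificate (the file names, the CN expiry-demo.example and the 10-day lifetime are constructed for the demo), so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original article): an expiry monitor built on
# "openssl x509 -checkend". Each file is reported as OK, EXPIRING or UNREADABLE
# and the overall exit status is non-zero if any file is not OK.

# Exit 0 if FILE is still valid DAYS days from now, 1 if it expires within that
# window, 2 if FILE cannot be parsed as a PEM certificate.
cert_ok_for_days() {   # FILE DAYS
    _seconds=$(( $2 * 86400 ))
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    # -checkend N exits 0 when the certificate is still valid N seconds from now.
    openssl x509 -in "$1" -noout -checkend "$_seconds" >/dev/null 2>&1
}

# Report every FILE against one DAYS window. Returns 1 if any file is
# expiring or unreadable, 0 otherwise.
report_expiry() {   # DAYS FILE...
    _days=$1; shift
    _rc=0
    for _f in "$@"; do
        cert_ok_for_days "$_f" "$_days" && _st=0 || _st=$?
        case $_st in
            0) printf 'OK         %s (%s)\n' "$_f" "$(openssl x509 -in "$_f" -noout -enddate)" ;;
            1) printf 'EXPIRING   %s (%s)\n' "$_f" "$(openssl x509 -in "$_f" -noout -enddate)"; _rc=1 ;;
            *) printf 'UNREADABLE %s\n' "$_f"; _rc=1 ;;
        esac
    done
    return $_rc
}

# Constructed test data: a self-signed certificate that expires in DAYS days.
make_test_cert() {   # DIR DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/key.pem" -out "$1/cert.pem" \
        -days "$2" -subj "/CN=expiry-demo.example" >/dev/null 2>&1
}

demo() {
    _d=$(mktemp -d)
    make_test_cert "$_d" 10
    echo "== 1-day window (expect OK)";  report_expiry 1 "$_d/cert.pem"
    echo "== 30-day window (expect EXPIRING, and UNREADABLE for the key file)"
    report_expiry 30 "$_d/cert.pem" "$_d/key.pem"
    rm -rf "$_d"
}
demo
```

In a real cron job, replace the demo with something like report_expiry 30 /etc/ssl/certs/*.crt and alert on a non-zero exit status; the per-file lines give the notAfter date so the alert can say which certificate is the problem.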

How Do You Verify a Certificate and Private Key Match?

A mismatched certificate and private key causes immediate deployment failures - the server will refuse to start or throw a TLS handshake error. To confirm they match, generate the MD5 hash of the modulus from both files and compare the output:

openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5

Identical hash values confirm the certificate and private key are a matched pair. Different hashes mean the files do not correspond - the most common cause is generating a new CSR without keeping track of which key file was used.

Run this check before every deployment to a production server. It takes under a second and eliminates the most common class of post-deployment SSL errors.
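The following shell script, an added example rather than the article's own code, turns the modulus check into a function and adds a second function that compares the public key extracted from the certificate with the public key derived from the private key. The modulus method only applies to RSA keys (openssl rsa cannot read an EC or Ed25519 key, and x509 -modulus reports no modulus for a non-RSA certificate), whereas the public-key comparison works for any key type. The key pairs it generates (named rsa, rsa2 and ec, with made-up CNs) are constructed locally for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article). Two ways to confirm that a
# certificate and a private key belong together:
#   1. the article's modulus comparison, which is RSA-only;
#   2. a public-key comparison that works for any key type.

# RSA only. Returns 0 on match, 1 on mismatch, 2 if either file is not RSA.
# The md5 step mirrors the article: it only shortens the modulus for comparison.
key_matches_cert_rsa() {   # CERT KEY
    _cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    case $_cert_mod in
        Modulus=[0-9A-F]*) ;;      # an RSA modulus is a hex string
        *) return 2 ;;             # "Wrong Algorithm type" / "No modulus ..."
    esac
    _key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 2
    _a=$(printf '%s\n' "$_cert_mod" | openssl md5)
    _b=$(printf '%s\n' "$_key_mod" | openssl md5)
    [ "$_a" = "$_b" ]
}

# Any key type. Extract the public key from both sides and compare the PEM.
# Returns 0 on match, 1 on mismatch, 2 if a file cannot be read.
key_matches_cert() {   # CERT KEY
    _cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    _key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$_cert_pub" ] && [ "$_cert_pub" = "$_key_pub" ]
}

# Constructed test data: a self-signed certificate plus its key in DIR.
# KEYSPEC is what "openssl req -newkey" accepts, e.g. rsa:2048 or
# ec -pkeyopt ec_paramgen_curve:prime256v1.
make_pair() {   # DIR NAME KEYSPEC...
    _dir=$1; _name=$2; shift 2
    openssl req -x509 -newkey "$@" -nodes -keyout "$_dir/$_name.key" \
        -out "$_dir/$_name.crt" -days 30 -subj "/CN=$_name.example" >/dev/null 2>&1
}

demo() {
    _d=$(mktemp -d)
    make_pair "$_d" rsa rsa:2048
    make_pair "$_d" ec ec -pkeyopt ec_paramgen_curve:prime256v1
    for _pair in "rsa rsa" "rsa ec" "ec ec"; do
        set -- $_pair
        key_matches_cert "$_d/$1.crt" "$_d/$2.key" && _r=match || _r="no match"
        echo "public-key method  $1.crt + $2.key: $_r"
    done
    key_matches_cert_rsa "$_d/ec.crt" "$_d/ec.key"; _r=$?
    echo "modulus method on the EC pair exits with $_r (not RSA)"
    rm -rf "$_d"
}
demo
```

Because key_matches_cert only needs the certificate and the key file, it can be dropped into a deploy script before the web server is reloaded, which is the point the article makes about running this check before every production deployment.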

How Do You Check Certificates on Remote Servers?

The s_client subcommand connects to a live server and retrieves its certificate chain over the network. This is the correct approach when you do not have the certificate file locally:

openssl s_client -connect example.com:443 -showcerts

For servers using SNI (Server Name Indication) - where multiple domains share a single IP address - add -servername to ensure you receive the correct certificate:

openssl s_client -connect example.com:443 -servername example.com -showcerts

The output displays the full chain: the server certificate, any intermediate certificates, and the root. According to Qualys SSL Pulse's June 2025 report, 28.7% of the top 150,000 websites fail SSL best practices - with incomplete certificate chains being one of the most common configuration errors. Checking the full chain with -showcerts is the fastest way to confirm all intermediates are present.

Press Ctrl+C to exit the connection once you have reviewed the output.

What Are the Common Certificate Verification Commands?

Beyond basic inspection, OpenSSL provides targeted flags for specific verification tasks. Each command below is self-contained and can be run independently.

Check certificate purpose (confirms what the certificate is authorized to do):

openssl x509 -in certificate.crt -noout -purpose

Verify certificate against a CA bundle (confirms the full trust chain):

openssl verify -CAfile ca-bundle.crt certificate.crt

Display the certificate fingerprint (useful for comparison and pinning):

openssl x509 -in certificate.crt -noout -fingerprint

Show Subject Alternative Names (lists every domain the certificate covers):

openssl x509 -in certificate.crt -noout -ext subjectAltName

The verify command against a CA bundle is particularly useful when deploying certificates to servers that serve internal clients - it confirms the chain validates correctly against your organization's trusted root store, not just the public internet's.

How Do You Convert Certificate Formats?

Different platforms require different certificate formats. OpenSSL converts between the four common formats without any third-party tools:

PEM (.pem, .crt) - Linux/Apache servers, most web servers
DER (.der, .cer) - Windows systems, Java applications
PKCS#12 (.p12, .pfx) - Windows IIS, Outlook email certificates
PKCS#7 (.p7b, .p7c) - Certificate chains, Windows Server

PEM to DER:

openssl x509 -in certificate.pem -outform DER -out certificate.der

DER to PEM:

openssl x509 -in certificate.der -inform DER -out certificate.pem

PEM to PKCS#12 (bundles certificate and private key into a password-protected archive):

openssl pkcs12 -export -in certificate.pem -inkey private.key -out certificate.p12

PEM files store Base64-encoded data between BEGIN CERTIFICATE and END CERTIFICATE markers. DER files store the same data in binary form. PKCS#12 archives combine the certificate and private key into a single file, which is why Windows IIS and mail clients prefer them.
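As an added example (not the article's own code), this shell script converts a constructed certificate PEM to DER, PEM to PKCS#12 and PEM to PKCS#7 and back again, then compares the SHA-256 fingerprint after every step to show that only the container changes, never the certificate itself. The certificate, key, file names and the PKCS#12 password demo are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article). Round-trips one certificate
# through DER, PKCS#12 and PKCS#7 and confirms the SHA-256 fingerprint is the
# same after each conversion.

# SHA-256 fingerprint of FILE; FORM is PEM (default) or DER.
fingerprint() {   # FILE [FORM]
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256 | cut -d= -f2
}

pem_to_der() { openssl x509 -in "$1" -outform DER -out "$2"; }   # IN OUT
der_to_pem() { openssl x509 -in "$1" -inform DER -out "$2"; }    # IN OUT

# Bundle certificate and key into a password-protected PKCS#12 archive.
pem_to_p12() {   # CERT KEY OUT PASSWORD
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# Pull only the end-entity certificate back out of a PKCS#12 archive. pkcs12
# prints "Bag Attributes" lines before the PEM block; x509 strips them.
p12_to_pem() {   # P12 PASSWORD OUT
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts | openssl x509 -out "$3"
}

# PKCS#7 carries certificates only (no key); this is the same crl2pkcs7
# trick the article uses to list a chain.
pem_to_p7b() { openssl crl2pkcs7 -nocrl -certfile "$1" -out "$2"; }            # IN OUT
p7b_to_pem() { openssl pkcs7 -in "$1" -print_certs | openssl x509 -out "$2"; } # IN OUT

# Generate a constructed certificate in DIR, run every conversion and return 0
# only if all fingerprints match the original (1 on mismatch, 2 on a failed
# openssl call).
roundtrip_preserves_fingerprint() {   # DIR
    _d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$_d/key.pem" -out "$_d/cert.pem" \
        -days 30 -subj "/CN=convert-demo.example" >/dev/null 2>&1 || return 2
    _orig=$(fingerprint "$_d/cert.pem")
    pem_to_der "$_d/cert.pem" "$_d/cert.der"                    || return 2
    der_to_pem "$_d/cert.der" "$_d/from-der.pem"                || return 2
    pem_to_p12 "$_d/cert.pem" "$_d/key.pem" "$_d/cert.p12" demo || return 2
    p12_to_pem "$_d/cert.p12" demo "$_d/from-p12.pem"           || return 2
    pem_to_p7b "$_d/cert.pem" "$_d/cert.p7b"                    || return 2
    p7b_to_pem "$_d/cert.p7b" "$_d/from-p7b.pem"                || return 2
    [ "$(fingerprint "$_d/cert.der" DER)" = "$_orig" ] || return 1
    for _f in from-der from-p12 from-p7b; do
        [ "$(fingerprint "$_d/$_f.pem")" = "$_orig" ] || return 1
    done
    echo "all conversions preserve fingerprint $_orig"
}

_tmp=$(mktemp -d)
roundtrip_preserves_fingerprint "$_tmp"
rm -rf "$_tmp"
```

Comparing fingerprints is also the quickest way to confirm that the file you exported for IIS or a mail client really contains the certificate you meant to ship, since the .p12 is binary and cannot be eyeballed.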

What Troubleshooting Commands Help With Certificate Issues?

When a certificate fails validation or a TLS connection refuses to establish, these diagnostic commands pinpoint the problem.

Test cipher suite compatibility (confirms the server accepts a specific cipher):

openssl s_client -connect example.com:443 -cipher 'AES256-SHA'

Verify certificate chain order (catches incorrectly ordered intermediate certificates):

openssl crl2pkcs7 -nocrl -certfile certificate-chain.pem | openssl pkcs7 -print_certs -noout

Check certificate validity window (returns exit code 0 if valid, 1 if expiring within the period):

openssl x509 -in certificate.crt -noout -checkend 86400

Missing or out-of-order intermediate certificates are the most frequent cause of certificate warnings in mobile browsers, even when desktop browsers show no error. The chain order command above reveals whether intermediates are present and arranged correctly.
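This added shell script (not the article's code) combines the remote-chain procedure from the s_client section with the chain-order check above: fetch_chain retrieves a server's chain with the same s_client command, redirecting stdin from /dev/null so the session closes by itself instead of waiting for Ctrl+C, and check_chain_order splits a chain file into its certificates and confirms that each certificate's issuer is the subject of the one after it, which is the order a server must send (leaf, then intermediates, then root). Because the network call cannot run offline, the demonstration builds a constructed root/intermediate/leaf chain locally (the names Constructed Test Root, Constructed Test Intermediate and www.example.test are made up) and checks both a correctly ordered and a swapped copy; it also runs openssl verify against the constructed root, as in the verification section.

```shell
#!/bin/sh
# Added example (not from the original article). Fetch a server's chain the
# way the article's s_client command does, split it, and check the order.

# Save the PEM chain a server sends (leaf first) to FILE. Stdin from /dev/null
# makes s_client exit on its own, so no Ctrl+C is needed.
fetch_chain() {   # HOST PORT FILE
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$3"
}

# Split CHAIN into DIR/cert1.pem, DIR/cert2.pem, ... in file order.
split_chain() {   # CHAIN DIR
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n > 0 { print > (dir "/cert" n ".pem") }
                     /-----END CERTIFICATE-----/ { close(dir "/cert" n ".pem") }' "$1"
}

# Return 0 if every certificate's issuer equals the subject of the next one.
# -nameopt RFC2253 gives a stable, comparable name encoding.
check_chain_order() {   # CHAIN
    _dir=$(mktemp -d)
    split_chain "$1" "$_dir"
    _n=$(( $(ls "$_dir"/cert*.pem 2>/dev/null | wc -l) ))
    [ "$_n" -ge 1 ] || { rm -rf "$_dir"; return 1; }
    _rc=0; _i=1
    while [ "$_i" -lt "$_n" ]; do
        _issuer=$(openssl x509 -in "$_dir/cert$_i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
        _next=$(openssl x509 -in "$_dir/cert$((_i + 1)).pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        if [ "$_issuer" = "$_next" ]; then
            echo "ok     cert$_i is issued by cert$((_i + 1)) ($_next)"
        else
            echo "BROKEN cert$_i issuer '$_issuer' != cert$((_i + 1)) subject '$_next'"
            _rc=1
        fi
        _i=$((_i + 1))
    done
    rm -rf "$_dir"
    return $_rc
}

# Constructed test data: root -> intermediate -> leaf, written to DIR, plus a
# correctly ordered chain file and one with leaf and intermediate swapped.
make_test_chain() {   # DIR
    _d=$1
    _key="ec -pkeyopt ec_paramgen_curve:prime256v1"   # expanded unquoted on purpose
    openssl req -x509 -newkey $_key -nodes -keyout "$_d/root.key" -out "$_d/root.pem" \
        -days 3650 -subj "/CN=Constructed Test Root" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$_d/ca.ext"
    openssl req -newkey $_key -nodes -keyout "$_d/int.key" -out "$_d/int.csr" \
        -subj "/CN=Constructed Test Intermediate" >/dev/null 2>&1
    openssl x509 -req -in "$_d/int.csr" -CA "$_d/root.pem" -CAkey "$_d/root.key" -CAcreateserial \
        -days 1825 -extfile "$_d/ca.ext" -out "$_d/int.pem" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' >"$_d/leaf.ext"
    openssl req -newkey $_key -nodes -keyout "$_d/leaf.key" -out "$_d/leaf.csr" \
        -subj "/CN=www.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$_d/leaf.csr" -CA "$_d/int.pem" -CAkey "$_d/int.key" -CAcreateserial \
        -days 90 -extfile "$_d/leaf.ext" -out "$_d/leaf.pem" >/dev/null 2>&1
    cat "$_d/leaf.pem" "$_d/int.pem" "$_d/root.pem" >"$_d/good-chain.pem"
    cat "$_d/int.pem" "$_d/leaf.pem" "$_d/root.pem" >"$_d/bad-chain.pem"
}

demo() {
    _d=$(mktemp -d)
    make_test_chain "$_d"
    echo "== correctly ordered chain";            check_chain_order "$_d/good-chain.pem"
    echo "== leaf and intermediate swapped";      check_chain_order "$_d/bad-chain.pem"
    echo "== openssl verify against the constructed root"
    openssl verify -CAfile "$_d/root.pem" -untrusted "$_d/int.pem" "$_d/leaf.pem"
    rm -rf "$_d"
}
demo
# Against a live server: fetch_chain example.com 443 chain.pem && check_chain_order chain.pem
```

A chain that passes check_chain_order can still fail openssl verify (an intermediate without CA:TRUE, an expired certificate, an unknown root), so treat the order check as the fast first step and the verify command as the final word.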

Cipher testing catches mismatches between what a server offers and what a client requires - a common issue when migrating older applications to servers that have disabled weak ciphers. Mastering these OpenSSL commands gives you direct diagnostic control over every layer of an SSL/TLS configuration.

Frequently Asked Questions

What does the openssl x509 -text output actually show?

The -text flag outputs every field stored in the certificate: version number, serial number, signature algorithm, issuer name, subject name, validity dates (notBefore and notAfter), public key type and size, and all X.509 v3 extensions including Subject Alternative Names, Key Usage, and Basic Constraints. The -noout flag is typically added alongside to suppress the raw Base64 encoding, leaving only the human-readable output.

How do I check if an OpenSSL certificate is expired or about to expire?

Run openssl x509 -in certificate.crt -noout -dates to see the exact expiration date. For scripting and automation, use openssl x509 -in certificate.crt -noout -checkend 86400 - substitute 86400 (seconds) with the window you want to test, such as 604800 for seven days. The command exits with code 0 if valid and code 1 if the certificate will expire within that period, making it easy to trigger alerts in shell scripts.

What is the difference between openssl verify and openssl x509?

The openssl x509 command reads and displays the certificate's contents - it tells you what is in the certificate. The openssl verify command validates the certificate against a CA bundle or trust store - it tells you whether the certificate chain is trusted and correctly formed. Use x509 for inspection and verify for trust-chain validation.

Can I check a certificate with OpenSSL without having the private key?

Yes. The openssl x509, openssl s_client, and openssl verify commands all work on the certificate file alone - the private key is not required for inspection or trust-chain validation. You only need the private key when verifying that a certificate and key are a matched pair, which uses the modulus comparison method with openssl rsa.

How do I use the -checkend flag and what does the exit code mean?

Run openssl x509 -in certificate.crt -noout -checkend N where N is the number of seconds from now. If the certificate will still be valid N seconds from now, the command exits with code 0 and prints "Certificate will not expire." If it will expire within that window, it exits with code 1 and prints "Certificate will expire." This makes it suitable for use in monitoring scripts, cron jobs, and CI/CD pipelines.

How do I check the full certificate chain on a remote server?

Use openssl s_client -connect example.com:443 -showcerts. The -showcerts flag outputs every certificate in the chain, not just the end-entity certificate. For SNI-based servers, add -servername example.com to ensure the correct virtual host certificate is returned. Review the output for any gaps between the server certificate and the root - missing intermediates are the most common chain error.

Priya Mervana


Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.
