How To Check SSL Certificate Expiration with OpenSSL

(: August 21, 2019)

For Linux and Unix users, you may find a need to check the expiration of Local SSL Certificate files on your system. OpenSSL comes with an SSL/TLS client which can be used to establish a transparent connection to a server secured with an SSL certificate or by directly invoking certificate file.

This guide will discuss how to use openssl command to check the expiration of .p12 and start .crt certificate files.

Below example demonstrates how the openssl command is used:{text-align:left} img{margin:0 auto 0 0}
$ cat /etc/kubernetes/kubelet-ca.crt | openssl x509 -noout -enddate
notAfter=Aug  5 21:38:23 2029 GMT

The /etc/kubernetes/kubelet-ca.crt should be replaced with the correct path to your crt file.

For .p12 files, extract it first to a .pem file using the following command:

$ openssl pkcs12 -in mycert.p12 -out mycert.pem -nodes
$ cat mycert.crt | openssl x509 -noout -enddate

One command for this is:

$ openssl pkcs12 -in mycert.p12 -nodes | openssl x509 -noout -enddate

For certificates already used in Live websites, you can run:

export SITE_URL=""
export SITE_SSL_PORT="443"
openssl s_client -connect ${SITE_URL}:${SITE_SSL_PORT} 
  -servername ${SITE_URL} 2> /dev/null |  openssl x509 -noout  -dates

Sample output:

notBefore=Aug 19 00:00:00 2019 GMT
notAfter=Feb 25 23:59:59 2020 GMT

The expiration date for certificate is =Feb 25 23:59:59 2020.

Other security related guides:

How To Configure Apache Web Page Authentication on Ubuntu / Debian

How To Install Libreswan on Ubuntu

Install Cisco AnyConnect on Ubuntu / Debian / Fedora

How To Install Metasploit Framework on Debian{text-align:left} img{margin:0 auto 0 0}