How to check TLS/SSL certificate expiration date from command-line

How do I check the TLS/SSL certificate expiration date from my Linux or Unix shell prompt? How can I find the TLS certificate expiry date from Linux or Unix shell scripts?

We can quickly solve TLS or SSL certificate issues by checking the certificate's expiration from the command line. Let us see how to determine the TLS or SSL certificate expiration date from a PEM-encoded certificate file and from a live production website/domain name on Linux, *BSD, macOS or another Unix-like system.

Tutorial details
Difficulty level: Easy
Root privileges: No
Requirements: openssl command on Linux, macOS, *BSD or Unix-like OS
Est. reading time: 3 minutes

How to check TLS/SSL certificate expiration date from command-line

To check the SSL certificate expiration date, we are going to use the OpenSSL command-line client. OpenSSL client provides tons of data, including validity dates, expiry dates, who issued the TLS/SSL certificate, and much more.

Check the expiration date of an SSL or TLS certificate

Open the Terminal application and then run the following command:
$ openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates
$ echo | openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates

Let us find out expiration date for, enter:

openssl s_client -servername $DOM -connect $DOM:$PORT \
| openssl x509 -noout -dates

Sample outputs indicating dates and other information:

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN =
verify return:1
notBefore=Sep 29 23:10:07 2020 GMT
notAfter=Dec 28 23:10:07 2020 GMT

Add the echo command to avoid pressing the CTRL+C. For instance:

## note echo added ##
echo | openssl s_client -servername $DOM -connect $DOM:$PORT \
| openssl x509 -noout -dates

OpenSSL in action: Check the TLS/SSL certificate expiration date and time

Understanding openssl command options

The openssl command is a very useful diagnostic tool for TLS and SSL servers. The options used above are as follows:

  1. s_client : The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS.
  2. -servername $DOM : Set the TLS SNI (Server Name Indication) extension in the ClientHello message to the given value.
  3. -connect $DOM:$PORT : This specifies the host ($DOM) and optional port ($PORT) to connect to.
  4. x509 : Run certificate display and signing utility.
  5. -noout : Prevents output of the encoded version of the certificate.
  6. -dates : Prints out the start and expiry dates of a TLS or SSL certificate.

Finding SSL certificate expiration date from a PEM encoded certificate file

The syntax to query a certificate file for when the TLS/SSL certificate will expire is as follows:
$ openssl x509 -enddate -noout -in {/path/to/my/my.pem}
$ openssl x509 -enddate -noout -in /etc/nginx/ssl/
$ openssl x509 -enddate -noout -in /etc/nginx/ssl/

notAfter=Dec 29 23:48:42 2020 GMT

We can also check if the certificate expires within the given timeframe. For example, find out if the TLS/SSL certificate expires within next 7 days (604800 seconds):
$ openssl x509 -enddate -noout -in my.pem -checkend 604800
# Check if the TLS/SSL cert will expire in next 4 months #
openssl x509 -enddate -noout -in my.pem -checkend 10520000

Finding out whether the TLS/SSL certificate has expired or will expire within the next N days, given in seconds.
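
Both checks above (the live-host pipeline and the PEM file query) end in a notAfter= line. The following added example, which is not part of the original tutorial, turns that line into a days-remaining figure and a Nagios-style exit code, and reports UNKNOWN when no certificate was retrieved. It assumes GNU date; the function names and the WARN_DAYS/CRIT_DAYS thresholds are illustrative, and the demo input is the notAfter value from the sample output with a constructed "now".

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumes GNU date (date -d).
# Exit codes follow the Nagios plugin convention: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
WARN_DAYS=${WARN_DAYS:-30}   # illustrative thresholds, override from the environment
CRIT_DAYS=${CRIT_DAYS:-7}

# cert_state "notAfter=<date>" [now_epoch]
# Classifies one line of `openssl x509 -enddate` output; prints "<STATE> <days left>".
cert_state() {
    case $1 in
        notAfter=?*) ;;
        *) echo "UNKNOWN no notAfter line"; return 3 ;;   # e.g. connection failed
    esac
    end=$(date -u -d "${1#notAfter=}" +%s 2>/dev/null) || {
        echo "UNKNOWN unparsable date"; return 3; }
    now=${2:-$(date -u +%s)}
    secs=$((end - now))
    if [ "$secs" -le 0 ]; then echo "EXPIRED 0"; return 2; fi
    days=$((secs / 86400))
    if [ "$days" -lt "$CRIT_DAYS" ]; then echo "CRITICAL $days"; return 2; fi
    if [ "$days" -lt "$WARN_DAYS" ]; then echo "WARNING $days"; return 1; fi
    echo "OK $days"
}

# check_host <dns-name> [port]: live server, SNI set as in the tutorial's pipeline.
# stdin comes from /dev/null so s_client exits without waiting for CTRL+C.
check_host() {
    line=$(openssl s_client -servername "$1" -connect "$1:${2:-443}" </dev/null 2>/dev/null |
           openssl x509 -noout -enddate 2>/dev/null)
    cert_state "$line"
}

# check_pem <file>: PEM-encoded certificate on disk.
check_pem() {
    cert_state "$(openssl x509 -noout -enddate -in "$1" 2>/dev/null)"
}

# Demo on constructed input: the notAfter line from the sample output above,
# evaluated as if "now" were ten days before that date. Prints "WARNING 10".
demo_end=$(date -u -d 'Dec 28 23:10:07 2020 GMT' +%s)
cert_state 'notAfter=Dec 28 23:10:07 2020 GMT' "$((demo_end - 10 * 86400))" || :
```

An UNKNOWN result means no certificate was read at all (connection refused, wrong port, unreadable file), so a monitoring job should alert on it instead of treating it as healthy.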

Shell script to determine SSL certificate expiration date from the crt file itself and alert sysadmin

Here is a sample shell script:

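#!/bin/bash
# Purpose: Alert sysadmin/developer about the TLS/SSL cert expiry date in advance
# Author: Vivek Gite {} under GPL v2.x+
# -------------------------------------------------------------------------------
PEM="/path/to/my/my.pem"        # placeholder: certificate file to check
# 7 days in seconds 
DAYS="604800"
# Email settings 
_sub="$PEM will expire within $DAYS (7 days)."
_from="alerts@example.com"      # placeholder sender address
_to="sysadmin@example.com"      # placeholder recipient address
_openssl="/usr/bin/openssl"     # assumed location of the openssl binary
# -checkend prints 'Certificate will expire' when the cert ends within $DAYS seconds
$_openssl x509 -enddate -noout -in "$PEM"  -checkend "$DAYS" | grep -q 'Certificate will expire'
# Send email and push message to my mobile
if [ $? -eq 0 ]
then
        echo "${_sub}"
        mail -s "$_sub" -r "$_from" "$_to" <<< "Warning: The TLS/SSL certificate ($PEM) will expire soon on $HOSTNAME [$(date)]"
        # See #
        source ~/bin/
        push_to_mobile "$0" "$_sub. See $_to email for detailed log. -- $HOSTNAME " >/dev/null
fi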

See how to send push notifications to your phone from script. Of course, you need a working SMTP server to route email. At work we configured AWS SES with Postfix MTA to route all alert emails. See the following tutorials for more information about sending emails from the CLI:

Say hello to testssl and ssl-cert-check script

We can use the testssl shell script, a free command-line tool that checks a server's service on any port for support of TLS/SSL ciphers and protocols, as well as recent cryptographic flaws and more. Download and run it as follows:
$ wget
$ chmod +x
$ --fast --parallel

Another option is to run ssl-cert-check script, which is a Bourne shell script that can be used to report on expiring SSL certificates. The script was designed to be run from cron and can e-mail warnings or log alerts through nagios.


In this quick tutorial, you learned how to find the TLS/SSL certificate expiration date from a PEM-encoded certificate file and from a live DNS name. Expired TLS/SSL certificates can cause downtime and confusion for end-users. Hence, it is crucial to monitor the expiry date of our TLS/SSL certificates. See the following man pages:
$ man x509
$ man s_client

5 comments… add one
  • Petr Topiarz Dec 2, 2020 @ 16:38

    Perfect job, very good guide, thank you, that helped a lot! Petr

  • Dotan Cohen Dec 3, 2020 @ 19:50

    It took me half a dozen tries to get through the captcha, if I wasn’t already familiar with cyberciti I wouldn’t have even bothered. Then, after coming back from eating, I see that I have to do the captchas again! This time, I’m not joking, I had to do over ten captchas before it would let me in, and each captcha is actually two pages of buses, boats, trains, and motorcycles.

    So if you see that the new captcha is keeping out a higher percentage of “bots” than the old captcha, it’s not bots that it’s keeping out.

  • Tom Gentoo Mar 31, 2021 @ 8:08

    Great tutorial and always well written
