How to check TLS/SSL certificate expiration date from command-line

How do I check the TLS/SSL certificate expiration date from my Linux or Unix shell prompt? How can I find the TLS certificate expiry date from Linux or Unix shell scripts?

We can quickly solve TLS or SSL certificate issues by checking the certificate's expiration from the command line. Let us see how to determine the TLS or SSL certificate expiration date from a PEM encoded certificate file, and from a live production website/domain name too, when using Linux, *BSD, macOS or a Unix-like system.

To check the SSL certificate expiration date, we are going to use the OpenSSL command-line client. OpenSSL client provides tons of data, including validity dates, expiry dates, who issued the TLS/SSL certificate, and much more.

Check the expiration date of an SSL or TLS certificate

Open the Terminal application and then run the following command:
$ openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates
$ echo | openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates

Let us find out the expiration date for www.nixcraft.com. Enter:

DOM="www.nixcraft.com"
PORT="443"
openssl s_client -servername $DOM -connect $DOM:$PORT \
| openssl x509 -noout -dates

Sample outputs indicating dates and other information:

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.nixcraft.com
verify return:1
notBefore=Sep 29 23:10:07 2020 GMT
notAfter=Dec 28 23:10:07 2020 GMT

Add the echo command so that s_client gets end-of-input on stdin and exits on its own, instead of waiting until you press CTRL+C. For instance:

DOM="www.cyberciti.biz"
PORT="443"
## note echo added ##
echo | openssl s_client -servername $DOM -connect $DOM:$PORT \
| openssl x509 -noout -dates

OpenSSL in action: Check the TLS/SSL certificate expiration date and time

Understanding openssl command options

The openssl command is a very useful diagnostic tool for TLS and SSL servers. The openssl command-line options are as follows:

  1. s_client : The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS.
  2. -servername $DOM : Set the TLS SNI (Server Name Indication) extension in the ClientHello message to the given value.
  3. -connect $DOM:$PORT : This specifies the host ($DOM) and optional port ($PORT) to connect to.
  4. x509 : Run certificate display and signing utility.
  5. -noout : Prevents output of the encoded version of the certificate.
  6. -dates : Prints out the start and expiry dates of a TLS or SSL certificate.

Finding SSL certificate expiration date from a PEM encoded certificate file

The syntax is as follows. Query the certificate file to find out when the TLS/SSL certificate will expire:
$ openssl x509 -enddate -noout -in {/path/to/my/my.pem}
$ openssl x509 -enddate -noout -in /etc/nginx/ssl/www.cyberciti.biz.fullchain.cer.ecc
$ openssl x509 -enddate -noout -in /etc/nginx/ssl/www.nixcraft.com.fullchain.cer

notAfter=Dec 29 23:48:42 2020 GMT

We can also check whether the certificate expires within a given timeframe. For example, find out if the TLS/SSL certificate expires within the next 7 days (604800 seconds):
$ openssl x509 -enddate -noout -in my.pem -checkend 604800
# Check if the TLS/SSL cert will expire in next 4 months #
openssl x509 -enddate -noout -in my.pem -checkend 10520000

Finding out whether the TLS/SSL certificate has expired or will expire within the next N days (given in seconds).
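
The -checkend option also reports its result through the exit status, which is easier to script than parsing the printed text. The following is an added example, not part of the original tutorial: cert_status and make_demo_cert are hypothetical helper names, and the certificate is a throwaway self-signed one constructed for the demo. It separates an unreadable or corrupt file from a certificate that is simply not expiring, a case that text matching alone treats the same.

```bash
#!/bin/bash
# Added example: classify a PEM certificate using the -checkend exit status.
# cert_status and make_demo_cert are hypothetical helpers, not openssl features.

# Prints one of: unreadable | expired | expiring | ok
# Returns 3, 2, 1 or 0 respectively so a cron wrapper can branch on it.
cert_status() {
    local pem="$1" warn_days="$2"
    # Parse the file first: a missing or corrupt file must not be
    # mistaken for a healthy certificate.
    if ! openssl x509 -noout -in "$pem" >/dev/null 2>&1; then
        echo "unreadable"; return 3
    fi
    # -checkend N exits 0 if the cert is still valid N seconds from now,
    # non-zero if it will have expired by then. N=0 means "expired already".
    if ! openssl x509 -noout -in "$pem" -checkend 0 >/dev/null; then
        echo "expired"; return 2
    fi
    if ! openssl x509 -noout -in "$pem" -checkend "$((warn_days * 86400))" >/dev/null; then
        echo "expiring"; return 1
    fi
    echo "ok"; return 0
}

# Constructed sample input: a self-signed certificate valid for $2 days.
make_demo_cert() {
    local out="$1" days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=demo.invalid" -keyout "$out.key" -out "$out" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir/demo.pem" 30          # valid for 30 days
printf 'not a certificate\n' > "$demo_dir/bad.pem"

for days in 7 60; do
    printf 'warn=%sd  -> %s\n' "$days" "$(cert_status "$demo_dir/demo.pem" "$days")"
done
printf 'corrupt   -> %s\n' "$(cert_status "$demo_dir/bad.pem" 7)"
printf 'missing   -> %s\n' "$(cert_status "$demo_dir/nope.pem" 7)"
```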

Shell script to determine SSL certificate expiration date from the crt file itself and alert sysadmin

Here is a sample shell script:

#!/bin/bash
# Purpose: Alert sysadmin/developer about the TLS/SSL cert expiry date in advance
# Author: Vivek Gite {https://www.cyberciti.biz/} under GPL v2.x+
# -------------------------------------------------------------------------------
PEM="/etc/nginx/ssl/letsencrypt/cyberciti.biz/cyberciti.biz.fullchain.cer"

# 7 days in seconds
DAYS="604800"

# Email settings
_sub="$PEM will expire within $DAYS (7 days)."
_from="system-account@your-domain"
_to="sysadmin@your-domain"
_openssl="/usr/bin/openssl"

# -checkend prints "Certificate will expire" when the cert expires within
# $DAYS seconds, and "Certificate will not expire" otherwise
$_openssl x509 -enddate -noout -in "$PEM" -checkend "$DAYS" | grep -q 'Certificate will expire'

# Send email and push message to my mobile
if [ $? -eq 0 ]
then
        echo "${_sub}"
        mail -s "$_sub" -r "$_from" "$_to" <<< "Warning: The TLS/SSL certificate ($PEM) will expire soon on $HOSTNAME [$(date)]"
        # See https://www.cyberciti.biz/mobile-devices/android/how-to-push-send-message-to-ios-and-android-from-linux-cli/ #
        source ~/bin/cli_app.sh
        push_to_mobile "$0" "$_sub. See $_to email for detailed log. -- $HOSTNAME " >/dev/null
fi

See how to send push notifications to your phone from script. Of course, you need a working SMTP server to route email. At work we configured AWS SES with Postfix MTA to route all alert emails. See the following tutorials for more information about sending emails from the CLI:

Say hello to testssl and ssl-cert-check script

We can use the testssl.sh shell script, a free command-line tool that checks a server's service on any port for support of TLS/SSL ciphers and protocols, as well as recent cryptographic flaws and more. Download and run it as follows:
$ wget https://testssl.sh/testssl.sh
$ chmod +x testssl.sh
$ ./testssl.sh --fast --parallel https://www.cyberciti.biz/

Another option is to run the ssl-cert-check script, a Bourne shell script that can be used to report on expiring SSL certificates. The script was designed to be run from cron and can e-mail warnings or log alerts through Nagios.

Conclusion

In this quick tutorial, you learned how to find the TLS/SSL certificate expiration date from a PEM encoded certificate file and from a live DNS name. Expired TLS/SSL certificates can cause downtime and confusion for end-users. Hence, it is crucial to monitor the expiry date of our TLS/SSL certificates. See the following man pages:
$ man x509
$ man s_client
