Home » Categories » Linux

OpenSSL: Check SSL Certificate Expiration Date and More

Article Number: 493 | Rating: Unrated | Last Updated: Mon, Feb 18, 2019 4:42 PM

From this article you will learn how to connect to a website over HTTPS and check its SSL certificate expiration date from the Linux command-line.

Besides of validity dates, i’ll show how to view who has issued an SSL certificate, whom is it issued to, its SHA1 fingerprint and the other useful information.

Linux users can easily check an SSL certificate from the Linux command-line, using the openssl utility, that can connect to a remote website over HTTPS, decode an SSL certificate and retrieve the all required data.

Cool Tip: If your SSL certificate expires soon – you will need to generate a new CSR! In Linux this can be easily done with a simple one-liner! Read more →

Check SSL Certificate Expiration Date

Run the following one-liner from the Linux command-line to check the SSL certificate expiration date, using the openssl:

$ echo | openssl s_client -servername NAME -connect HOST:PORT 2>/dev/null | openssl x509 -noout -dates

Short explanation:

OptionDescription
-connect HOST:PORT The host and port to connect to.
-servername NAME The TLS SNI (Server Name Indication) extension (website).

Info: Run man s_client to see the all available options.

As an example, let’s use the openssl to check the SSL certificate expiration date of the https://www.shellhacks.com website:

$ echo | openssl s_client -servername www.shellhacks.com -connect www.shellhacks.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Mar 18 10:55:00 2017 GMT
notAfter=Jun 16 10:55:00 2017 GMT

OpenSSL: Check SSL Certificate – Additional Information

 

Besides of the validity dates, an SSL certificate contains other interesting information.

 

Each SSL certificate contains the information about who has issued the certificate, whom is it issued to, already mentioned validity dates, SSL certificate’s SHA1 fingerprint and some other data.

All these data can retrieved from a website’s SSL certificate using the openssl utility from the command-line in Linux.

Check who has issued the SSL certificate:

$ echo | openssl s_client -servername shellhacks.com -connect shellhacks.com:443 2>/dev/null | openssl x509 -noout -issuer
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

Check whom the SSL certificate is issued to:

$ echo | openssl s_client -servername shellhacks.com -connect shellhacks.com:443 2>/dev/null | openssl x509 -noout -subject
subject= /CN=www.shellhacks.com

Check for what dates the SSL certificate is valid:

$ echo | openssl s_client -servername shellhacks.com -connect shellhacks.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Mar 18 10:55:00 2017 GMT
notAfter=Jun 16 10:55:00 2017 GMT

Show the all above information about the SSL certificate, at once:

$ echo | openssl s_client -servername shellhacks.com -connect shellhacks.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
subject= /CN=www.shellhacks.com
notBefore=Mar 18 10:55:00 2017 GMT
notAfter=Jun 16 10:55:00 2017 GMT

Cool Tip: You can also decode an SSL certificate file if you have it locally, using the openssl utility from the Linux command-line! Read more →

Show the SHA1 fingerprint of the SSL certificate:

$ echo | openssl s_client -servername www.shellhacks.com -connect www.shellhacks.com:443 2>/dev/null | openssl x509 -noout -fingerprint
SHA1 Fingerprint=26:F8:D5:E4:3E:7A:7B:7E:72:20:15:77:FE:C7:89:E7:E4:8A:15:CF

Extract the all information from the SSL certificate (decoded):

$ echo | openssl s_client -servername www.shellhacks.com -connect www.shellhacks.com:443 2>/dev/null | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:86:f4:63:3d:34:50:a8:47:cc:f7:99:10:1f:79:1c:21:c8
    Signature Algorithm: sha256WithRSAEncryption
[...]

Show the SSL certificate itself (encoded):

$ echo | openssl s_client -servername shellhacks.com -connect shellhacks.com:443 2>/dev/null | openssl x509
-----BEGIN CERTIFICATE-----
MIIFGDCCBACgAwIBAgISA4b0Yz00UKhHzPeZEB95HCHIMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzAzMTgxMDU1MDBaFw0x
[...]

Summary table:

OptionDescription
-text Prints out the certificate in text form.
-noout Prevents output of the encoded version of the request.
-subject Outputs the subject name.
-issuer Outputs the issuer name.
-dates Prints out the start and expiry dates of a certificate.
-fingerprint Prints out the digest of the DER encoded version of the whole certificate.

Info: Run man x509 to see the all available options.
Posted - Mon, Feb 18, 2019 4:42 PM. This article has been viewed 6562 times.
Filed Under: Linux
0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
ZFS: Verify/change properties of a zfs filesystem
Viewed 2443 times since Sun, Jun 3, 2018
RHEL: Crash kernel dumps configuration and analysis on RHEL 5
Viewed 7020 times since Sat, Jun 2, 2018
How to create a Systemd service in Linux
Viewed 2712 times since Mon, Dec 7, 2020
RHEL: Displaying/setting kernel parameters - ’sysctl’
Viewed 2818 times since Sat, Jun 2, 2018
Installing and Configuring an OCFS2 Clustered File System
Viewed 5700 times since Sat, Jun 2, 2018
RHEL: Crash kernel dumps configuration and analysis on RHEL 6
Viewed 4566 times since Sat, Jun 2, 2018
30 Handy Bash Shell Aliases For Linux / Unix / MacOS
Viewed 4447 times since Thu, Feb 11, 2021
ZFS: Remove an existing zfs filesystem
Viewed 2009 times since Sun, Jun 3, 2018
RHEL: Handling SCSI disks
Viewed 12224 times since Sun, May 27, 2018
How log rotation works with logrotate
Viewed 4671 times since Fri, Nov 30, 2018