OpenSSL: Check SSL Certificate Expiration Date and More

In this article you will learn how to connect to a website over HTTPS and check its SSL certificate expiration date from the Linux command line.

Besides the validity dates, I'll show how to view who issued an SSL certificate, whom it is issued to, its SHA1 fingerprint and other useful information.

Linux users can easily check an SSL certificate from the command line using the openssl utility, which can connect to a remote website over HTTPS, decode its SSL certificate and retrieve all the required data.

Cool Tip: If your SSL certificate expires soon, you will need to generate a new CSR! In Linux this can be easily done with a simple one-liner!

Check SSL Certificate Expiration Date

Run the following one-liner from the Linux command line to check the SSL certificate expiration date using openssl:

$ echo | openssl s_client -servername NAME -connect HOST:PORT 2>/dev/null | openssl x509 -noout -dates

Short explanation:

Option              Description
-connect HOST:PORT  The host and port to connect to.
-servername NAME    The name to send in the TLS SNI (Server Name Indication) extension (the website's hostname).

Info: Run man s_client to see all the available options.

As an example, let's use openssl to check the SSL certificate expiration date of the https://www.shellhacks.com website:

$ echo | openssl s_client -servername www.shellhacks.com -connect www.shellhacks.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Mar 18 10:55:00 2017 GMT
notAfter=Jun 16 10:55:00 2017 GMT
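
To turn the -dates output above into a monitoring check, the following function reads the notBefore=/notAfter= lines on standard input and reports OK, EXPIRING, EXPIRED, NOT_YET_VALID or UNKNOWN. It is an added example, not part of the original article; the function name cert_status, its exit codes and the reliance on GNU date -d are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify the notBefore=/notAfter= lines printed by
# `openssl x509 -noout -dates`. Assumes GNU date (date -d), as on most Linux.
#
# Usage: cert_status WARN_DAYS [NOW_EPOCH] < dates-output
#   e.g. echo | openssl s_client -servername NAME -connect HOST:PORT \
#          2>/dev/null | openssl x509 -noout -dates | cert_status 30
# Prints "STATE DAYS_LEFT" and returns:
#   0 = OK, 1 = EXPIRING, 2 = EXPIRED or NOT_YET_VALID, 3 = UNKNOWN (no dates)
cert_status() {
    warn_days=$1
    now=${2:-$(date -u +%s)}      # NOW_EPOCH is overridable for testing
    not_before=
    not_after=
    while IFS= read -r line; do
        case $line in
            notBefore=*) not_before=${line#notBefore=} ;;
            notAfter=*)  not_after=${line#notAfter=} ;;
        esac
    done
    # Empty input usually means s_client could not connect or got no cert;
    # report that instead of treating it as a healthy certificate.
    if [ -z "$not_before" ] || [ -z "$not_after" ]; then
        echo "UNKNOWN"; return 3
    fi
    start=$(date -u -d "$not_before" +%s 2>/dev/null) || { echo "UNKNOWN"; return 3; }
    end=$(date -u -d "$not_after" +%s 2>/dev/null) || { echo "UNKNOWN"; return 3; }
    days_left=$(( (end - now) / 86400 ))
    if [ "$now" -lt "$start" ]; then
        echo "NOT_YET_VALID $days_left"; return 2
    elif [ "$now" -ge "$end" ]; then
        echo "EXPIRED $days_left"; return 2
    elif [ "$days_left" -lt "$warn_days" ]; then
        echo "EXPIRING $days_left"; return 1
    fi
    echo "OK $days_left"
}

# Constructed sample: the dates from the article's example output, checked as
# of 2017-06-01 00:00:00 UTC (epoch 1496275200) with a 30-day warning window.
printf 'notBefore=Mar 18 10:55:00 2017 GMT\nnotAfter=Jun 16 10:55:00 2017 GMT\n' |
    cert_status 30 1496275200 || true   # prints "EXPIRING 15"
```

The non-zero exit codes let a cron job or monitoring agent alert on the result without parsing the text.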

OpenSSL: Check SSL Certificate – Additional Information

Besides the validity dates, an SSL certificate contains other interesting information.

Each SSL certificate contains information about who issued it, whom it is issued to, the validity dates already mentioned, the certificate's SHA1 fingerprint and some other data.

All of this data can be retrieved from a website's SSL certificate using the openssl utility from the Linux command line.

Check who has issued the SSL certificate:

$ echo | openssl s_client -servername shellhacks.com -connect shellhacks.com:443 2>/dev/null | openssl x509 -noout -issuer
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

Check whom the SSL certificate is issued to:

$ echo | openssl s_client -servername shellhacks.com -connect shellhacks.com:443 2>/dev/null | openssl x509 -noout -subject
subject= /CN=www.shellhacks.com

Check for what dates the SSL certificate is valid:

$ echo | openssl s_client -servername shellhacks.com -connect shellhacks.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Mar 18 10:55:00 2017 GMT
notAfter=Jun 16 10:55:00 2017 GMT

Show all of the above information about the SSL certificate at once:

$ echo | openssl s_client -servername shellhacks.com -connect shellhacks.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
subject= /CN=www.shellhacks.com
notBefore=Mar 18 10:55:00 2017 GMT
notAfter=Jun 16 10:55:00 2017 GMT

Cool Tip: You can also decode an SSL certificate file if you have it locally, using the openssl utility from the Linux command line!

Show the SHA1 fingerprint of the SSL certificate:

$ echo | openssl s_client -servername www.shellhacks.com -connect www.shellhacks.com:443 2>/dev/null | openssl x509 -noout -fingerprint
SHA1 Fingerprint=26:F8:D5:E4:3E:7A:7B:7E:72:20:15:77:FE:C7:89:E7:E4:8A:15:CF

Extract all the information from the SSL certificate (decoded):

$ echo | openssl s_client -servername www.shellhacks.com -connect www.shellhacks.com:443 2>/dev/null | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:86:f4:63:3d:34:50:a8:47:cc:f7:99:10:1f:79:1c:21:c8
    Signature Algorithm: sha256WithRSAEncryption
[...]

Show the SSL certificate itself (encoded):

$ echo | openssl s_client -servername shellhacks.com -connect shellhacks.com:443 2>/dev/null | openssl x509
-----BEGIN CERTIFICATE-----
MIIFGDCCBACgAwIBAgISA4b0Yz00UKhHzPeZEB95HCHIMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzAzMTgxMDU1MDBaFw0x
[...]

Summary table:

Option        Description
-text         Prints out the certificate in text form.
-noout        Prevents output of the encoded version of the certificate.
-subject      Outputs the subject name.
-issuer       Outputs the issuer name.
-dates        Prints out the start and expiry dates of a certificate.
-fingerprint  Prints out the digest of the DER encoded version of the whole certificate.

Info: Run man x509 to see all the available options.
