Home » Categories » Linux

OpenSSL: Check SSL Certificate Expiration Date and More

Article Number: 493 | Rating: Unrated | Last Updated: Mon, Feb 18, 2019 4:42 PM

From this article you will learn how to connect to a website over HTTPS and check its SSL certificate expiration date from the Linux command-line.

Besides of validity dates, i’ll show how to view who has issued an SSL certificate, whom is it issued to, its SHA1 fingerprint and the other useful information.

Linux users can easily check an SSL certificate from the Linux command-line, using the openssl utility, that can connect to a remote website over HTTPS, decode an SSL certificate and retrieve the all required data.

Cool Tip: If your SSL certificate expires soon – you will need to generate a new CSR! In Linux this can be easily done with a simple one-liner! Read more →

Check SSL Certificate Expiration Date

Run the following one-liner from the Linux command-line to check the SSL certificate expiration date, using the openssl:

$ echo | openssl s_client -servername NAME -connect HOST:PORT 2>/dev/null | openssl x509 -noout -dates

Short explanation:

OptionDescription
-connect HOST:PORT The host and port to connect to.
-servername NAME The TLS SNI (Server Name Indication) extension (website).

Info: Run man s_client to see the all available options.

As an example, let’s use the openssl to check the SSL certificate expiration date of the https://www.shellhacks.com website:

$ echo | openssl s_client -servername www.shellhacks.com -connect www.shellhacks.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Mar 18 10:55:00 2017 GMT
notAfter=Jun 16 10:55:00 2017 GMT

OpenSSL: Check SSL Certificate – Additional Information

 

Besides of the validity dates, an SSL certificate contains other interesting information.

 

Each SSL certificate contains the information about who has issued the certificate, whom is it issued to, already mentioned validity dates, SSL certificate’s SHA1 fingerprint and some other data.

All these data can retrieved from a website’s SSL certificate using the openssl utility from the command-line in Linux.

Check who has issued the SSL certificate:

$ echo | openssl s_client -servername shellhacks.com -connect shellhacks.com:443 2>/dev/null | openssl x509 -noout -issuer
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

Check whom the SSL certificate is issued to:

$ echo | openssl s_client -servername shellhacks.com -connect shellhacks.com:443 2>/dev/null | openssl x509 -noout -subject
subject= /CN=www.shellhacks.com

Check for what dates the SSL certificate is valid:

$ echo | openssl s_client -servername shellhacks.com -connect shellhacks.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Mar 18 10:55:00 2017 GMT
notAfter=Jun 16 10:55:00 2017 GMT

Show the all above information about the SSL certificate, at once:

$ echo | openssl s_client -servername shellhacks.com -connect shellhacks.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
subject= /CN=www.shellhacks.com
notBefore=Mar 18 10:55:00 2017 GMT
notAfter=Jun 16 10:55:00 2017 GMT

Cool Tip: You can also decode an SSL certificate file if you have it locally, using the openssl utility from the Linux command-line! Read more →

Show the SHA1 fingerprint of the SSL certificate:

$ echo | openssl s_client -servername www.shellhacks.com -connect www.shellhacks.com:443 2>/dev/null | openssl x509 -noout -fingerprint
SHA1 Fingerprint=26:F8:D5:E4:3E:7A:7B:7E:72:20:15:77:FE:C7:89:E7:E4:8A:15:CF

Extract the all information from the SSL certificate (decoded):

$ echo | openssl s_client -servername www.shellhacks.com -connect www.shellhacks.com:443 2>/dev/null | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:86:f4:63:3d:34:50:a8:47:cc:f7:99:10:1f:79:1c:21:c8
    Signature Algorithm: sha256WithRSAEncryption
[...]

Show the SSL certificate itself (encoded):

$ echo | openssl s_client -servername shellhacks.com -connect shellhacks.com:443 2>/dev/null | openssl x509
-----BEGIN CERTIFICATE-----
MIIFGDCCBACgAwIBAgISA4b0Yz00UKhHzPeZEB95HCHIMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzAzMTgxMDU1MDBaFw0x
[...]

Summary table:

OptionDescription
-text Prints out the certificate in text form.
-noout Prevents output of the encoded version of the request.
-subject Outputs the subject name.
-issuer Outputs the issuer name.
-dates Prints out the start and expiry dates of a certificate.
-fingerprint Prints out the digest of the DER encoded version of the whole certificate.

Info: Run man x509 to see the all available options.
Posted - Mon, Feb 18, 2019 4:42 PM. This article has been viewed 6647 times.
Filed Under: Linux
0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
HowTo: Find Out Hard Disk Specs / Details on Linux
Viewed 3313 times since Mon, Jan 28, 2019
Linux 20 Netstat Commands for Linux Network Management
Viewed 9531 times since Mon, Sep 21, 2020
RHEL: How to change a USER/GROUP UID/GID and all owned files
Viewed 21367 times since Sat, Jun 2, 2018
Linux PAM configuration that allows or deny login via the sshd server
Viewed 1827 times since Wed, Oct 3, 2018
Deskshare TLS over Stunnel
Viewed 2692 times since Fri, Sep 28, 2018
Inxi – A Powerful Feature-Rich Commandline System Information Tool for Linux
Viewed 18838 times since Sat, Jun 2, 2018
ZFS: Create a new zfs filesystem
Viewed 2503 times since Sun, Jun 3, 2018
How do I add ethtool settings to a network device permanently?
Viewed 6479 times since Mon, May 21, 2018
Understanding System auditing with auditd
Viewed 9604 times since Fri, Apr 5, 2019
How To Set Up an SSL Tunnel Using Stunnel on Ubuntu
Viewed 3149 times since Fri, Sep 28, 2018