Wondering how to check OpenSSL Certificate Expiration? We can help you.

We can quickly solve TLS or SSL certificate issues by checking the certificate’s expiration from the command line.

As part of our Server Management Services, we assist our customers with several OpenSSL queries.

Today, let us see how our tech performs the same.

Check TLS/SSL certificate expiration date

To check the SSL certificate expiration date, our Support Techs recommend the OpenSSL command-line client.

Initially, we check the expiration date of an SSL or TLS certificate.

To do so, we open the terminal application and run:

$ openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates
$ echo | openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates

Then to find out the expiration date for www.bob.com, we enter:

DOM="www.bob.com"
PORT="443"
openssl s_client -servername $DOM -connect $DOM:$PORT \
| openssl x509 -noout -dates

Our output will show dates and other information:

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.bob.com
verify return:1
notBefore=Oct 29 23:10:07 2020 GMT
notAfter=Dec 28 23:10:07 2020 GMT

In addition, we add the echo command to avoid pressing the CTRL+C.

For instance:

DOM="www.bob"
PORT="443"
## note echo added ##
echo | openssl s_client -servername $DOM -connect $DOM:$PORT \
| openssl x509 -noout -dates

• Find from a PEM encoded certificate file

We can find the SSL certificate expiration date from a PEM encoded certificate file.

We query the certificate file for when the TLS/SSL certification will expire:

$ openssl x509 -enddate -noout -in {/path/to/my/my.pem}
$ openssl x509 -enddate -noout -in /etc/nginx/ssl/www.bob.fullchain.cer.ecc
$ openssl x509 -enddate -noout -in /etc/nginx/ssl/www.bob.com.fullchain.cer

notAfter=Dec 29 23:48:42 2020 GMT

In addition, we can check if the certificate expires within the given timeframe.

For example,

Find if the TLS/SSL certificate expires within the next 7 days (604800 seconds)
$ openssl x509 -enddate -noout -in my.pem -checkend 604800
# Check if the TLS/SSL cert will expire in next 4 months #
openssl x509 -enddate -noout -in my.pem -checkend 10520000

• Shell script to determine SSL certificate expiration date

We can perform a shell script from the crt file itself and alert the sysadmin.

For example:

#!/bin/bash
# Purpose: Alert sysadmin/developer about the TLS/SSL cert expiry date in advance
# Author: Vivek Gite {https://www.bob/} under GPL v2.x+
# -------------------------------------------------------------------------------
PEM="/etc/nginx/ssl/letsencrypt/cyberciti.biz/cyberciti.biz.fullchain.cer"

# 7 days in seconds 
DAYS="604800" 

# Email settings 
_sub="$PEM will expire within $DAYS (7 days)."
_from="system-account@your-dommain"
_to="sysadmin@your-domain"
_openssl="/usr/bin/openssl"
$_openssl x509 -enddate -noout -in "$PEM" -checkend "$DAYS" | grep -q 'Certificate will expire'

# Send email and push message to my mobile
if [ $? -eq 0 ]
then
echo "${_sub}"
mail -s "$_sub" -r "$_from" "$_to" <<< "Warning: The TLS/SSL certificate ($PEM) will expire soon on $HOSTNAME [$(date)]"
# See https://www.bob/mobile-devices/android/how-to-push-send-message-to-ios-and-android-from-linux-cli/ #
source ~/bin/cli_app.sh
push_to_mobile "$0" "$_sub. See $_to email for detailed log. -- $HOSTNAME " >/dev/null

• testssl and ssl-cert-check script

Testssl shell script is a free command-line tool.

It can check a server’s service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws, and more.

To perform this, we need to download and run it as follows:

$ wget https://testssl.sh/testssl.sh
$ chmod +x testssl.sh
$ testssl.sh --fast --parallel https://www.bob/

Another option is to run the ssl-cert-check script, a Bourne shell script, to report on expiring SSL certificates.

[Finding it hard? We are here for your assistance]

Conclusion

In short, we saw how our Support Techs check OpenSSL Certificate Expiration.