Need help?

Our experts have had an average response time of 11.7 minutes in August 2021 to fix urgent issues.

We will keep your servers stable, secure, and fast at all times for one fixed price.

Check OpenSSL Certificate Expiration

by | Nov 3, 2021

Wondering how to check OpenSSL Certificate Expiration? We can help you.

We can quickly solve TLS or SSL certificate issues by checking the certificate’s expiration from the command line.

As part of our Server Management Services, we assist our customers with several OpenSSL queries.

Today, let us see how our tech performs the same.


Check TLS/SSL certificate expiration date

To check the SSL certificate expiration date, our Support Techs recommend the OpenSSL command-line client.

Initially, we check the expiration date of an SSL or TLS certificate.

To do so, we open the terminal application and run:

$ openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates
$ echo | openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates

Then to find out the expiration date for, we enter:

openssl s_client -servername $DOM -connect $DOM:$PORT \
| openssl x509 -noout -dates

Our output will show dates and other information:

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN =
verify return:1
notBefore=Oct 29 23:10:07 2020 GMT
notAfter=Dec 28 23:10:07 2020 GMT

In addition, we add the echo command to avoid pressing the CTRL+C.

For instance:

## note echo added ##
echo | openssl s_client -servername $DOM -connect $DOM:$PORT \
| openssl x509 -noout -dates
  • Find from a PEM encoded certificate file

We can find the SSL certificate expiration date from a PEM encoded certificate file.

We query the certificate file for when the TLS/SSL certification will expire:

$ openssl x509 -enddate -noout -in {/path/to/my/my.pem}
$ openssl x509 -enddate -noout -in /etc/nginx/ssl/www.bob.fullchain.cer.ecc
$ openssl x509 -enddate -noout -in /etc/nginx/ssl/

notAfter=Dec 29 23:48:42 2020 GMT

In addition, we can check if the certificate expires within the given timeframe.

For example,

Find if the TLS/SSL certificate expires within the next 7 days (604800 seconds)
$ openssl x509 -enddate -noout -in my.pem -checkend 604800
# Check if the TLS/SSL cert will expire in next 4 months #
openssl x509 -enddate -noout -in my.pem -checkend 10520000
  • Shell script to determine SSL certificate expiration date

We can perform a shell script from the crt file itself and alert the sysadmin.

For example:

# Purpose: Alert sysadmin/developer about the TLS/SSL cert expiry date in advance
# Author: Vivek Gite {https://www.bob/} under GPL v2.x+
# -------------------------------------------------------------------------------

# 7 days in seconds 

# Email settings 
_sub="$PEM will expire within $DAYS (7 days)."
_from="[email protected]"
_to="[email protected]"
$_openssl x509 -enddate -noout -in "$PEM" -checkend "$DAYS" | grep -q 'Certificate will expire'

# Send email and push message to my mobile
if [ $? -eq 0 ]
echo "${_sub}"
mail -s "$_sub" -r "$_from" "$_to" <<< "Warning: The TLS/SSL certificate ($PEM) will expire soon on $HOSTNAME [$(date)]"
# See https://www.bob/mobile-devices/android/how-to-push-send-message-to-ios-and-android-from-linux-cli/ #
source ~/bin/
push_to_mobile "$0" "$_sub. See $_to email for detailed log. -- $HOSTNAME " >/dev/null
  • testssl and ssl-cert-check script

Testssl shell script is a free command-line tool.

It can check a server’s service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws, and more.

To perform this, we need to download and run it as follows:

$ wget
$ chmod +x
$ --fast --parallel https://www.bob/

Another option is to run the ssl-cert-check script, a Bourne shell script, to report on expiring SSL certificates.

[Finding it hard? We are here for your assistance]



In short, we saw how our Support Techs check OpenSSL Certificate Expiration.


Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.



Submit a Comment

Your email address will not be published. Required fields are marked *

Privacy Preference Center


Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]


Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

_ga, _gat, _gid
_ga, _gat, _gid


Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

IDE, test_cookie, 1P_JAR, NID, DV, NID
IDE, test_cookie


These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.