An SSL certificate helps to secure the communication between a client (such as a web browser) and a server (such as a website).
If the certificate has expired, it can no longer be trusted to secure this communication, and an attacker may be able to intercept and view sensitive information being transmitted between the client and server.
We will share 4 ways to check the SSL Certificate Expiration date.
Get Your Free Linux training!
Join our free Linux training and discover the power of open-source technology. Enhance your skills and boost your career! Learn Linux for Free!Table of Contents
Methods to check SSL Certificate Expiration date
- using web browser. In most browsers, you can view the SSL certificate by clicking on the padlock icon in the address bar. This will open a new window that displays information about the certificate, including the issuer, expiration date, and more.
- using openssl x509 command. The openssl x509 command is a multi-purpose certificate utility. It can be used to display certificate information, convert certificates to various forms.
- using openssl s_client command. The openssl s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. It is a very useful diagnostic tool for SSL servers. It checks whether the certificate is valid, trusted, and complete.
- using online Certificate Decoder
- using an online tool
what will happen after SSL certificate expires?
If an SSL certificate expires, the website will not be able to establish a secure connection with browsers. This can cause visitors to see security warnings and potentially leave the website.
It is important to renew SSL certificates before they expire in order to avoid these problems.
check SSL certificate expiration date from a certificate file
Openssl command is a very powerful tool to check SSL certificate expiration date. Open the terminal and run the following command. You will get the expiration date from the command output.
openssl x509 -enddate -noout -in file.cer
Example: openssl x509 -enddate -noout -in hydssl.cer
notAfter=Dec 12 16:56:15 2029 GMT
To see a list of all of the options that the openssl x509 command supports, type “openssl x509 -h” into your terminal. This will display a list of all of the available options, along with a brief description of each one.
- Display the contents of a certificate: openssl x509 -in cert.pem -noout -text
- Display the certificate serial number: openssl x509 -in cert.pem -noout -serial
- Display the certificate subject name: openssl x509 -in cert.pem -noout -subject
- Display the certificate subject name in RFC2253 form: openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
- Display the certificate subject name in oneline form on a terminal supporting UTF8: openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb
- Display the certificate SHA1 fingerprint: openssl x509 -sha1 -in cert.pem -noout -fingerprint
check SSL certificate expiration date from a server URL
The openssl s_client command is used to establish a SSL/TLS connection with a remote server. It can be used to verify the server’s certificate expiration date, or to request a specific cipher suite.
openssl s_client -servername example.com -connect example.com 2>/dev/null | openssl x509 -noout -dates
Example:
openssl s_client -servername google.com -connect google.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Aug 16 01:37:02 2021 GMT
notAfter=Nov 8 01:37:01 2021 GMT
The openssl is a very useful diagnostic tool to check SSL certificate for TLS and SSL servers. Here are more openssl command-line options.
- s_client : The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS.
- -servername $DOM : Set the TLS SNI (Server Name Indication) extension in the ClientHello message to the given value.
- -connect $DOM:$PORT : This specifies the host ($DOM) and optional port ($PORT) to connect to.
- x509 : Run certificate display and signing utility.
- -noout : Prevents output of the encoded version of the certificate.
- -dates : Prints out the start and expiry dates of a TLS or SSL certificate.
check SSL certificate expiration date from online Certificate Decoder
The SSL Certificate Decoder tool is another way to get the expiration date of SSL certificate. It instantly decodes any SSL Certificate-no matter what format: PEM, DER, or PFX encoded SSL Certificates.
It works quickly and accurately to strip all the information from our certificate and present it in an easy-to-understand way.
To use the certificate decoder tool, go to page thesslstore and paste our certificate into the field and let the certificate decoder do the rest.
Example:
- Common Name : HydrantID Server CA O1
- Organization : IdenTrust
- Organization Unit : HydrantID Trusted Certificate Service
- Country : US
- Valid From : Dec 12,2019
- Valid To : Dec 12,2029
- Issuer : IdenTrust
- Serial Number : 85078034808230776
check SSL certificate expiration date from online tool
There are many online tools to check the SSL certificate info. Go to page ssllabs and input the domain name to check it.
All the info in the certificate will be displayed including the expiration date. This will also display the expiration date for all the certificates.
Example:
- The certificate expires November 6, 2021 (70 days from today)
- Subject www.howtouselinux.com Valid from 08/Aug/2021 to 06/Nov/2021
- Subject R3 Valid from 04/Sep/2020 to 15/Sep/2025
- Subject ISRG Root X1Valid from 20/Jan/2021 to 30/Sep/2024
how to renew an SSL certificate
First, you will need to generate a new CSR (Certificate Signing Request). You can do this using a tool like OpenSSL. Once you have generated the CSR, you will need to submit it to your CA (Certificate Authority).
Once the CA has issued your new certificate, you will need to install it on your web server. If you are not familiar with this, you may want to ask help from here thesslstore.com. Once the new certificate is installed, you should be all set! Your website will now be able to establish secure connections with browsers.
Related:
- Exploring SSL Certificate Chain with Examples
- Understanding X509 Certificate with Openssl Command
- OpenSSL Command to Generate View Check Certificate
- Converting CER CRT DER PEM PFX Certificate with Openssl
- SSL vs TLS and how to check TLS version in Linux
- Understanding SSH Key RSA DSA ECDSA ED25519
- Understanding server certificates with Examples
Nghui
Saturday 25th of November 2023
Great. openssl command works for me. Thanks.
Fen Fenw
Tuesday 7th of November 2023
It is great to see this article. I got my problem fixed. Thanks.
Daniel
Monday 6th of November 2023
This was a great read on checking SSL certificate expiration in Linux. I am going to write a shell script to and add it to cron jobs for monitoring purpose.
Hier Guert
Monday 6th of November 2023
In my journey as a System Administrator, managing SSL certificates has always been a critical task.
This article's detailed guide on how to check SSL certificate expiration using OpenSSL commands on a Linux system has been a tremendous help.
6 Underrated Linux Commands That Deserve More Attention - howtouselinux
Tuesday 24th of October 2023
[…] is particularly useful for checking certificate expiration dates and conducting similar […]