How to determine SSL cert expiration date from a PEM encoded certificate

Question

If I have the actual file and a Bash shell in Mac or Linux  how can I query the cert file for when it will expire   Not a web site  but actually the certificate file itself  assuming I have the csr  key  pem and chain files

User · Answer

I have made a bash script related to the same to check if the certificate is expired or not. You can use the same if required.

Script

https://github.com/zeeshanjamal16/usefulScripts/blob/master/sslCertificateExpireCheck.sh

ReadMe

https://github.com/zeeshanjamal16/usefulScripts/blob/master/README.md

User · Answer

Here s my bash command line to list multiple certificates in order of their expiration  most recently expiring first   for pem in  etc ssl certs   pem  do     printf   s   s n             date --date    openssl x509 -enddate -noout -in   pem  cut -d  -f 2   --iso-8601             pem  done   sort   Sample output   2015-12-16   etc ssl certs Staat der Nederlanden Root CA pem 2016-03-22   etc ssl certs CA Disig pem 2016-08-14   etc ssl certs EBG Elektronik Sertifika Hizmet S pem

User · Answer

Same as accepted answer  But note that it works even with  crt file and not just  pem file  just in case if you are not able to find  pem file location   openssl x509 -enddate -noout -in e71c8ea7fa97ad6c crt   Result   notAfter Mar 29 06 15 00 2020 GMT

User · Answer

If  for some reason  you want to use a GUI application in Linux  use gcr-viewer  in most distributions it is installed by the package gcr  otherwise in package gcr-viewer    gcr-viewer file pem   or gcr-viewer file crt

User · Answer

Here s a bash function which checks all your servers  assuming you re using DNS round-robin  Note that this requires GNU date and won t work on Mac OS  function check certs        if   -z   1      then     echo  domain name missing      exit 1   fi   name   1    shift    now epoch    date   s      dig  noall  answer  name   while read         ip    do     echo -n   ip       expiry date    echo   openssl s client -showcerts -servername  name -connect  ip 443 2 gt  dev null   openssl x509 -inform pem -noout -enddate   cut -d     -f 2       echo -n    expiry date       expiry epoch    date -d   expiry date    s       expiry days        expiry epoch -  now epoch     3600   24          echo       expiry days days    done     Output example     check certs stackoverflow com 151 101 1 69  Aug 14 12 00 00 2019 GMT    603 days 151 101 65 69  Aug 14 12 00 00 2019 GMT    603 days 151 101 129 69  Aug 14 12 00 00 2019 GMT    603 days 151 101 193 69  Aug 14 12 00 00 2019 GMT    603 days

User · Answer

If you just want to know whether the certificate has expired  or will do so within the next N seconds   the -checkend  lt seconds gt  option to openssl x509 will tell you  if openssl x509 -checkend 86400 -noout -in file pem then   echo  quot Certificate is good for another day  quot  else   echo  quot Certificate has expired or will do so within 24 hours  quot    echo  quot  or is invalid not found  quot  fi  This saves having to do date time comparisons yourself  openssl will return an exit code of 0  zero  if the certificate has not expired and will not do so for the next 86400 seconds  in the example above  If the certificate will have expired or has already done so - or some other error like an invalid nonexistent file - the return code is 1   Of course  it assumes the time date is set correctly  Be aware that older versions of openssl have a bug which means if the time specified in checkend is too large  0 will always be returned  https   github com openssl openssl issues 6180

User · Answer

For MAC OSX  El Capitan   This modification of Nicholas  example worked for me   for pem in  path to certs   pem  do     printf   s   s n               date -jf   b  e  H  M  S  Y  Z     openssl x509 -enddate -noout -in   pem  cut -d  -f 2      Y- m- d            pem   done   sort   Sample Output   2014-12-19   path to certs MDM Certificate pem 2015-11-13   path to certs MDM AirWatch Certificate pem   macOS didn t like the --date  or --iso-8601 flags on my system

User · Answer

With openssl   openssl x509 -enddate -noout -in file pem   The output is on the form   notAfter Nov  3 22 23 50 2014 GMT   Also see MikeW s answer for how to easily check whether the certificate has expired or not  or whether it will within a certain time period  without having to parse the date above

User · Answer

One line checking on true false if cert of domain will be expired in some time later ex  15 days   openssl x509 -checkend     24 3600 15    -noout -in  lt  openssl s client -showcerts -connect my domain com 443  lt  dev null 2 gt  dev null   openssl x509 -outform PEM  if      -eq 0    then   echo  good  else   echo  bad  fi

[linux] How to determine SSL cert expiration date from a PEM encoded certificate?

Examples related to linux

Examples related to bash

Examples related to ssl

Examples related to openssl

Examples related to certificate