Kev

How to check TLS/SSL certificate expiration date from command-line


How do I check the TLS/SSL certificate expiration date from my Linux or Unix shell prompt? How can I find the TLS certificate expiry date from Linux or Unix shell scripts?

We can quickly solve TLS or SSL certificate issues by checking the certificate’s expiration from the command line. Let us see how to determine TLS or SSL certificate expiration date from a PEM encoded certificate file and live production website/domain name too when using Linux, *BSD, macOS or Unix-like system.

To check the SSL certificate expiration date, we are going to use the OpenSSL command-line client. It provides plenty of data about a certificate, including its validity period (notBefore/notAfter), the issuer of the TLS/SSL certificate, the subject names, and much more.

 

Check the expiration date of an SSL or TLS certificate

Open the Terminal application and then run the following command:

 

$ openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates
$ echo | openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates

 

Let us find out expiration date for www.nixcraft.com, enter:

 

DOM="www.nixcraft.com"
PORT="443"
openssl s_client -servername $DOM -connect $DOM:$PORT \
| openssl x509 -noout -dates

 

Sample outputs indicating dates and other information:

 

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.nixcraft.com
verify return:1
notBefore=Sep 29 23:10:07 2020 GMT
notAfter=Dec 28 23:10:07 2020 GMT

 

Without anything on stdin, s_client stays connected after the handshake and waits for input, so you would have to press CTRL+C (or CTRL+D) to get the dates printed. Piping an empty echo into it closes stdin, so s_client exits as soon as the handshake is done. The "depth=" and "verify return" lines go to stderr, so append 2>/dev/null to the s_client command if you only want the two date lines. For instance:

 

DOM="www.cyberciti.biz"
PORT="443"
## note echo added ##
echo | openssl s_client -servername $DOM -connect $DOM:$PORT \
| openssl x509 -noout -dates

 

[Screenshot: OpenSSL in action: Check the TLS/SSL certificate expiration date and time]

 

Understanding openssl command options

openssl is a very useful diagnostic tool for TLS and SSL servers. The command-line options used above are as follows:

s_client : The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS.

  1. -servername $DOM : Set the TLS SNI (Server Name Indication) extension in the ClientHello message to the given value. Always pass it: a server that hosts several names on one IP address picks its certificate by SNI, and without it you may be shown the default certificate rather than the one for $DOM.
  2. -connect $DOM:$PORT : This specifies the host ($DOM) and optional port ($PORT) to connect to.
  3. x509 : Run the certificate display and signing utility. When fed the output of s_client it parses only the first certificate, i.e. the server's leaf certificate; add -showcerts to s_client if you also want to inspect the intermediates, which have their own expiry dates.
  4. -noout : Prevents output of the encoded version of the certificate.
  5. -dates : Prints out the start (notBefore) and expiry (notAfter) dates of a TLS or SSL certificate.
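The one-liners above check a single host interactively. As an added example (not code from the original article or its author), the script below wraps the same s_client/x509 commands in shell functions, goes a step further than the text by turning notAfter into "days left" and checking several hosts in one run, and exits non-zero when any certificate is inside a warning window, which is what a cron job or CI step needs. It assumes only openssl(1), date(1) and mktemp(1); the script name cert-expiry.sh and the 7-day warning window are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article. Assumes only openssl(1),
# date(1) and mktemp(1). Host names come from the command line.

# Convert an OpenSSL date ("Dec 28 23:10:07 2020 GMT") to Unix epoch seconds.
# GNU date understands the string directly; the second form is for BSD/macOS.
openssl_date_to_epoch() {
    date -d "$1" +%s 2>/dev/null && return 0
    date -j -f '%b %e %H:%M:%S %Y %Z' "$1" +%s
}

# Whole days until the first certificate in a PEM file expires (negative once
# it has expired). Returns 2 if the file cannot be parsed.
cert_days_left() {
    local pem=$1 na epoch now
    na=$(openssl x509 -noout -enddate -in "$pem" 2>/dev/null) || return 2
    epoch=$(openssl_date_to_epoch "${na#notAfter=}") || return 2
    now=$(date +%s)
    echo $(( (epoch - now) / 86400 ))
}

# Let openssl do the arithmetic: -checkend exits 0 if the cert is still valid
# after the given number of seconds and 1 if it will have expired by then.
cert_ok_for_days() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Save the leaf certificate presented by a live server to a file. -servername
# sends SNI so a virtual-hosting server returns the certificate for this name;
# echo closes s_client's stdin so it exits right after the handshake; the
# handshake chatter on stderr is dropped so only the PEM reaches x509.
fetch_server_cert() {
    local host=$1 port=$2 out=$3
    echo | openssl s_client -servername "$host" -connect "$host:$port" 2>/dev/null \
        | openssl x509 -outform PEM > "$out" 2>/dev/null
}

# Report one host as "host port notAfter days_left". Exit status: 0 fine,
# 1 expires within WARN days (or already expired), 2 could not fetch/parse.
check_host() {
    local host=$1 port=${2:-443} warn=${3:-7} tmp na days rc=0
    tmp=$(mktemp) || return 2
    if ! fetch_server_cert "$host" "$port" "$tmp" || [ ! -s "$tmp" ]; then
        rm -f "$tmp"; echo "$host $port FETCH-FAILED"; return 2
    fi
    na=$(openssl x509 -noout -enddate -in "$tmp"); na=${na#notAfter=}
    days=$(cert_days_left "$tmp") || rc=2
    if [ "$rc" -eq 0 ]; then
        cert_ok_for_days "$tmp" "$warn" || rc=1
    fi
    rm -f "$tmp"
    echo "$host $port $na ${days:-?}"
    return "$rc"
}

# Usage: ./cert-expiry.sh www.example.com mail.example.com:465 ...
# Exits non-zero if any host failed or is inside the 7-day warning window.
main() {
    local rc=0 target
    for target in "$@"; do
        case $target in
            *:*) check_host "${target%%:*}" "${target#*:}" 7 || rc=1 ;;
            *)   check_host "$target" 443 7 || rc=1 ;;
        esac
    done
    return "$rc"
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Two design points: the warning decision is delegated to openssl's own -checkend rather than to date arithmetic, so the answer does not depend on the shell's date(1) dialect, and the leaf certificate is written to a temporary file so the same functions work unchanged on a PEM file already on disk.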

 

Finding SSL certificate expiration date from a PEM encoded certificate file

The syntax is as follows to query a certificate file for when the TLS/SSL certificate will expire (for a fullchain file, x509 reads the first certificate, i.e. the leaf):

 

$ openssl x509 -enddate -noout -in {/path/to/my/my.pem}
$ openssl x509 -enddate -noout -in /etc/nginx/ssl/www.cyberciti.biz.fullchain.cer.ecc
$ openssl x509 -enddate -noout -in /etc/nginx/ssl/www.nixcraft.com.fullchain.cer

 

notAfter=Dec 29 23:48:42 2020 GMT

 

We can also check if the certificate expires within a given timeframe using -checkend, which takes a number of seconds. It prints "Certificate will not expire" and exits 0 when the certificate is still valid at that point in the future, or prints "Certificate will expire" and exits 1 when it will have expired by then (or has already expired), so it can be used directly in an if statement. For example, find out if the TLS/SSL certificate expires within the next 7 days (604800 seconds):

 

$ openssl x509 -enddate -noout -in my.pem -checkend 604800
# Check if the TLS/SSL cert will expire in the next 4 months (roughly 10520000 seconds) #
openssl x509 -enddate -noout -in my.pem -checkend 10520000

 

[Screenshot: Finding out whether the TLS/SSL certificate has expired or will expire within the next N days, given in seconds]


Shell script to determine SSL certificate expiration date from the crt file itself and alert sysadmin

Here is a sample shell script:

 

#!/bin/bash
# Purpose: Alert sysadmin/developer about the TLS/SSL cert expiry date in advance
# Author: Vivek Gite {https://www.cyberciti.biz/} under GPL v2.x+
# -------------------------------------------------------------------------------
PEM="/etc/nginx/ssl/letsencrypt/cyberciti.biz/cyberciti.biz.fullchain.cer"
# 7 days in seconds
DAYS="604800"
# Email settings
_sub="$PEM will expire within $DAYS seconds (7 days)."
_from="system-account@your-domain"
_to="sysadmin@your-domain"
_openssl="/usr/bin/openssl"
# -checkend exits 0 when the cert is still valid after $DAYS seconds and 1 when
# it will expire (or already has); grep on the message makes the test explicit.
if "$_openssl" x509 -enddate -noout -in "$PEM" -checkend "$DAYS" | grep -q 'Certificate will expire'
then
    # Send email and push message to my mobile
    echo "${_sub}"
    mail -s "$_sub" -r "$_from" "$_to" <<< "Warning: The TLS/SSL certificate ($PEM) will expire soon on $HOSTNAME [$(date)]"
    # See https://www.cyberciti.biz/mobile-devices/android/how-to-push-send-message-to-ios-and-android-from-linux-cli/ #
    source ~/bin/cli_app.sh
    push_to_mobile "$0" "$_sub. See $_to email for detailed log. -- $HOSTNAME " >/dev/null
fi

 

See how to send push notifications to your phone from a script. Of course, you need a working SMTP server to route email. At work we configured AWS SES with Postfix MTA to route all alert emails. See the following tutorials for more information about sending emails from the CLI:

 

Say hello to testssl and ssl-cert-check script

We can use the testssl.sh shell script, a free command-line tool which checks a server's service on any port for the TLS/SSL ciphers and protocols it supports, as well as for recent cryptographic flaws, and reports certificate details including the expiry date. Download it (or clone its git repository), make it executable and run it from the current directory as follows:

 

$ wget https://testssl.sh/testssl.sh
$ chmod +x testssl.sh
$ ./testssl.sh --fast --parallel https://www.cyberciti.biz/

 

Another option is to run ssl-cert-check script, which is a Bourne shell script that can be used to report on expiring SSL certificates. The script was designed to be run from cron and can e-mail warnings or log alerts through nagios.

 

Conclusion

In this quick tutorial, you learned how to find the TLS/SSL certificate expiration date both from a PEM encoded certificate file and from a live server by its DNS name. Expired TLS/SSL certificates cause downtime and confusion for end-users, so it is crucial to monitor the expiry date of our TLS/SSL certificates. See the following man pages (named openssl-x509 and openssl-s_client on OpenSSL 3.x):

 

$ man x509
$ man s_client

 
