Securing Your Linux Server: How to Check TLS/SSL Certificate Expiration Dates

Securing Your Linux Server: How to Check TLS/SSL Certificate Expiration Dates. In this article, we will learn how to check the expiration date of an SSL/TLS certificate from the command line using the OpenSSL client. The OpenSSL client provides detailed information about the validity dates, expiry dates, and issuing authority of the certificate.

To check the expiration date of an SSL/TLS certificate, open the Terminal application and run the following command:

openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates

For example, to find out the expiration date of the certificate for enterinit.com, run the following command:

DOM="enterinit.com"
PORT="443"
openssl s_client -servername $DOM -connect $DOM:$PORT | openssl x509 -noout -dates

The output will include information about the certificate’s start and expiry dates.

You can add the echo command to avoid having to press CTRL+C, as shown below:

DOM="{SITE_URL}"
PORT="443"
echo | openssl s_client -servername $DOM -connect $DOM:$PORT | openssl x509 -noout -dates

The openssl command-line options used in the above commands are as follows:

• s_client: Implements a generic SSL/TLS client that connects to a remote host using SSL/TLS.
• -servername $DOM: Sets the TLS SNI (Server Name Indication) extension in the ClientHello message to the given value.
• -connect $DOM:$PORT: Specifies the host ($DOM) and optional port ($PORT) to connect to.
• x509: Runs certificate display and signing utility.
• -noout: Prevents output of the encoded version of the certificate.
• -dates: Prints out the start and expiry dates of a TLS or SSL certificate.

To find out the expiration date of a PEM encoded certificate file, run the following command:

openssl x509 -enddate -noout -in {/path/to/my/my.pem}

For example, to find out the expiration date of the certificate for enterinit.com, run the following command:

openssl x509 -enddate -noout -in /etc/nginx/ssl/enterinit.com

The output will include the certificate’s expiry date.

You can also check if the certificate will expire within a given timeframe. For example, to find out if the certificate will expire within the next seven days, run the following command:

openssl x509 -enddate -noout -in my.pem -checkend 604800

To check if the certificate will expire in the next four months, run the following command:

openssl x509 -enddate -noout -in my.pem -checkend 10520000

In summary, OpenSSL is a powerful diagnostic tool that provides useful information about the SSL/TLS certificates. It helps you to ensure that the certificates are valid and up-to-date, and to take timely action when necessary.