How to determine SSL cert expiration date from a PEM encoded certificate?

Solution 1:

With openssl:

openssl x509 -enddate -noout -in file.pem

The output is of the form:

notAfter=Nov  3 22:23:50 2014 GMT

Also see MikeW's answer for how to easily check whether the certificate has expired or not, or whether it will within a certain time period, without having to parse the date above.

Solution 2:

If you just want to know whether the certificate has expired (or will do so within the next N seconds), the -checkend <seconds> option to openssl x509 will tell you:

if openssl x509 -checkend 86400 -noout -in file.pem
then
  echo "Certificate is good for another day!"
else
  echo "Certificate has expired or will do so within 24 hours!"
  echo "(or is invalid/not found)"
fi

This saves having to do date/time comparisons yourself.

openssl will return an exit code of 0 (zero) if the certificate has not expired and will not do so for the next 86400 seconds, in the example above. If the certificate will have expired or has already done so, or if there is some other error such as an invalid/nonexistent file, the return code is 1.

(Of course, it assumes the time/date is set correctly.)

Be aware that older versions of openssl have a bug which means if the time specified in checkend is too large, 0 will always be returned (https://github.com/openssl/openssl/issues/6180).
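
Since -checkend returns 1 for an expired certificate, a soon-to-expire one and an unreadable file alike, a monitoring script usually has to tell the three apart. The following is an added example, not code from either answer; the function name cert_status, its status words and its exit codes are choices made for this illustration.

```shell
#!/bin/sh
# Added example: classify a PEM certificate using only the openssl options
# shown above. cert_status and its exit codes are hypothetical names/values.
#
# Usage: cert_status FILE [DAYS]      (DAYS defaults to 30)
# Prints one word and returns:
#   0 ok         valid for more than DAYS days
#   1 expiring   valid now, but notAfter falls within DAYS days
#   2 expired    notAfter is already in the past
#   3 unreadable file missing or not a parseable certificate
#  64 usage      DAYS is not a non-negative integer
# Keep DAYS modest: as noted above, older openssl versions mishandle very
# large -checkend values.
cert_status() {
  cs_file=$1
  cs_days=${2:-30}

  case $cs_days in
    ''|*[!0-9]*) echo "usage: cert_status FILE [DAYS]" >&2; return 64 ;;
  esac

  # Step 1: rule out "invalid/not found" before asking about dates, so a
  # parse failure is never reported as an expiry.
  if ! openssl x509 -noout -in "$cs_file" >/dev/null 2>&1; then
    echo unreadable
    return 3
  fi

  # Step 2: -checkend 0 fails only when the certificate has already expired.
  if ! openssl x509 -checkend 0 -noout -in "$cs_file" >/dev/null 2>&1; then
    echo expired
    return 2
  fi

  # Step 3: the certificate is valid now; does it survive the warning window?
  if ! openssl x509 -checkend $((cs_days * 86400)) -noout -in "$cs_file" >/dev/null 2>&1; then
    echo expiring
    return 1
  fi

  echo ok
  return 0
}
```

In a cron job or monitoring check, map exit code 1 to a warning and 2 or 3 to a critical alert, so a deleted or corrupted file is not mistaken for a routine renewal reminder.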