How can I get the expiration date of a certificate in a keychain from the command line?

I'm looking for a way to get the expiration date of a certificate from the command line. The certificate is in the default 'login' keychain and I know its name. How can I do this?


GuyGizmo's answer doesn't seem to work with Xcode 10.1 tools on macOS 10.14.4. I pulled this way together after a few tries.

Since I was trying to find out when my developer code signing certificate expires from the command line, I could readily look at apps that I had signed:

codesign --display --verbose --extract-certificates /path/to/dir.app

That tells you a certain amount about the app, and extracts the embedded signing certificate (without its private key, so there's no need for passwords) to a file called codesign0 in the current directory, in DER format. The other certificates in the chain of trust are extracted to codesign1, codesign2 and so on, for as many as are needed. It's probably best to remove them once you've finished with them.

You can then use the OpenSSL command-line tool to get the expiry date:

openssl x509 -inform der -in codesign0 -enddate -noout

Which prints a result like:

notAfter=June 8 10:37:33 2020 GMT

Another way to get the same information from the codesign0 file, in a format that may be easier to parse with a programming language, is:

openssl asn1parse -in codesign0 -inform der | grep UTCTIME

That will show you the beginning and ending dates in ASN.1 UTC time format, which is usually YYMMDDhhmmssZ in an Apple code signing certificate. Yes, the two-digit year does mean an ASN.1 UTC time wraps around every century.
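As an added example (not part of the original answer), this Python sketch parses the two UTCTIME lines that the `asn1parse | grep UTCTIME` command prints and reports how many days remain before expiry. It applies the RFC 5280 rule for two-digit years (00-49 means 20YY, 50-99 means 19YY); the sample input and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `openssl asn1parse -in codesign0 -inform der | grep UTCTIME`
# output. Offsets and the first date are made up; the second matches the
# notAfter value shown in the answer.
SAMPLE = """\
  179:d=3  hl=2 l=  13 prim: UTCTIME           :190609103733Z
  194:d=3  hl=2 l=  13 prim: UTCTIME           :200608103733Z
"""

# Only the YYMMDDhhmmssZ form is accepted; anything else is ignored.
UTCTIME_RE = re.compile(r"prim:\s+UTCTIME\s+:(\d{12})Z\s*$", re.MULTILINE)


def parse_utctime(value):
    """Convert 'YYMMDDhhmmss' to an aware UTC datetime (RFC 5280 year pivot)."""
    yy = int(value[:2])
    year = 2000 + yy if yy < 50 else 1900 + yy
    parsed = datetime.strptime(f"{year}{value[2:]}", "%Y%m%d%H%M%S")
    return parsed.replace(tzinfo=timezone.utc)


def validity_from_asn1parse(text):
    """Return (not_before, not_after) from the first two UTCTIME lines.

    In an X.509 certificate the validity period precedes the subject and
    extensions, so its two times are the first ones asn1parse prints.
    """
    stamps = UTCTIME_RE.findall(text)
    if len(stamps) < 2:
        # Happens when a date is encoded as GENERALIZEDTIME (required for
        # years from 2050 on), which the grep for UTCTIME filters out.
        raise ValueError("expected two UTCTIME lines for the validity period")
    return parse_utctime(stamps[0]), parse_utctime(stamps[1])


def days_remaining(not_after, now=None):
    """Whole days until expiry; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


if __name__ == "__main__":
    not_before, not_after = validity_from_asn1parse(SAMPLE)
    print("notBefore:", not_before.isoformat())
    print("notAfter: ", not_after.isoformat())
    print("days remaining:", days_remaining(not_after))
```

To run it against a real certificate, feed the output of the `asn1parse` command above to `validity_from_asn1parse` in place of `SAMPLE`.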