How can I get the expiration date of a certificate in a keychain from the command line?
I'm looking for a way to get the expiration date of a certificate from the command line. The certificate is in the default 'login' keychain and I know its name. How can I do this?
GuyGizmo's answer doesn't seem to work with Xcode 10.1 tools on macOS 10.14.4. I pulled this way together after a few tries.
Since I was trying to find out when my developer code signing certificate expires from the command line, I could readily look at apps that I had signed:
codesign --display --verbose --extract-certificates /path/to/dir.app
That tells you a certain amount about the app, and extracts the embedded signing certificate (without its private key, so there's no need for passwords) to a file called codesign0 in the current directory, in DER format. The other certificates in the chain of trust are extracted to codesign1, codesign2 and so on, for as many as are needed. It's probably best to remove them once you've finished with them.
You can then use the OpenSSL command-line tool to get the expiry date:
openssl x509 -inform der -in codesign0 -enddate -noout
Which prints a result like:
notAfter=June 8 10:37:33 2020 GMT
Another way to get the same information from the codesign0 file, in a format that may be easier to parse with a programming language, is:
openssl asn1parse -in codesign0 -inform der | grep UTCTIME
That will show you the beginning and ending dates in ASN.1 UTC time format, which is usually YYMMDDhhmmssZ in an Apple code signing certificate. Yes, the two-digit year does mean an ASN.1 UTC time wraps around every century.