Details on exact expiration datetime of an SSL certificate?

Let's say we have an SSL certificate for a site. According to a web browser, the certificate expires tomorrow, Dec 10 2011.

OK, but that glosses over time zones. When will it expire, exactly?

  • 00:00 local time of the server (e.g. ET)
  • 00:00 local time of the user browsing the site (wherever)
  • 00:00 UTC

?

(Context of question: An admin who likes to wait until the last day before expiration, to set up the new cert. Why? To "get the most value out of it", he says. I don't follow that logic, exactly, and probably he should just replace it a few days earlier? But anyway I'm concerned/curous whether the cert may stop working for some/all users, before 00:00 our local time.)


Solution 1:

Almost all cert vendors will renew a cert for the additional whole year (or whatever time frame) for a month or so before the previous expires. So if your cert was good for Dec 10, 2010 to Dec 10, 2011; you can get a new cert in November and it'll be good for Nov 20, 2011 to Dec 10, 2012. That way you don't have to worry about "getting the most value out of it".

To answer the question, certs specify the time down to the minute, and include a time zone.

You can feed your public cert through openssl x509 -in Certificate_File.pem -text and it will output the Validity range. The following is from my personal websites from last year:

Not Before: Apr 20 20:48:59 2010 GMT
Not After : Jun  5 01:52:13 2011 GMT

Solution 2:

If you want to test response from the client side or if you don't have the certificate file itself handy:

# echo | openssl s_client -connect www.example.tld:443 2>/dev/null | openssl x509 -noout -dates

notBefore=Oct  2 22:56:44 2018 GMT
notAfter=Dec 31 22:56:44 2018 GMT

(And like the other answer it will show TZ (with the date/time stamps)
You can also try this BASH script which does files & sites..