India English
Kenya English
United Kingdom English
South Africa English
Nigeria English
United States English
United States Español
Indonesia English
Bangladesh English
Egypt العربية
Tanzania English
Ethiopia English
Uganda English
Congo - Kinshasa English
Ghana English
Côte d’Ivoire English
Zambia English
Cameroon English
Rwanda English
Germany Deutsch
France Français
Spain Català
Spain Español
Italy Italiano
Russia Русский
Japan English
Brazil Português
Brazil Português
Mexico Español
Philippines English
Pakistan English
Turkey Türkçe
Vietnam English
Thailand English
South Korea English
Australia English
China 中文
Somalia English
Canada English
Canada Français
Netherlands Nederlands

Guide To Check Certificate Expiration Dates with OpenSSL

OpenSSL is a remarkably powerful toolkit for a wide range of cryptographic tasks on Linux, macOS, and other operating systems.

One of its core functionalities is the ability to inspect and manipulate X.509 certificates. This includes the essential task of determining when a certificate will expire with the command openssl check certificate expiration.

Why Expiration Dates Matter

  • Security: Expired SSL/TLS certificates create vulnerabilities. Browsers will display warnings, and applications might refuse to establish secure connections.
  • Compliance: Many industry standards and regulations mandate the use of valid certificates.
  • User Experience: Expiration warnings erode user trust in websites and services.

Using the OpenSSL Commands

Here are the two primary ways to use OpenSSL for checking expiration:

1. Extracting the Expiration Date


openssl x509 -in certificate.crt -text -noout | grep "Not After"
  • Replace ‘certificate.crt’ with the path to your certificate file.
  • The output will include a line like this: Not After : Nov 16 23:59:59 2024 GMT

2. Checking Validity Against a Specific Time

 openssl x509 -in certificate.crt -checkend <seconds>

* Replace `<seconds>` with the number of seconds since the Unix Epoch (January 1st, 1970). You can use online converters to find this value.
* OpenSSL will provide a clear indication of the certificate's validity at the specified time.


  • openssl x509: This OpenSSL subcommand is specifically designed for working with certificates.
  • -in certificate.crt: Tells OpenSSL which certificate file to examine.
  • -text -noout: Instructs OpenSSL to produce a human-readable text output and omit the certificate itself.
  • grep “Not After”: Filters the output to show only the expiration date line.
  • -checkend: This option tells OpenSSL to determine whether the certificate will be valid at a specified point in time.

Checking Remote Certificates

OpenSSL can even check the expiration of certificates on remote servers:


openssl s_client -connect < /dev/null | openssl x509 -noout -dates

(Replace ‘‘ with the hostname of the server you want to check)

Key Takeaways

  • openssl check certificate expiration is an indispensable tool for system administrators and web developers alike.
  • OpenSSL offers flexibility by allowing you to both extract the raw expiration date and check the validity against a specific point in time.
  • Remember that certificate expiration is just one part of proper SSL/TLS management.

Read also:


Enjoy this blog? Please spread the word :)