How to Check TLS/SSL Expiration Date Using OpenSSL

TLS/SSL certificates are used for encrypting websites or web applications. They provide much-needed privacy and confidentiality to users who are interacting with the webserver via a browser or on command-line. Different SSL certificates have different validity periods with the maximum being 397 days ( 1 year, 1 month, and 2 days) from 1, September 2020. Let's Encrypt provides validity of up to 90 days.

When CA ( Certificate Authority ) issues an SSL certificate, it adds to it an expiration date beyond which the certificate stops encrypting the site. If the certificate is not renewed, visitors to your site are met by an ominous warning that your connection is not private.

This tutorial shows how to check the expiration date of an SSL/TLS certificate using OpenSSL from a live website, self-signed certificate, .p12 file, and pem certificate file.

Check TLS/SSL expire date Using OpenSSL

OpenSSL is a software library for applications commonly used to generate private keys, create CSRs, install SSL/TLS certificates, and identify certificate information. OpenSSL is installed by default in most Linux Distributions.

01. To check SSL certificate expiration date on a Live website, first define and export the variables as shown.

export SITE_URL="site name"
export SITE_SSL_PORT="443"

Then use the following openssl command to display the expiration date:

$ openssl s_client -connect ${SITE_URL}:${SITE_SSL_PORT} -servername ${SITE_URL} 2> /dev/null | openssl x509 -noout -dates
check SSL certificate expiration date from live website

02. To check for the expiry date of a self-signed certificate, type:

$ cat /etc/ssl/certs/nginx.crt | openssl x509 -noout -enddate

Here, we are checking the SSL certificate applied on the Nginx web server.

The notAfter flag indicates the expiry date. For example, in the screenshot below, the expiry of the SSL certificate is May 25 2022 at 13:47:20 hours.

find ssl expiry date of self-signed certificate

03. To check the expiration date from pem encoded certificate file

$ openssl pkcs12 -in mycert.p12 -nodes | openssl x509 -noout -enddate

04. To check expiration date from a PEM certificate file, type:

$ openssl x509 -enddate -noout -in /path/file.pem


In this tutorial, we learned how to check the expiry date of an SSL certificate in a simple and convenient way using OpenSSL. In most cases, the SSL certificate vendor will notify the impending expiry of the certificate via email, upon which will be required to renew the certificate.

Leave a Comment