Check Certificate Expiry Date, Using OpenSSL

From RZWiki

To check a SSL certificate's start and expiry date using OpenSSL use the openssl x509 or openssl pkcs7 commands as shown below;

PEM or DER Certificates

openssl x509 -in networkstuff.crt -dates -noout

font color=bluenotBefore=Feb 14 09:12:26 2006 GMT
notAfter=Feb 14 09:12:26 2007 GMT/font

The optional -noout parameter prevents the actual certificate from being displayed.

PKCS#7 Certificates

A PKCS#7 file normally contain both the actual certificate and a CA intermediate certificate combined which can be a real pain, you might want to consider converting it. See the Convert File Formats, Using OpenSSL article for information on how.

As there is no -dates option with this command the only way to check the expiry date of the actual certificate is to view the whole thing using this command syntax;

openssl pkcs7 -in networkstuff.crt -print_certs -text

You can use grep to display only the date information (the actual certificate dates will normally be listed first, then the CA intermediate certificate dates);

openssl pkcs7 -in networkstuff.crt -print_certs -text | grep Not

font color=blueNot Before: Jan 22 00:00:00 2009 GMT
Not After : Jan 22 23:59:59 2010 GMT
Not Before: Jan 19 00:00:00 2005 GMT
Not After : Jan 18 23:59:59 2015 GMT/font

Related Articles

See the Convert File Formats, Using OpenSSL article for information on converting certificates between formats.

Our other OpenSSL articles.

Information on OpenSSL Commands.

We really do appreciate all feedback so please do send your comments, suggestions or corrections to sjiveson#routerzone.eu (replacing the # with an @)