How to Check SSL Certificate Expiration Date Using OpenSSL in Linux

Eva Claes
Technical Copywriter
May 15, 2024

Ensuring the security of your website involves more than just implementing protective measures; it requires ongoing vigilance, especially when it comes to your SSL certificate. An expired SSL certificate can lead to browser warnings, loss of customer trust, and a significant drop in your search engine rankings. To avoid these issues, it's crucial to regularly check the expiration date of your SSL certificate.

Professionals in the IT realm understand the dire consequences of neglecting this essential task. This article will demonstrate how to check your SSL certificate expiration date using the OpenSSL command, a necessary skill to keep your website secure and trustworthy. Follow this guide to ensure that your SSL certificates are always up-to-date, preventing potential disruptions and maintaining user confidence.

OpenSSL command to check SSL Certificate Expiration Date

Checking the expiry date of an SSL certificate is crucial in order to avoid service interruptions and maintain website security. OpenSSL is a robust tool that can help IT professionals manage this task efficiently.

To begin the process from the Linux command line, the following command can be used to retrieve the SSL certificate information from a given server:

$ openssl s_client -connect watchsumo.com:443 -servername watchsumo.com </dev/null 2>/dev/null | openssl x509 -noout -dates
notBefore=Dec 11 10:54:49 2023 GMT
notAfter=Mar 10 10:54:48 2024 GMT

Replace watchsumo.com with the domain name of the website you are querying. This command performs the following actions:

  • openssl s_client: This command is a diagnostic tool that provides information about the SSL connection, including the SSL certificate itself.
  • connect watchsumo.com:443: It specifies the host and port to connect to.
  • servername watchsumo.com: This is for SNI (Server Name Indication) which allows you to specify the hostname to which you are connecting, typically it will be the same as the host.
  • openssl x509 -noout -dates: This part of the command is responsible for extracting the validity dates from the SSL certificate.

Upon execution, two dates will be returned:

  • notBefore: This is the date from which the SSL certificate is valid.
  • notAfter: This is the expiry date of the certificate.

It is importand to replace the certifcate well before the notAfter date, as once this is reached browsers will not longer trust the certificate and users will not be able to access your website.

Checking Expiry Date of a SSL Certificate file

If you have a certificate file, which commonly have .crt or .pem extensions, you can obtain detailed information about your SSL certificate, including its expiration date with the following command. This is useful when replacing a certificate, to ensure the new certificate is valid.

$ openssl x509 -in your_certificate.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:fc:dc:40:9c:75:ec:35:d6:ab:94:38
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Validity
            Not Before: Dec 11 10:54:49 2023 GMT
            Not After : Mar 10 10:54:48 2024 GMT
        Subject: CN=watchsumo.com
...

When executing this command, you'll need to replace certificate.crt with the actual path and filename of your SSL certificate. The command performs the following actions:

  • openssl x509: This specifies that you are using the x509 certificate display and handling tool, which is part of the OpenSSL suite.
  • in certificate.crt: This option specifies the certificate file that you want to check.
  • text: This option signifies that you wish to view the complete details of the certificate in human-readable text form.
  • noout: This prevents the encoded version of the certificate from being output, leaving only the text information.

The execution of this command provides you with a comprehensive overview of the certificate's contents, including:

  • Subject: The entity to which the SSL certificate was issued.
  • Issuer: The certificate authority (CA) that issued the SSL certificate.
  • Validity: The dates for which the certificate is valid, including:
    • Not Before: The date from which the certificate is valid.
    • Not After: The certificate's expiry date.
  • Public Key: Details about the key, such as the algorithm and size.
  • Signature Algorithm: The algorithm used to sign the certificate.

Why continuous SSL certificate monitoring is crucial for website security

Maintenance of SSL certificates is not just a one-time set-up task but a critical ongoing process. With a staggering 81% of companies experiencing a certificate-related outage in the past two years, this is a common yet preventable issue. SSL certificates are the backbone of secure communication on the internet, ensuring data transferred between web servers and browsers remains private and integral.

SSL certificate outages can lead to dire consequences such as:

  • Interruptions in Website Availability: Every minute of downtime can translate to lost revenue and customer trust.
  • Security Warnings: Browsers display warnings to users when they visit sites with expired certificates, potentially turning customers away.
  • Search Ranking Penalties: Search engines penalize websites with expired SSL certificates, lowering your site's visibility.
  • Increased Vulnerability to Cyber Attacks: An expired certificate can be an entry point for cybercriminals to exploit.

In an environment where uptime and security are paramount, employing a robust monitoring service like WatchSumo is a strategic move. Such services provide continuous monitoring of SSL certificates, ensuring that the certificates are up to date. WatchSumo not only sends your timely alerts before your SSL certificate expires, but it can also alert you to other configuration errors that could prevent it from being trusted by browsers, which helps businesses avoid unexpected downtime and maintain the integrity of their online presence.

Conclusion

In summary, monitoring your SSL certificate’s expiration date is essential for maintaining a secure and trustworthy website. Regularly checking your SSL certificates using tools like OpenSSL can prevent service interruptions, security warnings, and potential search ranking penalties. Employing proactive SSL certificate monitoring solutions like WatchSumo can further ensure that your certificates are always up-to-date, helping you avoid unexpected downtime and safeguard your online presence. By staying vigilant about SSL certificate management, you protect your website and build lasting trust with your users.