How to check SSL Certificate Expiry

Eva Claes
Technical Copywriter
January 09, 2024

Imagine you're the captain of a digital ship navigating through the vast ocean of data on the internet. Your SSL certificate is like the robust hull of your ship, safeguarding precious cargo -user trust and sensitive information - against the treacherous waters of cyber threats. Now, visualize this scenario: as you're steering towards the horizon of seamless user experience, suddenly you hit the unseen iceberg of an expired SSL certificate. Chaos ensues - warnings flash across browsers, customers retreat, and Google casts a shadow on your once-prominent search rankings. To avoid this catastrophic fate, it's integral to keep a vigilant eye on the expiration date of your SSL certificate. Professionals in the IT realm understand the dire consequences of oversight in this area. This article sets sail to demonstrate how to check SSL certificate expiry using the OpenSSL command, a necessary skill to ensure that your website remains a trustworthy haven in the digital expanse.

Checking SSL Certificate Expiry with OpenSSL

Checking the expiry date of an SSL certificate is crucial in order to avoid service interruptions and maintain website security. OpenSSL is a robust tool that can help IT professionals manage this task efficiently.

To begin the process from the Linux command line, the following command can be used to retrieve the SSL certificate information from a given server:

$ openssl s_client -connect watchsumo.com:443 -servername watchsumo.com </dev/null 2>/dev/null | openssl x509 -noout -dates
notBefore=Dec 11 10:54:49 2023 GMT
notAfter=Mar 10 10:54:48 2024 GMT

Replace watchsumo.com with the domain name of the website you are querying. This command performs the following actions:

  • openssl s_client: This command is a diagnostic tool that provides information about the SSL connection, including the SSL certificate itself.
  • connect watchsumo.com:443: It specifies the host and port to connect to.
  • servername watchsumo.com: This is for SNI (Server Name Indication) which allows you to specify the hostname to which you are connecting, typically it will be the same as the host.
  • openssl x509 -noout -dates: This part of the command is responsible for extracting the validity dates from the SSL certificate.

Upon execution, two dates will be returned:

  • notBefore: This is the date from which the SSL certificate is valid.
  • notAfter: This is the expiry date of the certificate.

It is importand to replace the certifcate well before the notAfter date, as once this is reached browsers will not longer trust the certificate and users will not be able to access your website.

Examining a SSL Certificate file

If you have a certificate file, which commonly have .crt or .pem extensions, you can obtain detailed information about your SSL certificate, including its expiration date with the following command. This is useful when replacing a certificate, to ensure the new certificate is valid.

$ openssl x509 -in your_certificate.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:fc:dc:40:9c:75:ec:35:d6:ab:94:38
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Validity
            Not Before: Dec 11 10:54:49 2023 GMT
            Not After : Mar 10 10:54:48 2024 GMT
        Subject: CN=watchsumo.com
...

When executing this command, you'll need to replace certificate.crt with the actual path and filename of your SSL certificate. The command performs the following actions:

  • openssl x509: This specifies that you are using the x509 certificate display and handling tool, which is part of the OpenSSL suite.
  • in certificate.crt: This option specifies the certificate file that you want to check.
  • text: This option signifies that you wish to view the complete details of the certificate in human-readable text form.
  • noout: This prevents the encoded version of the certificate from being output, leaving only the text information.

The execution of this command provides you with a comprehensive overview of the certificate's contents, including:

  • Subject: The entity to which the SSL certificate was issued.
  • Issuer: The certificate authority (CA) that issued the SSL certificate.
  • Validity: The dates for which the certificate is valid, including:
    • Not Before: The date from which the certificate is valid.
    • Not After: The certificate's expiry date.
  • Public Key: Details about the key, such as the algorithm and size.
  • Signature Algorithm: The algorithm used to sign the certificate.

The Importance of Monitoring SSL Certificates

Maintenance of SSL certificates is not just a one-time set-up task but a critical ongoing process. With a staggering 81% of companies experiencing a certificate-related outage in the past two years, this is a common yet preventable issue. SSL certificates are the backbone of secure communication on the internet, ensuring data transferred between web servers and browsers remains private and integral.

SSL certificate outages can lead to dire consequences such as:

  • Interruptions in Website Availability: Every minute of downtime can translate to lost revenue and customer trust.
  • Security Warnings: Browsers display warnings to users when they visit sites with expired certificates, potentially turning customers away.
  • Search Ranking Penalties: Search engines penalize websites with expired SSL certificates, lowering your site's visibility.
  • Increased Vulnerability to Cyber Attacks: An expired certificate can be an entry point for cybercriminals to exploit.

In an environment where uptime and security are paramount, employing a robust monitoring service like WatchSumo is a strategic move. Such services provide continuous monitoring of SSL certificates, ensuring that the certificates are up to date. WatchSumo not only sends your timely alerts before your SSL certificate expires, but it can also alert you to other configuration errors that could prevent it from being trusted by browsers, which helps businesses avoid unexpected downtime and maintain the integrity of their online presence.

Conclusion

In the digital voyage of maintaining a secure website, the monitoring of SSL certificates is a beacon of necessity. Timely renewal and management of SSL certificates are paramount to shield your digital platform from trust erosion and operational disruptions. Proactive SSL certificate monitoring with solutions like WatchSumo is a commendable strategy, offering automated vigilance and prompt alerts to champion uninterrupted service and enduring website integrity. Embrace such measures to ensure that your website does not merely survive but thrives in the competitive seas of the worldwide web.