Check SSL Certificate expiration from command line

Check SSL Certificate expiration from command line

Get the expiration of a certificate file

If you've ever had a certificate file and you weren't sure when it expires, you might not want to install it just to check. Instead, you can run the following command and it will show you the expiration date and time of the certificate

Get expiration of certificate file 
openssl x509 -noout -in file.crt -enddate
This works for any pem format (.crt and .pem) certificates

Get the expiration of a certificate in use by a service

When a certificate is in use on a running service, you can get its expiration date with a similar command. This can also be useful for monitoring your certificates.

Depending on the service, the command might vary slightly. Here are some examples:

HTTPS 
echo | openssl s_client -servername hostname.com -connect hostname.com:443 2>/dev/null | openssl x509 -noout -enddate
The servername parameter provides the SNI hostname needed for name based virtual hosts
POP3 
echo | openssl s_client -connect hostname.com:995 2>/dev/null | openssl x509 -noout -enddate
IMAP 
echo | openssl s_client -connect hostname.com:993 2>/dev/null | openssl x509 -noout -enddate
SMTPS 
echo | openssl s_client -connect hostname.com:465 2>/dev/null | openssl x509 -noout -enddate
Note that port 465 is no longer supposed to be used for SMTPS.
SMTP with STARTTLS 
echo | openssl s_client -starttls smtp -connect hostname.com:587 2>/dev/null | openssl x509 -noout -enddate

You can further parse the output of these commands if you do want to automate monitoring of the expiration of your certificates.