How to check TLS/SSL certificate expiration date from command-line


How do I check the TLS/SSL certificate's expiration date from my Linux or Unix shell prompt? How can I find the TLS certificate expiry date from Linux or Unix shell scripts?

We can quickly solve TLS or SSL certificate issues by checking the certificate's expiration from the command line. Let us see how to determine the TLS or SSL certificate expiration date from a PEM encoded certificate file and from a live production website/domain name too when using a Linux, *BSD, macOS or Unix-like system.


How to check TLS/SSL certificate expiration date from command-line

To check the SSL certificate expiration date, we are going to use the OpenSSL command-line client. The OpenSSL client provides tons of data, including validity dates, expiry dates, who issued the TLS/SSL certificate, and much more.

Check the expiration date of an SSL or TLS certificate

Open the Terminal application and then run the following command:
$ openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates
$ echo | openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates
Let us find out the expiration date for www.nixcraft.com, enter:

DOM="www.nixcraft.com"
PORT="443"
openssl s_client -servername $DOM -connect $DOM:$PORT \
| openssl x509 -noout -dates

Sample outputs indicating dates and other information:

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.nixcraft.com
verify return:1
notBefore=Sep 29 23:10:07 2020 GMT
notAfter=Dec 28 23:10:07 2020 GMT

Add the echo command to avoid pressing CTRL+C. For example:

DOM="www.cyberciti.biz"
PORT="443"
## note echo added ##
echo | openssl s_client -servername $DOM -connect $DOM:$PORT \
| openssl x509 -noout -dates

OpenSSL in action: Check the TLS/SSL certificate expiration date and time

Understanding openssl command options

The openssl command is a very useful diagnostic tool for TLS and SSL servers. The openssl command-line options are as follows:

  1. s_client : The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS.
  2. -servername $DOM : Set the TLS SNI (Server Name Indication) extension in the ClientHello message to the given value.
  3. -connect $DOM:$PORT : This specifies the host ($DOM) and optional port ($PORT) to connect to.
  4. x509 : Run certificate display and signing utility.
  5. -noout : Prevents output of the encoded version of the certificate.
  6. -dates : Prints out the start and expiry dates of a TLS or SSL certificate.
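
To use the notAfter line for monitoring a live host, the following added example (not from the original article) converts it into a state plus days remaining and treats a failed connection as its own result. It assumes GNU date and the coreutils timeout command; the function names, state strings and the 10-second timeout are illustrative choices.

```bash
#!/bin/bash
# Added example: turn openssl's "notAfter=..." line into a monitoring state.
# Assumes GNU date (date -d) and coreutils timeout; names are illustrative.

# expiry_state "notAfter=<date>" WARN_DAYS [NOW_EPOCH]
# Prints "STATE DAYS"; returns 2 if the line is not a parsable notAfter date.
expiry_state() {
    local line="$1" warn="$2" now="${3:-$(date +%s)}" end secs
    case "$line" in
        notAfter=*) ;;
        *) return 2 ;;          # e.g. empty output after a failed handshake
    esac
    end="$(date -u -d "${line#notAfter=}" +%s 2>/dev/null)" || return 2
    secs=$(( end - now ))
    # Decide on seconds, not whole days, so a certificate that expired an
    # hour ago is EXPIRED rather than "0 days left".
    if [ "$secs" -le 0 ]; then
        echo "EXPIRED $(( secs / 86400 ))"
    elif [ "$secs" -lt $(( warn * 86400 )) ]; then
        echo "WARNING $(( secs / 86400 ))"
    else
        echo "OK $(( secs / 86400 ))"
    fi
}

# check_host HOST [PORT] [WARN_DAYS]
# Prints "STATE DAYS HOST:PORT"; returns 2 if no certificate was retrieved.
check_host() {
    local host="$1" port="${2:-443}" warn="${3:-7}" line state
    # "echo |" closes stdin so s_client exits; timeout bounds a hung connect.
    line="$(echo | timeout 10 openssl s_client -servername "$host" \
                -connect "$host:$port" 2>/dev/null \
            | openssl x509 -noout -enddate 2>/dev/null)"
    if state="$(expiry_state "$line" "$warn")"; then
        echo "$state $host:$port"
    else
        echo "UNKNOWN - $host:$port"
        return 2
    fi
}

# Usage: check_host www.nixcraft.com 443 14
```
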

Finding SSL certificate expiration date from a PEM encoded certificate file

The syntax is as follows to query the certificate file for when the TLS/SSL certificate will expire:
$ openssl x509 -enddate -noout -in {/path/to/my/my.pem}
$ openssl x509 -enddate -noout -in /etc/nginx/ssl/www.cyberciti.biz.fullchain.cer.ecc
$ openssl x509 -enddate -noout -in /etc/nginx/ssl/www.nixcraft.com.fullchain.cer

notAfter=Dec 29 23:48:42 2020 GMT

We can also check if the certificate expires within the given timeframe. For example, find out if the TLS/SSL certificate expires within the next 7 days (604800 seconds):
$ openssl x509 -enddate -noout -in my.pem -checkend 604800
# Check if the TLS/SSL cert will expire in next 4 months #
openssl x509 -enddate -noout -in my.pem -checkend 10520000

Finding out whether the TLS/SSL certificate has expired or will expire within the next N days in seconds.

Shell script to determine SSL certificate expiration date from the crt file itself and alert sysadmin

Here is a sample shell script:

#!/bin/bash
# Purpose: Alert sysadmin/developer about the TLS/SSL cert expiry date in advance
# Author: Vivek Gite {https://www.cyberciti.biz/} under GPL v2.x+
# -------------------------------------------------------------------------------
PEM="/etc/nginx/ssl/letsencrypt/cyberciti.biz/cyberciti.biz.fullchain.cer"

# 7 days in seconds
DAYS="604800"

# Email settings
_sub="$PEM will expire within $DAYS (7 days)."
_from="[email protected]"
_to="[email protected]"
_openssl="/usr/bin/openssl"
$_openssl x509 -enddate -noout -in "$PEM" -checkend "$DAYS" | grep -q 'Certificate will expire'

# Send email and push message to my mobile
if [ $? -eq 0 ]
then
	echo "${_sub}"
	mail -s "$_sub" -r "$_from" "$_to" <<< "Warning: The TLS/SSL certificate ($PEM) will expire soon on $HOSTNAME [$(date)]"
	# See https://www.cyberciti.biz/mobile-devices/android/how-to-push-send-message-to-ios-and-android-from-linux-cli/ #
	source ~/bin/cli_app.sh
	push_to_mobile "$0" "$_sub. See $_to email for detailed log. -- $HOSTNAME " >/dev/null
fi
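
Because the script above greps the -checkend message, a wrong path or an unreadable PEM file produces no match and therefore no alert. The following added example (not part of the original script) relies on the exit status of -checkend instead and reports unreadable files as a separate state; the function names and state strings are assumptions, and the sample certificate helper generates constructed test input.

```bash
#!/bin/bash
# Added example: classify PEM certificate files by the exit status of
# "openssl x509 -checkend". Function names and states are illustrative.

# cert_state FILE [WARN_SECONDS]
# Prints one of: UNREADABLE, EXPIRED, EXPIRING, OK
cert_state() {
    local pem="$1" warn="${2:-604800}"   # default: 7 days in seconds

    # -checkend exits 1 both when the certificate will expire and when
    # the file cannot be loaded, so confirm that it parses first.
    if ! openssl x509 -noout -in "$pem" >/dev/null 2>&1; then
        echo "UNREADABLE"
    # -checkend 0 exits 1 if the certificate has already expired.
    elif ! openssl x509 -noout -in "$pem" -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED"
    elif ! openssl x509 -noout -in "$pem" -checkend "$warn" >/dev/null 2>&1; then
        echo "EXPIRING"
    else
        echo "OK"
    fi
}

# check_all WARN_SECONDS FILE...
# Prints "STATE FILE" per certificate and returns non-zero if any file is
# not OK, so cron or a monitoring wrapper can alert on the exit status.
check_all() {
    local warn="$1" rc=0 pem state
    shift
    for pem in "$@"; do
        state="$(cert_state "$pem" "$warn")"
        printf '%s %s\n' "$state" "$pem"
        [ "$state" = "OK" ] || rc=1
    done
    return "$rc"
}

# Constructed sample input: a throwaway self-signed certificate that is
# valid for DAYS days. Usage: make_sample_cert OUTFILE DAYS
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=constructed.example" -days "$2" -out "$1" 2>/dev/null \
        && rm -f "$1.key"
}

# Usage: check_all 604800 /path/to/a.pem /path/to/b.pem || echo "alert"
```
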

See how to send push notifications to your phone from a script. Of course, you need a working SMTP server to route email. At work we configured AWS SES with Postfix MTA to route all alert emails. See the following tutorials for more information about sending emails from the CLI:

Say hello to testssl and ssl-cert-check script

We can use the testssl shell script, which is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more. Download and run it as follows:
$ wget https://testssl.sh/testssl.sh
$ chmod +x testssl.sh
$ ./testssl.sh --fast --parallel https://www.cyberciti.biz/
Another option is to run the ssl-cert-check script, which is a Bourne shell script that can be used to report on expiring SSL certificates. The script was designed to be run from cron and can e-mail warnings or log alerts through nagios.

Conclusion

In this quick tutorial, you learned how to find the TLS/SSL certificate expiration date from a PEM encoded certificate file, as well as from a live DNS name. Expired TLS/SSL certificates can cause downtime and confusion for end-users. Hence, it is essential to monitor the expiry date for our TLS/SSL certificates. See the following man pages:
$ man x509
$ man s_client
