How to Check SSL Certificate Expiration Date Using OpenSSL

Eva Claes
Technical Copywriter
December 3, 2024

Ensuring the security of your website involves more than just implementing protective measures; it requires ongoing vigilance, especially when it comes to your SSL certificate. An expired SSL certificate can lead to browser warnings, loss of customer trust, and a significant drop in your search engine rankings. To avoid these issues, it's crucial to regularly check the expiration date of your SSL certificate.

Professionals in the IT realm understand the dire consequences of neglecting this essential task. This article demonstrates how to check your SSL certificate expiration date using the OpenSSL command, a necessary skill to keep your website secure and trustworthy. Follow this guide to ensure your SSL certificates are always up-to-date, preventing potential disruptions and maintaining user confidence.

Using OpenSSL to Check SSL Certificate Expiration Date

Regularly checking the expiry date of an SSL certificate is essential to prevent service interruptions and maintain website security. OpenSSL is a robust tool that can help IT professionals manage this task efficiently.

Checking SSL Expiration Date from a Server

To check the expiration date of an SSL certificate for a server, use the following command from the Linux command line:

$ openssl s_client -connect watchsumo.com:443 -servername watchsumo.com </dev/null 2>/dev/null | openssl x509 -noout -dates

Example output:

notBefore=Dec 11 10:54:49 2023 GMT
notAfter=Mar 10 10:54:48 2024 GMT

Explanation:

  1. openssl s_client: A diagnostic tool that retrieves SSL connection details.
  2. -connect watchsumo.com:443: Specifies the host and port to connect to.
  3. -servername watchsumo.com: Indicates the hostname for SNI (Server Name Indication).
  4. openssl x509 -noout -dates: Extracts the validity dates of the SSL certificate.

Replace watchsumo.com with the domain name you want to query.

The notBefore date indicates when the certificate becomes valid, and the notAfter date is the expiration date.

Ensure you replace your certificate well before the notAfter date to avoid interruptions!

Checking the Expiry Date of a Local Certificate File

If you have a certificate file (commonly .crt or .pem), you can check its details, including the expiration date, with this command:

$ openssl x509 -in your_certificate.crt -text -noout

Example output:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:fc:dc:40:9c:75:ec:35:d6:ab:94:38
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Validity
            Not Before: Dec 11 10:54:49 2023 GMT
            Not After : Mar 10 10:54:48 2024 GMT
        Subject: CN=watchsumo.com

Explanation:

  1. openssl x509: Specifies the certificate tool.
  2. -in your_certificate.crt: Specifies the certificate file to analyze.
  3. -text: Outputs detailed certificate information in human-readable form.
  4. -noout: Prevents the encoded certificate data from being displayed.

Replace your_certificate.crt with the actual file path and name of your certificate. This command provides additional details like the subject, issuer, and public key.

Why Monitoring SSL Certificates Is Crucial

SSL certificates are the backbone of secure communication on the internet. However, they require continuous monitoring to avoid the following issues:

  • Interruptions in Website Availability: Downtime caused by expired certificates can lead to revenue loss and damaged customer trust.
  • Browser Security Warnings: Browsers display warnings for expired certificates, discouraging users from visiting your site.
  • Search Engine Penalties: Search engines penalize sites with expired certificates, reducing visibility.
  • Increased Cybersecurity Risks: Expired certificates create vulnerabilities that attackers can exploit.

Real-World Example:

A study shows that 81% of companies experienced certificate-related outages in the past two years. This is a preventable issue with proper monitoring.

Proactive SSL Certificate Monitoring with WatchSumo

Employing a monitoring service like WatchSumo can simplify SSL certificate management and monitor all common SSL certificate errors. WatchSumo provides:

  • Continuous Monitoring: Ensures your certificates are always valid.
  • Timely Alerts: Notifies you before certificates expire.
  • Configuration Error Detection: Identifies issues that could prevent certificates from being trusted by browsers.

With tools like WatchSumo, businesses can avoid unexpected downtime, maintain their online presence, and build trust with users.

Conclusion

Monitoring your SSL certificate expiration dates is essential for maintaining a secure and trustworthy website. Regularly checking your SSL certificates using tools like OpenSSL prevents service interruptions, security warnings, and potential search ranking penalties. For enhanced reliability, consider using SSL monitoring solutions like WatchSumo to automate this critical process. By staying vigilant about SSL certificate management, you safeguard your website, protect your users, and build lasting trust.