Check an SSL Certificate with OpenSSL

Inspect any SSL/TLS certificate from the command line with OpenSSL — or check it instantly with the tool below.

View certificate expiration dates

Connect to the server and print only the validity window. The notBefore and notAfter values are the start and expiry dates of the certificate.

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates

Show the issuer and subject

See who the certificate was issued to and which certificate authority signed it.

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -issuer -subject

Print the full certificate details

Dump everything — serial number, signature algorithm, extensions, and the Subject Alternative Names the certificate covers.

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -text

Inspect a local certificate file

Already have the .crt or .pem file? Read it directly without connecting to a server.

openssl x509 -in certificate.crt -noout -dates -issuer -subject

Fail if the certificate expires soon

Useful in scripts and cron jobs: with -checkend, openssl x509 exits with a non-zero code when the certificate expires within the given number of seconds (here, 7 days), and with 0 otherwise.

openssl x509 -in certificate.crt -noout -checkend 604800
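
A monitoring script also needs to tell "expires soon" apart from "could not read the certificate", because openssl x509 exits non-zero in both cases. The wrapper below is an added example, not part of the original page; the function names check_cert_expiry, make_sample_cert and report are hypothetical, and the test certificate is constructed on the spot.

```shell
#!/bin/sh
# Added example (not from the original page). check_cert_expiry,
# make_sample_cert and report are hypothetical helper names.

# check_cert_expiry FILE DAYS
#   returns 0: certificate is valid for more than DAYS days
#   returns 1: certificate expires within DAYS days (or has already expired)
#   returns 2: FILE is missing or is not a parseable certificate
check_cert_expiry() {
    cert_file=$1
    days=$2
    # -checkend alone exits non-zero both for "expires soon" and for
    # "could not load the file", so confirm the file parses first.
    if ! openssl x509 -in "$cert_file" -noout >/dev/null 2>&1; then
        return 2
    fi
    if openssl x509 -in "$cert_file" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# make_sample_cert DIR: write a constructed self-signed test certificate
# (CN=example.test, valid for 30 days) to DIR/sample.crt.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=example.test" \
        -keyout "$1/sample.key" -out "$1/sample.crt" >/dev/null 2>&1
}

# report FILE DAYS: one status line per certificate, for cron mail or logs.
report() {
    rc=0
    check_cert_expiry "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: $1 is valid for more than $2 days" ;;
        1) echo "WARN: $1 expires within $2 days" ;;
        2) echo "ERROR: $1 could not be read as a certificate" ;;
    esac
}

# Demo on constructed input: a 30-day certificate checked against two windows.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir"
report "$demo_dir/sample.crt" 7
report "$demo_dir/sample.crt" 60
report "$demo_dir/missing.crt" 7
rm -rf "$demo_dir"
```

The same distinction matters for the piped s_client form: if the connection fails, openssl x509 receives empty input and also exits non-zero.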

Frequently asked questions

How do I check only the SSL expiration date with OpenSSL?

Pipe the connection into "openssl x509 -noout -dates" — the notAfter value is the expiry date.

What does the -servername flag do?

It sends the hostname in the TLS Server Name Indication (SNI) extension, so servers hosting multiple sites return the correct certificate for your domain.

Is there an easier way than OpenSSL?

Yes — enter your domain in the checker above to see the same details instantly, with no command line needed.
