 

How to determine SSL cert expiration date from a PEM encoded certificate?

If I have the actual file and a Bash shell in Mac or Linux, how can I query the cert file for when it will expire? Not a web site, but actually the certificate file itself, assuming I have the csr, key, pem and chain files.

GL2014 asked Jan 23 '14 01:01




2 Answers

With openssl:

openssl x509 -enddate -noout -in file.pem 

The output is of the form:

notAfter=Nov  3 22:23:50 2014 GMT 

Also see MikeW's answer for how to easily check whether the certificate has expired or not, or whether it will within a certain time period, without having to parse the date above.

that other guy answered Sep 22 '22 00:09


If you just want to know whether the certificate has expired (or will do so within the next N seconds), the -checkend <seconds> option to openssl x509 will tell you:

if openssl x509 -checkend 86400 -noout -in file.pem
then
  echo "Certificate is good for another day!"
else
  echo "Certificate has expired or will do so within 24 hours!"
  echo "(or is invalid/not found)"
fi

This saves having to do date/time comparisons yourself.

openssl will return an exit code of 0 (zero) if the certificate has not expired and will not do so for the next 86400 seconds, in the example above. If the certificate will have expired or has already done so - or some other error like an invalid/nonexistent file - the return code is 1.

(Of course, it assumes the time/date is set correctly)

Be aware that older versions of openssl have a bug which means if the time specified in checkend is too large, 0 will always be returned (https://github.com/openssl/openssl/issues/6180).

MikeW answered Sep 22 '22 00:09
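
The two answers above combined into one check, as an added example that is not part of either answer: because `-checkend` returns 1 both for a certificate that is about to expire and for a file that cannot be read, the function parses the file first and then uses a window of 0 seconds to separate "expiring" from "already expired". The names `cert_status` and `cert_report`, the status words and the return codes are assumptions chosen for this example.

```shell
#!/usr/bin/env bash
# Added example: function names, status words and return codes are chosen here.
# Usage: cert_status FILE [WINDOW_SECONDS]   (window defaults to 86400 = 1 day)
# Prints ok | expiring | expired | invalid and returns 0 | 1 | 2 | 3.
cert_status() {
  local file=$1 window=${2:-86400}

  # -checkend alone returns 1 both for "expires soon" and for "cannot read
  # the file", so confirm the file parses as an X.509 certificate first.
  if ! openssl x509 -noout -in "$file" >/dev/null 2>&1; then
    echo invalid; return 3
  fi
  # Exit code 0 here means: still valid after $window seconds.
  if openssl x509 -checkend "$window" -noout -in "$file" >/dev/null 2>&1; then
    echo ok; return 0
  fi
  # A window of 0 separates "expires within the window" from "already expired".
  if openssl x509 -checkend 0 -noout -in "$file" >/dev/null 2>&1; then
    echo expiring; return 1
  fi
  echo expired; return 2
}

# Usage: cert_report WINDOW_SECONDS FILE...
# Prints "FILE <tab> STATUS <tab> notAfter=..." per file and returns 1 if
# any file is not "ok", so it can gate a cron job or CI step.
cert_report() {
  local window=$1 rc=0 f status enddate
  shift
  for f in "$@"; do
    status=$(cert_status "$f" "$window") || rc=1
    enddate=$(openssl x509 -enddate -noout -in "$f" 2>/dev/null) \
      || enddate="notAfter=unknown"
    printf '%s\t%s\t%s\n' "$f" "$status" "$enddate"
  done
  return "$rc"
}
```

Keep the window modest (days or weeks rather than years), given the `-checkend` bug in older openssl versions mentioned above.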