OpenSSL: Check SSL Certificate Expiration Date and Get more info

Everything Linux, A.I, IT News, DataOps, Open Source and more delivered right to you.
Subscribe
"The best Linux newsletter on the web"

I will keep this tutorial short and easy to follow. With OpenSSL commands, So we can get much information from a https site like the certificate expiration date, the issuer of the certificates and fingerprint, and more things Lets start now .

So How to get Full ssl information data from an https site

openssl s_client -servername NAME -connect HOST:PORT

-servername is optional but you can use it to put the fqdn name

-connect host:port . it the website and port in most situations is 443, else put the real SSL port

Also Get full Certificate data with OpenSSL

openssl s_client -servername unixcop.com  -connect unixcop.com:443
CONNECTED(00000004)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = unixcop.com
verify return:1
---
Certificate chain
 0 s:CN = unixcop.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFLTCCBBWgAwIBAgISBFQRFmfTSdVTX55lc1IttlfZMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTA4MjAxNDIwNTJaFw0yMTExMTgxNDIwNTFaMBYxFDASBgNVBAMT
C3VuaXhjb3AuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0Mbt
LWf/Eu/1JzFoDSWKg/qFkOl5ByjIZ5EcGi8jv6EeDIToYNbgVHdcbSszigIyv6Z4
/CvZuxyAlOqBhxjKhtL4zuPFgLuE2UEX5dyiBP0MzuNR/xFXX/3iaJKoptuQTmJJ
FZ1fwWHsPWtGvI8ZGdBH8r0rPMvACcs0+SDDF3/tcpQg2tz3hxZwFTuWyQ8zQvui
XHtq724gjPGvr3huJ74Q6d/Uj/pgrHHFyke+f0FvlUnUdVT8UeTIlz7WOKP/cieh
NpJ+S7FyPaxuztuJqBwQwQtXHy8NNcZyzVMqOtGnODJG/k9WqrpvZgpig+b9ReQT
iV8XpJO7MeGESTB1cwIDAQABo4ICVzCCAlMwDgYDVR0PAQH/BAQDAgWgMB0GA1Ud
JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQW
BBSWxY3A0mjbpTe02TPrp+y/vWkcaDAfBgNVHSMEGDAWgBQULrMXt1hWy65QCUDm
H6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9yMy5v
LmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3JnLzAn
BgNVHREEIDAeggt1bml4Y29wLmNvbYIPd3d3LnVuaXhjb3AuY29tMEwGA1UdIARF
MEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6
Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHUA
RJRlLrDuzq/EQAfYqP4owNrmgr7YyzG1P9MzlrW2gagAAAF7ZCaLIwAABAMARjBE
AiAFljtSwllL7T20p2oOAKXiemCvk3mYURJLqULiEdI7VQIgVwzoGReeSFFPJB8N
urF+Q8npj/giaucw3q0dTbXHTSAAdwB9PvL4j/+IVWgkwsDKnlKJeSvFDngJfy5q
l2iZfiLw1wAAAXtkJosyAAAEAwBIMEYCIQDL4Cw/6iK8pWFlATSBdlkQtVj2hrKk
QDLZuw2wELXlmgIhAPRE9slgsqH8Bt5LlGAJ2CLeFQYxs79IZuuwxxMDFTRWMA0G
CSqGSIb3DQEBCwUAA4IBAQB5BTtp1BzuNCHEoi/S4ESt9O5gnu3KieMpWQ9ranH8
7XFgK+b4KNcy4r/H399u+auLhBxC4/+cR91Dh6hpTERhrcjENnWrTLgUrnSX/Kse
nsrFOUggjx12zB7hcC+iENixbFRjREDZOWZ9HOPEiaw6+GhFYEVRR9drpihamvQu
P0GBheT712z95yAc4BkiTUN5JBlj4D0f/zhIzpIPkJoYY+oxJ8qMmSUgD8wrtzVD
MqlcJWrQoZycLB7ZxICG9uqkCFoij+LaFaQsoIWElXMpsQ5Yo+AUkZeLF5R6HZE4
Q9CNy8wYRMsO1SYtMMmqI1jitdrVWsTacPcJhSjtPDFV
-----END CERTIFICATE-----
subject=CN = unixcop.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4674 bytes and written 408 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: CFDB4E84054B0B5F580C96198CE25DAFE3BD7FE54DC92B03B6C4482D324D1D43
    Session-ID-ctx:
    Master-Key: 825683C91BB0D2EA44E38C57446D5B9896CFB7B23CD5E5F3CCD070C09A56E5B00655BC686D31E4954A7D889EF21D2083
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 98 a5 75 00 cb 44 c0 4d-ce 6f c2 1e b1 b9 6e 48   ..u..D.M.o....nH
    0010 - 25 69 11 0d 46 d0 e5 c5-e5 1e 1e 45 1d 06 8a cf   %i..F......E....
    0020 - 56 5c 4c 30 37 f6 7a a3-56 5d 5c 75 a0 d2 7f 71   V\L07.z.V]\u...q
    0030 - 53 b1 f7 a1 41 3e 95 01-12 95 30 05 cc 30 a0 f1   S...A>....0..0..
    0040 - 7e b7 44 14 3c c2 8e 77-66 48 bc a7 b1 f5 96 62   ~.D.<..wfH.....b
    0050 - ce 1b 9c 35 e8 17 fc 61-4b 7b a3 60 d7 b8 bd 76   ...5...aK{.`...v
    0060 - dc 54 71 95 3a 4d 7f 13-07 bd 4c 20 95 7a c5 a5   .Tq.:M....L .z..
    0070 - 84 42 56 aa 7b 02 22 59-56 3a 11 3d 5f ee e5 1a   .BV.{."YV:.=_...
    0080 - 7d 80 c1 1a 7b 74 56 cd-89 cf 2e 7f 5a fd 2f 81   }...{tV.....Z./.
    0090 - 0a 8e 14 88 14 be ae 4b-3d 03 83 49 d8 c9 a0 cc   .......K=..I....
    00a0 - ac 0b 07 ff 06 4e 8e cc-8b a4 48 b2 03 10 30 29   .....N....H...0)
    00b0 - 56 9f f5 ca fa ca 80 75-a5 fd 61 1a 9a 2d 17 40   V......u..a..-.@

    Start Time: 1633592990
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
closed

OpenSSL: Check SSL Certificate Expiration Date

So Please run the command to see the expiration in one command

echo| openssl s_client -connect www.google.com:443 2> /dev/null | openssl x509 -noout -dates
notBefore=Sep 13 04:07:13 2021 GMT
notAfter=Nov 20 04:07:12 2021 GMT

Find the SSL Certificate issuer

echo | openssl s_client -connect www.unixcop.com:443 2> /dev/null| openssl x509 -noout -issuer

Find whom the SSL certificate is issued to

echo| openssl s_client -connect www.unixcop.com:443 2> /dev/null | openssl x509 -noout -subject

Get above things at once.

echo | openssl s_client -connect www.unixcop.com:443  2> /dev/null | openssl x509 -noout -issuer -subject -dates

Show the SHA1 fingerprint of the SSL certificate

echo|openssl s_client -connect www.unixcop.com:443 2>/dev/null|openssl x509 -noout -fingerprint
SHA1 Fingerprint=94:D8:81:F7:97:AD:31:F9:BB:56:74:F8:A1:1B:97:50:64:1F:F5:85

Extract all information from the SSL certificate

echo|openssl s_client -connect www.unixcop.com:443 2>/dev/null|openssl x509  -noout -text

Show the SSL certificate itself 

echo|openssl s_client -connect www.unixcop.com:443 2>/dev/null|openssl x509

In addition to here are the most used options with openssl you can see things with man openssl



Option

Description
-textPrints out the certificate in text form.
-nooutPrevents output of the encoded version of the request.
-subjectOutputs the name.
-issuerOutputs the issuer name.
-datesPrints out the start and expiry dates of a certificate.
-fingerprintPrints out the digest of the DER encoded version of the whole certificate.

Everything Linux, A.I, IT News, DataOps, Open Source and more delivered right to you.
Subscribe
"The best Linux newsletter on the web"
Mel
Melhttps://unixcop.com
Unix/Linux Guru and FOSS supporter

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest articles

Join us on Facebook