How to check the certificate expiration date using the openssl command and options

Hello. I'm Naka from the System Solutions Department at Beyond Co., Ltd

The Beyond Blog you are viewing is HTTPS. HTTPS has become widespread over the past decade, and the number of HTTP sites has decreased significantly

Currently, the "SSL certificate" required for HTTPS is generally renewed every year, so regular renewal work is required. Many people check the validity period of the SSL certificate using their browser at that time

However, there are naturally people who want to check from the command line, either because "browsers can't be trusted, so I want to confirm it with a command" or because "I'm still in development and haven't opened any ports to the outside, so I can't check with a browser." When you go looking up commands you only use occasionally, though, a certain problem arises

"Why do the commands and options people use differ slightly? What's the difference?"
"Even if I run man, there are so many options that I don't understand them."

For those of you who are interested, we would like to explain the meaning and usage of options that are commonly used with the openssl command when checking SSL certificates

Execution environment

・OS: AlmaLinux8 (WSL2 environment)
・Shell: bash
・OpenSSL: OpenSSL 1.1.1k FIPS 25 Mar 2021

Check "locally" or "remotely" using the openssl command

The openssl command is developed and published by the OpenSSL project, and is available by default in most mainstream Linux distributions. This command can do a lot of things, but in this case we will use it to check the expiration date of an SSL certificate

Also, when using this command to check, there are two methods: "checking the SSL certificate locally" and "checking the SSL certificate remotely from outside."

First, let me explain the local case

Local environment

Here is the command I often use when checking in a local environment

The openssl command is used to read the locally stored certificate and display the common name, validity start date, and expiration date

$ openssl x509 -noout -subject -dates -in /etc/pki/tls/certs/example.crt
*Output sample
subject=CN = example.com               *Common name (≒ domain name)
notBefore=Mar 31 04:42:17 2022 GMT     *Validity start date
notAfter=May 2 04:42:16 2023 GMT       *Expiration date

x509

When dealing with SSL certificates, use the "x509" subcommand of the "openssl" command

* "X.509" is the name of the standard format for public key certificates, so it may be easier to remember if you associate it with that

-in

When running in a local environment, you need to specify the name of the certificate to load, so use this option

-subject

This option outputs the subject field (where the common name is written) from the loaded certificate

-dates

This option outputs the validity start date and expiration date from the loaded certificate

-noout

This option means "do not output anything other than what is requested by other options." If it is omitted, the raw PEM-encoded certificate that was loaded is also displayed, as shown below

-----BEGIN CERTIFICATE-----
MIIGMjCCBRqgAwIBAgIMMGPvI3CXFUjGngZcMA0GCSqGSIb3DQEBCwUAMEwxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSIwIAYDVQQDExlB
~The following dozens of lines are omitted~
-----END CERTIFICATE-----

As an aside, there is also a -nocert option that hides only the contents of the certificate

Remote Environment

When checking remotely, the command I often use is as follows. I use the openssl s_client command to access the target host, read the certificate from there, and display the common name and validity start and expiration dates

$ openssl s_client -connect beyondjapan.com:443 < /dev/null 2> /dev/null | openssl x509 -noout -subject -dates
*Actual output
subject=CN = beyondjapan.com
notBefore=Mar 31 04:42:17 2022 GMT
notAfter=May 2 04:42:16 2023 GMT

s_client

This is the subcommand that provides the client side of an SSL/TLS connection

-connect host:port

Just like specifying a file using -in locally, this is an option for remote use (specifying the host and port to connect to).
*In this example, 443 (HTTPS) is used, but it can also be used to specify a port such as SMTP to check SSL/TLS connections.

< /dev/null

The "openssl s_client" command waits for input after connecting to the specified destination, so we feed it nothing (/dev/null) on standard input to end that wait. Without this, you would have to terminate the command with ctrl+c every time, which is a hassle

*This is not an option but a specification regarding the standard input of the shell (bash in this environment)

2> /dev/null

This redirects the standard error output (file descriptor 2) to nothing (/dev/null) and discards it so that it is not displayed on the shell. Using < /dev/null in the previous step causes unnecessary error messages to be displayed, so this is a measure to eliminate them

*This is not an option but a specification regarding the standard error output of the shell (bash in this environment)

| openssl x509 -noout -subject -dates

Use "|" (pipe) to pass the contents of the SSL certificate received via communication to the command that reads it. The command after the pipe is almost the same as when using local mode, but since the certificate is received via a pipe, the -in option to specify the certificate to read is not used

*If the -in option is not specified, the specification of this command (x509) is to process the content passed on standard input
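To tie the local and remote commands above together, here is an added example (my own script, not code from the original article or from the OpenSSL project) that wraps both into shell functions and adds the one thing people usually want on top of the dates: how many days are left. It assumes a POSIX shell, GNU date (for date -d) and openssl on PATH. The certificate it reads is a constructed self-signed one generated at the top so the whole thing runs offline; the days-left arithmetic and the x509 -checkend option (an option of openssl x509 not covered in the article, which compares the expiration date inside openssl itself) are the parts the article's commands do not show.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes: a POSIX shell,
# GNU date (for "date -d"), and openssl on PATH. The certificate below is
# a constructed self-signed one so everything runs offline.
set -eu

WORKDIR=$(mktemp -d)

# Constructed sample: self-signed certificate valid for 30 days, CN=example.test
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example.test" \
    -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" 2>/dev/null

# Print only the common name of the PEM certificate on standard input.
# (-noout -subject prints "subject=CN = example.test"; sed keeps the CN value.)
cert_cn() {
    openssl x509 -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Print the notAfter date of the PEM certificate on standard input, e.g.
# "May  2 04:42:16 2023 GMT" (-enddate is the single-date form of -dates).
cert_not_after() {
    openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Whole days until the certificate on standard input expires (negative if expired).
cert_days_left() {
    expiry_epoch=$(date -d "$(cert_not_after)" +%s)
    now_epoch=$(date +%s)
    echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# Return 0 if the certificate FILE expires within SECONDS, 1 otherwise.
# x509 -checkend exits non-zero when the certificate expires inside the window,
# so the date comparison happens inside openssl rather than in the shell.
cert_expires_within() {
    file=$1; seconds=$2
    if openssl x509 -noout -checkend "$seconds" -in "$file" >/dev/null; then
        return 1   # still valid beyond the window
    fi
    return 0       # expires within the window
}

# Local check (the article's first command), with the days remaining added.
check_local() {
    file=$1
    printf '%s  expires %s  (%s days left)\n' \
        "$(cert_cn < "$file")" "$(cert_not_after < "$file")" "$(cert_days_left < "$file")"
}

# Remote check (the article's second command). -servername sends SNI so that a
# host serving several certificates returns the one for HOST. Needs network
# access, so it is not exercised by the offline run below.
check_remote() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
}

check_local "$WORKDIR/cert.pem"
if cert_expires_within "$WORKDIR/cert.pem" $((30 * 86400)); then
    echo "warning: certificate expires within 30 days, schedule renewal"
fi
```

The functions read the certificate from standard input on purpose: that is exactly why the article's remote pipeline can drop -in, and it lets the same parsing code serve both the file and the s_client output. -servername is worth keeping in the remote check; without SNI a server that hosts several names may hand back a default certificate and you end up checking the wrong expiration date.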

Commands and options that other people use

command

echo | openssl s_client -connect ~

When checking in a remote environment, I used < /dev/null to end the input wait. This pattern uses echo instead: echo with no arguments writes a single newline into the pipe and then closes it, so s_client receives that line followed by end-of-file and stops waiting for input. The intention is the same as < /dev/null

~ | openssl x509 -text | grep "Not"

The -text option decodes the entire contents of the certificate and outputs it as text. This includes all the content that was specified and displayed individually with other options, so it is useful when you want to check the entire contents. The output is then piped to grep to output lines containing "Not"

$ openssl s_client -connect beyondjapan.com:443 < /dev/null 2> /dev/null | openssl x509 -text | grep "Not"
            Not Before: Mar 31 04:42:17 2022 GMT
            Not After : May 2 04:42:16 2023 GMT

This will output the lines for the valid start date and expiration date. Although the command is long, it is simple and should be easy to understand for those who know the basics

However, I feel that relying on grep when there are dedicated options means that you end up not researching the options as much, and your understanding of the openssl command remains stagnant, so I tend to use the command presented first

Additionally, if you also try to pull out the domain name (common name) this way, the command becomes less readable because of the regular expression options you need, which is a problem

option

-enddate

This option displays only the expiration date of the loaded certificate. There is also a -startdate option that displays the valid start date, but the -dates option applies both of these options at the same time, so if you don't have any particular preferences, I think -dates is fine

-text

As explained above, this option displays the certificate in text format. The output contains all the configuration information, such as the public key, signature algorithm, issuer, subject name, validity period, and so on

Patterns without -noout

In this case, the raw PEM-encoded certificate retrieved by the command is displayed as is, followed by the expiration date and other information requested by the options. To be honest, we never look at the encoded certificate itself, so the output is easier to read with -noout left in

The word "CERTIFICATE" will appear in the command output, so it's clear that the certificate is being verified, which may be an advantage

Pattern without < /dev/null 2> /dev/null

This assumes that you will end the command with ctrl+c, and I think the intention is to prioritize ease of typing and readability at a glance. It is probably a matter of preference, but I prefer to include the redirections, because I sometimes type the next command without having ended the previous one, which messes up the output and the logs

Finally

As I write this article, I realize once again that the openssl command can be very confusing because it has a lot of functions and a large number of options

This is only a small part of what can be done, and the underlying technology of encryption and authentication methods is very logical and deep. I hope that reading this article will help to alleviate some of your reservations and doubts about the openssl command!

Thank you for reading this far

Next article

Below we explain how to check the "integrity and verification results," which are often checked together with the "expiration date."

How to check certificate integrity and verification results with the openssl command and options

Reference materials

Official OpenSSL manual page on openssl-x509:
https://www.openssl.org/docs/manmaster/man1/openssl-x509.html

OpenSSL (ArchWiki)
https://wiki.archlinux.jp/index.php/OpenSSL


About the author

Naka

I joined Beyond mid-career and work in the System Solutions Department. I have LPIC-3 304 and AWS SAA certifications.