How to check the expiration date of a certificate using openssl command/option explanation

Hello. I am a member of the Beyond System Solutions Department.
This Beyond Blog that you are viewing is using HTTPS.
Over the past ten years, HTTPS has become widespread, and the number of HTTP sites has decreased considerably.

At present, the "SSL certificate" needed for HTTPS is generally renewed every year, so regular renewal work is required, and at that point you check the certificate's validity period.
I think many people use a browser for that check.

However, some people check from the command line instead, either because they don't trust what the browser shows, or because the site is still under development and the port is not open to the outside.
Because this is only an occasional task, a certain problem comes up when you go looking for commands you rarely use:

"The command and its options differ slightly from person to person. What are the differences?"
"Even when I read the man page, there are so many options that I don't understand it."

For such people, I would like to explain the meaning and usage of the options that are often used with the openssl command when checking SSL certificates.


Execution environment

・OS: AlmaLinux8 (WSL2 environment)
・Shell: bash
・OpenSSL: OpenSSL 1.1.1k FIPS 25 Mar 2021

Check “locally” or “remotely” using openssl command

The openssl command is developed and published by the OpenSSL project, and is available by default in most mainstream Linux distributions.
It can do a great many things, but this time we use it only to check the expiration date of an SSL certificate.

There are two ways to check with this command: "check the SSL certificate locally" (read the certificate file on the server) and "check the SSL certificate remotely" (connect to the server from outside and read what it presents).
First, I will explain the former, local.

local environment

Here are the commands I often use when checking in the local environment.
The openssl command is used to read the locally stored certificate and display the common name, valid start date, and expiration date.

$ openssl x509 -noout -subject -dates -in /etc/pki/tls/certs/example.crt
*Output sample
subject=CN = example.com            *Common name (≒ domain name)
notBefore=Mar 31 04:42:17 2022 GMT  *Valid start date
notAfter=May 2 04:42:16 2023 GMT    *Expiration date

x509

When dealing with SSL certificates, use the subcommand "x509" in the "openssl" command.

*"X.509" is the name of the standard format for public key certificates, so it may be easier to remember if you associate it with it.

-in

When running in a local environment, you need to specify the name of the certificate to load, so use this option.

-subject

This option outputs the subject field (where the common name is written) from the imported certificate.

-dates

This option outputs the validity start date and expiration date from the imported certificate.

-noout

This option "prevents output of anything other than what the other options request."
Without it, the PEM-encoded certificate that the command loaded is also printed, like the block below. (It is Base64-encoded, not encrypted, but it is not readable by eye.)

-----BEGIN CERTIFICATE-----
MIIGMjCCBRqgAwIBAgIMMGPvI3CXFUjGngZcMA0GCSqGSIb3DQEBCwUAMEwxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSIwIAYDVQQDExlB
~The following dozens of lines are omitted~
-----END CERTIFICATE-----

As an aside, there is also a -nocert option that is limited to not displaying the contents of the certificate.

remote environment

Here is the command I often use when checking remotely.
openssl s_client connects to the target host and receives its certificate; the certificate is then passed to openssl x509 to display the common name, validity start date, and expiration date.

$ openssl s_client -connect beyondjapan.com:443 < /dev/null 2> /dev/null | openssl x509 -noout -subject -dates
*Actual output
subject=CN = beyondjapan.com
notBefore=Mar 31 04:42:17 2022 GMT
notAfter=May 2 04:42:16 2023 GMT

s_client

This subcommand provides the client side of an SSL/TLS connection: it connects to a server, performs the handshake and prints what it received, including the server's certificate.

-connect host:port

This is the remote counterpart of -in: instead of a file, it names the host and port to connect to.
*Here we use 443 (HTTPS), but you can give any port that speaks TLS directly, for example 465 (SMTPS) or 993 (IMAPS), to check that service's certificate. For ports that start in plaintext and upgrade with STARTTLS (such as SMTP on 25 or 587), add -starttls smtp as well. If one address hosts several names, also add -servername host so the server returns the certificate for that name (SNI); otherwise you may be shown a default certificate.

< /dev/null

After connecting, "openssl s_client" waits on standard input for data to send to the server. Giving it /dev/null as standard input means it reads end-of-file immediately, finishes once the handshake is done, and exits.
Without this you would have to end the command with ctrl+c, so I use it.
*This is not an openssl option but a standard input redirection of the shell (bash in this environment).

2> /dev/null

This sends standard error (file descriptor 2) to /dev/null so that it is not shown in the shell.
s_client writes its progress and certificate verification messages (depth=..., verify return:...) to standard error, and they are noise when you only want the dates, so this discards them. Note that it also hides verification errors such as an untrusted chain, so this command tells you the dates, not whether the certificate is trusted.
*This is not an openssl option but a standard error redirection of the shell (bash in this environment).

| openssl x509 -noout -subject -dates

Use "|" (pipe) to hand the certificate received over the connection to the command that reads it.
The command after the pipe is almost the same as in the local case, but since the certificate arrives on the pipe, the -in option is not used.
*When -in is not given, x509 reads from standard input. It looks for the -----BEGIN CERTIFICATE----- block, so the other text s_client prints on standard output (chain summary, session details) is ignored, and only the first certificate, the server's own, is parsed.
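The local check above and the remote pipeline, wrapped into reusable shell functions, as an added example that is not code from the original post. It generates a throwaway self-signed certificate (constructed test data, CN example.test) so the local part runs offline, reads the subject and dates with the same x509 options, and adds what a renewal script actually needs: the number of days left (parsed with GNU date -d, an assumption) and an expiry-window check built on x509 -checkend. The remote function only adds -servername to the post's command and needs network access, so it is defined but not run.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a self-signed certificate
# (constructed test data) so the checks run offline, then inspects it.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_cert DAYS: write a self-signed cert valid for DAYS days, print its path.
# Key, cert and the CN "example.test" are constructed for this example only.
make_cert() {
    days="$1"
    out="$WORK/cert_${days}.pem"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=example.test" \
        -keyout "$WORK/key_${days}.pem" -out "$out" >/dev/null 2>&1
    printf '%s\n' "$out"
}

# cert_cn FILE: subject in RFC 2253 form (e.g. CN=example.test), prefix stripped.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//'
}

# cert_dates FILE: the local check from the post (notBefore/notAfter lines).
cert_dates() {
    openssl x509 -noout -dates -in "$1"
}

# days_left FILE: whole days until notAfter. Assumes GNU date, whose -d parses
# the "Mar 31 04:42:17 2022 GMT" format that -enddate prints.
days_left() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    end_epoch=$(date -u -d "$end" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# expires_within FILE DAYS: succeed (exit 0) if the certificate expires within
# DAYS days or has already expired. -checkend takes seconds and exits 0 only
# while the certificate stays valid past that point, so the result is inverted.
expires_within() {
    secs=$(( $2 * 86400 ))
    if openssl x509 -noout -checkend "$secs" -in "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# remote_cert_dates HOST PORT: the remote pipeline from the post, plus
# -servername so a server hosting several names returns the right certificate
# (SNI). Needs network access, so it is not called below.
remote_cert_dates() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
}

# Local demonstration on a certificate valid for 365 days.
main() {
    cert=$(make_cert 365)
    cert_cn "$cert"
    cert_dates "$cert"
    echo "days left: $(days_left "$cert")"
    if expires_within "$cert" 30; then
        echo "WARNING: expires within 30 days"
    else
        echo "OK: more than 30 days left"
    fi
}

main "$@"
```

The threshold check is the piece worth keeping: cron it against /etc/pki/tls/certs/*.crt with a 30-day window and you get a warning before the browser does. For the remote variant, remember that discarding stderr also discards verification failures, so pair it with the verification check from the next article when trust matters.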

Commands and options used by others

command

echo | openssl s_client -connect ~

When checking remotely I used < /dev/null to stop s_client from waiting for input, but echo does the same job: it writes a single newline to s_client's standard input and then exits, which closes the pipe, so s_client sends that newline and finishes on end-of-file.
The intent is the same as < /dev/null.

~ | openssl x509 -text | grep "Not"

The -text option decodes the whole certificate and prints it as text.
This includes everything that the other options display individually, so it is used when you want to see all of the contents.
The output is piped to grep, which prints only the lines containing "Not".

$ openssl s_client -connect beyondjapan.com:443 < /dev/null 2> /dev/null | openssl x509 -text | grep "Not"
            Not Before: Mar 31 04:42:17 2022 GMT
            Not After : May  2 04:42:16 2023 GMT

This outputs the validity start date and expiry date lines.
The command is long but simple, so I think it is easy to understand for anyone who knows the commands.

However, relying on grep when dedicated options exist means I don't look into the options much, and my understanding of the openssl command doesn't progress, so I decided to use the first command I suggested.
Also, if you try to output the domain name (common name) this way, the regular expression grep needs makes the command much harder to read, which is a problem.

option

-enddate

This option displays only the expiration date of the loaded certificate.
There is also -startdate, which similarly displays only the validity start date, but
since -dates outputs both at once, I think -dates is fine if you have no particular reason to separate them.

-text

As explained above, this is an option to display the certificate in text format.
The output includes all setting information such as public key, signature algorithm, issuer, subject name, expiration date, etc.

Patterns without -noout

In this case the PEM-encoded certificate that the command read is printed as is, followed by the expiration date and whatever else was requested.
Honestly, you cannot read anything from the encoded certificate, so the output is easier to see with -noout attached.
One possible advantage is that the word "CERTIFICATE" appears in the output, which makes it clear that a certificate is being examined.

Pattern without < /dev/null 2> /dev/null

This assumes you end the command with ctrl+c; it is easier to type by hand and easier to read at a glance, so I think that was the intention.
I feel like this is my preference, but
I like the pattern because there are times

lastly

As I was writing this article, I was reminded that the openssl command can do a lot of things, and it also has a lot of options, so it can be very confusing.
This is only a small part of what can be done, and the field of encryption and authentication methods, which are the core technologies, is itself extremely logical and profound.
I hope that by reading this article, you will be able to clear up any reluctance or doubts you may have about the openssl command!

Thank you for reading this far.

Next article

Below is an explanation of how to check the "consistency/verification results", which are often checked together with the "expiration date".

How to check certificate integrity and verification results with openssl command/option explanation


About the author

inside
Joined Beyond mid-career in 2022; belongs to the System Solutions Department.
I have LPIC-3 304 and AWS SAA.
I only have three choices for regular drinks: milk, cola, and black tea.