Checking HTTPS (SSL) Certificate Expiry with OpenSSL CLI

Introduction

In the world of web security, SSL/TLS certificates play a crucial role in ensuring secure communication between clients and servers. An expired SSL/TLS certificate can disrupt services and undermine the trustworthiness of a website. Hence, monitoring the validity of these certificates is essential. One effective way to check SSL certificate expiry is by using the OpenSSL command-line utility. OpenSSL is a robust toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, and it provides a comprehensive set of tools for managing and interacting with cryptographic systems. In this article, we’ll explore how to use OpenSSL to check the expiry date of an SSL certificate from a given domain name.

Using OpenSSL to Check SSL Certificate Expiry

To check the expiration date of an SSL certificate for a specific domain, you can use the `s_client` and `x509` commands provided by OpenSSL. Here’s a step-by-step guide:

1. Open a Terminal

First, ensure that you have OpenSSL installed on your system. Most Unix-based systems come with OpenSSL pre-installed. If it’s not installed, you can install it using your package manager.

2. Check the SSL Certificate

You can check the certificate details, including the expiration date, by running the following command:

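echo | openssl s_client -connect domainName:443 -servername domainName 2>/dev/null | openssl x509 -noout -dates

Replace both occurrences of `domainName` with the domain name you want to check. Let’s break down what this command does:

– `echo |`: Sends an empty input to `s_client`, so it exits after the handshake instead of waiting for input.
– `openssl s_client -connect domainName:443 -servername domainName`: Connects to the specified domain on port 443 (the default port for HTTPS) and performs an SSL/TLS handshake. `-servername` sets the SNI host name, so a server that hosts several sites returns the certificate for the one you asked about.
– `2>/dev/null`: Suppresses error messages and the diagnostics that `s_client` writes to stderr. Connection failures are hidden as well, so if no dates are printed, no certificate was retrieved.
– `| openssl x509 -noout -dates`: Pipes the certificate to the `x509` command, which extracts and displays the certificate’s validity dates without additional output.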

3. Interpreting the Output

The output will contain two lines:

notBefore=MMM DD HH:MM:SS YYYY GMT
notAfter=MMM DD HH:MM:SS YYYY GMT

– `notBefore`: The date and time when the certificate becomes valid.
– `notAfter`: The expiration date and time of the certificate.

For example:

notBefore=May  1 12:00:00 2023 GMT
notAfter=May  1 12:00:00 2024 GMT

This output indicates that the certificate is valid from May 1, 2023, to May 1, 2024.
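
As an added example (not from the article or its repository), the script below turns the `notAfter` line into a monitoring check with a warning threshold and exit codes, and handles the case where no certificate was retrieved. It assumes GNU `date`; the function names `not_after`, `expiry_status` and `check_host` and the 30-day default are illustrative.

```sh
#!/bin/sh
# Added example, not the article's code. Assumes GNU date (`date -d`).

# Read `openssl x509 -noout -dates` output on stdin, print the notAfter value.
not_after() {
    sed -n 's/^notAfter=//p'
}

# expiry_status "<notAfter value>" <warn_days> [now_epoch]
# Prints "<STATUS> <days>" and returns 0 (OK), 1 (WARNING), 2 (EXPIRED)
# or 3 (UNKNOWN: no date or unparsable date).
expiry_status() {
    # Reject an empty value first: GNU `date -d ""` succeeds and returns
    # midnight today, which would hide a failed connection.
    if [ -z "$1" ]; then echo "UNKNOWN no-certificate"; return 3; fi
    es_end=$(date -u -d "$1" +%s 2>/dev/null) || { echo "UNKNOWN bad-date"; return 3; }
    es_now=${3:-$(date -u +%s)}
    es_left=$(( es_end - es_now ))
    if [ "$es_left" -le 0 ]; then
        echo "EXPIRED $(( -es_left / 86400 ))"; return 2   # days since expiry
    elif [ "$es_left" -lt $(( $2 * 86400 )) ]; then
        echo "WARNING $(( es_left / 86400 ))"; return 1    # days remaining
    fi
    echo "OK $(( es_left / 86400 ))"
}

# check_host <host> [warn_days]: the article's pipeline plus the check above.
check_host() {
    ch_dates=$(echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
        openssl x509 -noout -dates 2>/dev/null) || ch_dates=
    expiry_status "$(printf '%s\n' "$ch_dates" | not_after)" "${2:-30}"
}

# Constructed sample of `openssl x509 -noout -dates` output.
SAMPLE='notBefore=May  1 12:00:00 2023 GMT
notAfter=May  1 12:00:00 2024 GMT'
```

Call `check_host <host> 30` from cron or a CI job and alert on a non-zero exit status.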

Source Code and GitHub Action

The source code for this is already available in a public GitHub repository for reuse. I’ve also created a GitHub Actions workflow, so you can test the code, fork it and reuse it. The summary report will look something like the example output below.

[Image: sslcheck-output]

Conclusion

Monitoring SSL/TLS certificate expiration is a vital practice for maintaining the security and reliability of web services. The OpenSSL CLI provides a straightforward method for checking certificate details, including expiration dates. By regularly verifying the status of your certificates, you can ensure uninterrupted service and maintain the trust of your users. Remember to renew your certificates before they expire to avoid potential security risks and disruptions. Whether you’re managing a small personal website or a large-scale web application, tools like OpenSSL are indispensable for web security maintenance.


