Find out when SSL expires from a PEM file.
$ openssl x509 -enddate -noout -in your.cert notAfter=Jan 5 07:08:14 2032 GMT |
notAfter date is returned.
openssl
Check Certificate Expiration
Here’s the openssl command to find out if a cert is expired.
$ openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2> /dev/null | openssl x509 -noout -dates |
Result
notBefore=Apr 9 00:00:00 2020 GMT notAfter=Apr 9 23:59:59 2022 GMT |
OpenSSL Upgrade
Here’s how to upgrade to OpenSSL 1.1 on Redhat/Centos.
# check openssl version yum info openssl # download and install cd /usr/local/src wget https://www.openssl.org/source/openssl-1.0.2-latest.tar.gz tar -zxf openssl-1.0.2-latest.tar.gz # compile cd openssl-1.0.2a ./config make make test make install # update softlink mv /usr/bin/openssl /root/ ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl # verify new version openssl version |
PFX to PEM
Here’s how to convert SSL certificate from PFX to PEM format.
#!/bin/bash echo "This script converts SSL certificates from PFX to PEM." read -p 'Enter PFX Certificate Name : ' cert_pfx read -p 'Enter the Import Passphrase : ' import_passphrase openssl pkcs12 -in $cert_pfx -nocerts -out cert-key.pem -passin pass:$import_passphrase -passout pass:$import_passphrase openssl pkcs12 -in $cert_pfx -clcerts -nokeys -out cert-body.pem -passin pass:$import_passphrase -passout pass:$import_passphrase openssl pkcs12 -in $cert_pfx -nodes -nokeys -out cert-chain.pem -passin pass:$import_passphrase -passout pass:$import_passphrase sleep 3 openssl rsa -in key.pem -out cert-private.key -passin pass:$import_passphrase -passout pass:$import_passphrase |
This was covered in an earlier post, but this script prompts you for the passphrase.
Here’s the expected output.
- cert-key.pem
- cert-body.pem
- cert-chain.pem
- cert-private.key
SSL Expiry
It’s not always clear how to find out when your SSL certificate is expiring. Openssl should be able to tell you.
$ openssl x509 -enddate -noout -in certificate.crt |