Find out when SSL expires from a PEM file.
$ openssl x509 -enddate -noout -in your.cert notAfter=Jan 5 07:08:14 2032 GMT |
notAfter date is returned.
cloud engineer
Find out when SSL expires from a PEM file.
$ openssl x509 -enddate -noout -in your.cert notAfter=Jan 5 07:08:14 2032 GMT |
$ openssl x509 -enddate -noout -in your.cert notAfter=Jan 5 07:08:14 2032 GMT
notAfter date is returned.
Here’s the openssl command to find out if a cert is expired.
$ openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2> /dev/null | openssl x509 -noout -dates |
$ openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2> /dev/null | openssl x509 -noout -dates
Result
notBefore=Apr 9 00:00:00 2020 GMT notAfter=Apr 9 23:59:59 2022 GMT |
notBefore=Apr 9 00:00:00 2020 GMT notAfter=Apr 9 23:59:59 2022 GMT
Here’s how to upgrade to OpenSSL 1.1 on Redhat/Centos.
# check openssl version yum info openssl # download and install cd /usr/local/src wget https://www.openssl.org/source/openssl-1.0.2-latest.tar.gz tar -zxf openssl-1.0.2-latest.tar.gz # compile cd openssl-1.0.2a ./config make make test make install # update softlink mv /usr/bin/openssl /root/ ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl # verify new version openssl version |
# check openssl version yum info openssl # download and install cd /usr/local/src wget https://www.openssl.org/source/openssl-1.0.2-latest.tar.gz tar -zxf openssl-1.0.2-latest.tar.gz # compile cd openssl-1.0.2a ./config make make test make install # update softlink mv /usr/bin/openssl /root/ ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl # verify new version openssl version
Here’s how to convert SSL certificate from PFX to PEM format.
#!/bin/bash echo "This script converts SSL certificates from PFX to PEM." read -p 'Enter PFX Certificate Name : ' cert_pfx read -p 'Enter the Import Passphrase : ' import_passphrase openssl pkcs12 -in $cert_pfx -nocerts -out cert-key.pem -passin pass:$import_passphrase -passout pass:$import_passphrase openssl pkcs12 -in $cert_pfx -clcerts -nokeys -out cert-body.pem -passin pass:$import_passphrase -passout pass:$import_passphrase openssl pkcs12 -in $cert_pfx -nodes -nokeys -out cert-chain.pem -passin pass:$import_passphrase -passout pass:$import_passphrase sleep 3 openssl rsa -in key.pem -out cert-private.key -passin pass:$import_passphrase -passout pass:$import_passphrase |
#!/bin/bash echo "This script converts SSL certificates from PFX to PEM." read -p 'Enter PFX Certificate Name : ' cert_pfx read -p 'Enter the Import Passphrase : ' import_passphrase openssl pkcs12 -in $cert_pfx -nocerts -out cert-key.pem -passin pass:$import_passphrase -passout pass:$import_passphrase openssl pkcs12 -in $cert_pfx -clcerts -nokeys -out cert-body.pem -passin pass:$import_passphrase -passout pass:$import_passphrase openssl pkcs12 -in $cert_pfx -nodes -nokeys -out cert-chain.pem -passin pass:$import_passphrase -passout pass:$import_passphrase sleep 3 openssl rsa -in key.pem -out cert-private.key -passin pass:$import_passphrase -passout pass:$import_passphrase
This was covered in an earlier post, but this script prompts you for the passphrase.
Here’s the expected output.
It’s not always clear how to find out when your SSL certificate is expiring. Openssl should be able to tell you.
$ openssl x509 -enddate -noout -in certificate.crt |
$ openssl x509 -enddate -noout -in certificate.crt