How to check TLS/SSL expiry using command line (OpenSSL)

If you're responsible for managing websites or servers, it's important to keep track of when your SSL/TLS certificates are going to expire. Failure to renew your certificate before it expires can lead to downtime, security issues, and other problems. Thankfully, it's easy to check the expiry date of your SSL/TLS certificate using the OpenSSL command-line tool.

If you are on Windows

If you use Windows 10 or 11, you need to install OpenSSL. You can download and install the binary from HERE

Once you have it installed, proceed with the next steps

Run OpenSSL to check expiry

Open a terminal or command prompt and run

echo | openssl s_client -servername -connect 2>/dev/null | openssl x509 -noout -subject -issuer -dates

Replace with your domain. Here is an example:

➜  ~ echo | openssl s_client -servername -connect 2>/dev/null | openssl x509 -noout -subject -issuer -dates

subject=C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN =
issuer=C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
notBefore=Jun 27 00:00:00 2022 GMT
notAfter=Jun 26 23:59:59 2023 GMT

Here you can see the issuer, which is cloudflare and the expiry date (notAfter)

This command will connect to the server for the specified domain, retrieve the SSL/TLS certificate, and then display the certificate's subject (which includes the common name), issuer, and expiration date.