Check SSL certificate expiration and other information

openssl is the handest tool to check SSL information and this command is available on most Linux systems. Getting the information is a simple one-line command, invoking openssl twice — one time to connect and the other to parse the certificate and show you the data:

openssl s_client -connect www.google.com:443 | openssl x509 -text

You get the following output when you run the above command

depth=2 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=1 C = ZA, O = Thawte Consulting (Pty) Ltd., CN = Thawte SGC CA
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2f:df:bc:f6:ae:91:52:6d:0f:9a:a3:df:40:34:3e:9a
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte SGC CA
        Validity
            Not Before: Dec 18 00:00:00 2009 GMT
            Not After : Dec 18 23:59:59 2011 GMT
        Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:e8:f9:86:0f:90:fa:86:d7:df:bd:72:26:b6:d7:
                    44:02:83:78:73:d9:02:28:ef:88:45:39:fb:10:e8:
                    7c:ae:a9:38:d5:75:c6:38:eb:0a:15:07:9b:83:e8:
                    cd:82:d5:e3:f7:15:68:45:a1:0b:19:85:bc:e2:ef:
                    84:e7:dd:f2:d7:b8:98:c2:a1:bb:b5:c1:51:df:d4:
                    83:02:a7:3d:06:42:5b:e1:22:c3:de:6b:85:5f:1c:
                    d6:da:4e:8b:d3:9b:ee:b9:67:22:2a:1d:11:ef:79:
                    a4:b3:37:8a:f4:fe:18:fd:bc:f9:46:23:50:97:f3:
                    ac:fc:24:46:2b:5c:3b:b7:45
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.thawte.com/ThawteSGCCA.crl

            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.thawte.com
                CA Issuers - URI:http://www.thawte.com/repository/Thawte_SGC_CA.crt

    Signature Algorithm: sha1WithRSAEncryption
        9f:43:cf:5b:c4:50:29:b1:bf:e2:b0:9a:ff:6a:21:1d:2d:12:
        c3:2c:4e:5a:f9:12:e2:ce:b9:82:52:2d:e7:1d:7e:1a:76:96:
        90:79:d1:24:52:38:79:bb:63:8d:80:97:7c:23:20:0f:91:4d:
        16:b9:ea:ee:f4:6d:89:ca:c6:bd:cc:24:68:d6:43:5b:ce:2a:
        58:bf:3c:18:e0:e0:3c:62:cf:96:02:2d:28:47:50:34:e1:27:
        ba:cf:99:d1:50:ff:29:25:c0:36:36:15:33:52:70:be:31:8f:
        9f:e8:7f:e7:11:0c:8d:bf:84:a0:42:1a:80:89:b0:31:58:41:
        07:5f
-----BEGIN CERTIFICATE-----
MIIDITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBM
MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg
THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0wOTEyMTgwMDAwMDBaFw0x
MTEyMTgyMzU5NTlaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHFA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKFApHb29nbGUgSW5jMRcw
FQYDVQQDFA53d3cuZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEA6PmGD5D6htffvXImttdEAoN4c9kCKO+IRTn7EOh8rqk41XXGOOsKFQebg+jN
gtXj9xVoRaELGYW84u+E593y17iYwqG7tcFR39SDAqc9BkJb4SLD3muFXxzW2k6L
05vuuWciKh0R73mkszeK9P4Y/bz5RiNQl/Os/CRGK1w7t0UCAwEAAaOB5zCB5DAM
BgNVHRMBAf8EAjAAMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwudGhhd3Rl
LmNvbS9UaGF3dGVTR0NDQS5jcmwwKAYDVR0lBCEwHwYIKwYBBQUHAwEGCCsGAQUF
BwMCBglghkgBhvhCBAEwcgYIKwYBBQUHAQEEZjBkMCIGCCsGAQUFBzABhhZodHRw
Oi8vb2NzcC50aGF3dGUuY29tMD4GCCsGAQUFBzAChjJodHRwOi8vd3d3LnRoYXd0
ZS5jb20vcmVwb3NpdG9yeS9UaGF3dGVfU0dDX0NBLmNydDANBgkqhkiG9w0BAQUF
AAOBgQCfQ89bxFApsb/isJr/aiEdLRLDLE5a+RLizrmCUi3nHX4adpaQedEkUjh5
u2ONgJd8IyAPkU0Wueru9G2Jysa9zCRo1kNbzipYvzwY4OA8Ys+WAi0oR1A04Se6
z5nRUP8pJcA2NhUzUnC+MY+f6H/nEQyNv4SgQhqAibAxWEEHXw==
-----END CERTIFICATE-----

If you are looking for the expiry date of the SSL you need to look for the “Validity” section:

Validity
            Not Before: Dec 18 00:00:00 2009 GMT
            Not After : Dec 18 23:59:59 2011 GMT

Note

If you want to check the following services, the TCP ports are:
pop3s 995
imaps 993
smtps 465
ldaps 636

So, for example, to check an imap server specify the “connect” above as imap.gmail.com:993

Check SSL certificate expiration and other information

openssl s_client -connect www.google.com:443 | openssl x509 -text

Note

Related Posts

File download in i.e. over https

Upgrading PHP on a windows plesk server

How to configure Microsoft IIS to not accept SSLv2 connections

PCI Scan – Plesk PHP easter egg issue

SSL certs for POP3, IMAP and SMTP on Plesk

Guide to CSR’s

PCI Compliance Expect Header Cross-Site Scripting Vulnerability (8443, plesk)

VeriSign SSL Certificate Installation Checker

Firefox 3.5 I’m not getting add exception option on SSL’s

PCI Compliance for Plesk (linux)

Search

Links

Tag Cloud

Categories

Password Generator

Popular Posts

My Sites

Friends Sites