Check TLS certificate dates on the command line

I’ve recently started rolling out encrypted connections for the services I run for myself and other people, such as IMAP, SMTP and HTTP. I’m using LetsEncrypt for free automated certificates which work in all major browsers, which works great — they even send you reminders when your certificates are due to expire. Sometimes though I want to check the expiry date of an arbitrary certificate on a given host and port.

Assuming you have OpenSSL installed, this is easy:

openssl s_client -connect host:port | openssl x509 -noout -dates

You’ll see the start and expiry dates in the output like so:

notBefore=Mar 30 16:51:00 2016 GMT
notAfter=Jun 28 16:51:00 2016 GMT

If you’re connecting to a service which uses the STARTTLS extension (or ‘opportunistic TLS’), such as SMTP, you’ll need to add the following arguments to the first openssl command:

-starttls service

So to check an SMTP service at, you would run:

openssl s_client -connect -starttls smtp | openssl x509 -noout -dates



No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.