How to check SSL certificate expiration - Rocketeers app [ Rocketeers ](/) [Login](https://rocketeersapp.com/login) On this page Knowledge --------- How to check SSL certificate expiration ======================================= ### [\#Security](https://rocketeersapp.com/knowledge/security) Here is how to check when an SSL certificate expires, both for a live website and for a certificate file on disk, using openssl from the command line. Published by [Mark van Eijk](https://rocketeersapp.com/author/mark-van-eijk) on June 23, 2026 · 1 minute read 1. [Check a live website](#content-check-a-live-website) 2. [Check a certificate file on disk](#content-check-a-certificate-file-on-disk) 3. [Check whether it expires within N days](#content-check-whether-it-expires-within-n-days) An expired certificate takes a site down hard — every visitor sees [your connection is not private](/your-connection-is-not-private). Checking the expiry date takes one command. [\#](#content-check-a-live-website "Permalink")Check a live website ------------------------------------------------------------------- Connect to the site and read the validity dates straight from the certificate it serves: ``` echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null \ | openssl x509 -noout -dates ``` You'll get the start and end of the validity window: ``` notBefore=Mar 1 00:00:00 2026 GMT notAfter=May 30 23:59:59 2026 GMT ``` To see only the expiry date, swap `-dates` for `-enddate`: ``` echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null \ | openssl x509 -noout -enddate ``` [\#](#content-check-a-certificate-file-on-disk "Permalink")Check a certificate file on disk ------------------------------------------------------------------------------------------- If you have the certificate as a local file: ``` openssl x509 -in certificate.pem -noout -enddate ``` This works on any PEM or CRT file. For other formats, see [converting certificate formats](/convert-ssl-certificate-formats) first. [\#](#content-check-whether-it-expires-within-n-days "Permalink")Check whether it expires within N days ------------------------------------------------------------------------------------------------------- The `-checkend` flag is built for scripts and monitoring. It takes a number of seconds and exits non-zero if the certificate expires within that window. This checks for the next 30 days (30 × 86400 = 2592000 seconds): ``` openssl x509 -in certificate.pem -noout -checkend 2592000 ``` ``` echo $? # 0 = still valid, 1 = expires within 30 days ``` Wire that exit code into a cron job or a monitoring check and you'll get warned before a certificate ever lapses. If your certificate is valid but the connection still fails, the cause is often a [missing certificate chain](/what-is-an-ssl-certificate-chain) rather than the expiry date. ### Subscribe to our newsletter Do you want to receive regular updates with fresh and exclusive content to learn more about web development, hosting, security and performance? Subscribe now! Fill in your email address to receive updates Subscribe #### More in [\#Security](https://rocketeersapp.com/knowledge/security) - [How to extract the certificate from a PFX file](https://rocketeersapp.com/knowledge/extract-certificate-from-pfx-file) - [How to extract private key from PFX file](https://rocketeersapp.com/knowledge/extract-private-key-from-pfx-file) - [How to optimize web application security](https://rocketeersapp.com/knowledge/optimize-web-application-security) - [How to get A+ grade SSL using Cloudflare](https://rocketeersapp.com/knowledge/a-plus-grade-ssl-using-cloudflare) - [How to setup OpenClaw securely on your own VPS](https://rocketeersapp.com/knowledge/setup-openclaw-vps-securely) - [How to generate a CSR with OpenSSL](https://rocketeersapp.com/knowledge/generate-csr-with-openssl) [View all 15 articles →](https://rocketeersapp.com/knowledge/security)