Keeping track of your SSL/TLS certificates is vital for website security and user trust. An expired or misconfigured certificate can lead to browser warnings, blocked access, and lost visitors. Fortunately, OpenSSL, a versatile command-line toolkit, makes it easy to check certificate validity, expiration dates, and key details without relying on third-party tools.
In this guide, we’ll walk you through the essentials of verifying SSL certificates with OpenSSL.
Why Use OpenSSL for SSL Certificate Checks?
- No browser dependency – Test certificates directly from your server.
- Fast troubleshooting – Quickly confirm expiry dates or chain issues.
- Supports multiple protocols – From HTTPS to mail servers (SMTP, IMAP, POP3).
- Lightweight – Runs in almost every Linux/Unix system by default.
Whether you’re a sysadmin, developer, or site owner, these checks help prevent downtime and maintain security.
Prerequisites
Before you begin, make sure you have:
- Terminal access (SSH for remote servers).
- OpenSSL is installed (most Linux and macOS systems include it by default).
- A domain name or server IP address.
On Windows, you can use OpenSSL via WSL (Windows Subsystem for Linux) or third-party builds.
Step 1: Check SSL Certificate Expiry Date
The most common check is ensuring your certificate hasn’t expired.
Run:
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
Sample output:
notBefore=Mar 10 00:00:00 2023 GMT
notAfter=Mar 10 23:59:59 2024 GMT
Here:
notBefore → when the certificate became valid.
notAfter → the expiration date.
Step 2: View SSL Certificate Issuer and Subject
To see who issued the certificate and which domain it covers:
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer -subject
Output example:
issuer= C=US, O=Let's Encrypt, CN=R3
subject= CN=example.com
This confirms both the certificate’s authority and its common name.
Step 3: Verify SAN (Subject Alternative Names)
Most modern certificates secure multiple domains/subdomains. To list them:
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -ext subjectAltName
You’ll see entries like:
DNS:example.com, DNS:www.example.com, DNS:blog.example.com
This helps ensure all required domains are covered.
Step 4: Test Specific TLS Versions
Want to confirm your server supports a certain TLS version? Use flags:
openssl s_client -connect example.com:443 -tls1_2
openssl s_client -connect example.com:443 -tls1_3
If the handshake succeeds, the version is supported. If not, you’ll see connection errors.
Step 5: Troubleshoot Mail Server Certificates (Optional)
You can also test mail servers (useful for SMTP, IMAP, or POP3):
SMTP with STARTTLS (port 587):
openssl s_client -starttls smtp -connect mail.example.com:587
IMAP with STARTTLS (port 143):
openssl s_client -starttls imap -connect mail.example.com:143
This verifies that your mail server properly upgrades to a secure connection.
CONCLUSION
OpenSSL may look intimidating at first, but it’s one of the simplest and most reliable ways to validate SSL certificates from the command line. By running just a few commands, you can confirm expiry dates, supported TLS versions, and SAN coverage,helping you stay ahead of potential downtime or browser security warnings.
If you need any assistance with SSL validation, configuration, or server security, you can hire our expert server administrators. You’re also welcome to reach out to our support team anytime; we’re always here to help.
