I’ve recently started rolling out encrypted connections for the services I run for myself and other people, such as IMAP, SMTP and HTTP. I’m using LetsEncrypt for free automated certificates which work in all major browsers, which works great — they even send you reminders when your certificates are due to expire. Sometimes though I want to check the expiry date of an arbitrary certificate on a given host and port.
Assuming you have OpenSSL installed, this is easy:
openssl s_client -connect host:port | openssl x509 -noout -dates
You’ll see the start and expiry dates in the output like so:
notBefore=Mar 30 16:51:00 2016 GMT notAfter=Jun 28 16:51:00 2016 GMT
If you’re connecting to a service which uses the STARTTLS extension (or ‘opportunistic TLS’), such as SMTP, you’ll need to add the following arguments to the first openssl command:
-starttls service
So to check an SMTP service at smtp.example.org, you would run:
openssl s_client -connect smtp.example.org:25 -starttls smtp | openssl x509 -noout -dates