Verify Certificate With OpenSSL

Verify Certificate With OpenSSL

The short answer

To check the expiration date of a PEM certificate and thus verify that it is still valid, you can use the following [.inline-code]openssl x509[.inline-code] command:

 $ openssl x509 -in <cert>  -noout -enddate

Which will write to the standard output the [.inline-code]notAfter[.inline-code] field of the certificate.

For example:

 $ openssl x509 -in mycert.cer -noout -enddate
notAfter=Sep 19 23:59:59 2023 GMT

You can learn more about generating self-signed certificates with our article on how to generate a certificate signing request.

[#easily-recall-with-ai]Easily retrieve this command using Warp’s AI Command Search[#easily-recall-with-ai]

If you’re using Warp as your terminal, you can easily retrieve this command using the Warp AI Command Search feature:

Entering [.inline-code]check certificate expiration openssl[.inline-code] in the AI Command Search will prompt an [.inline-code]openssl[.inline-code] command that can then quickly be inserted into your shell by doing [.inline-code]CMD+ENTER[.inline-code].

[#verify-a-file-certificate]Verifying a file certificate[#verify-a-file-certificate]

To decode and verify an entire certificate, you can use the following command:

 $ openssl x509 -in <cert>  -noout -text


  • [.inline-code]cert[.inline-code] is the path to the file certificate.
  • The [.inline-code]-noout[.inline-code] flag is used to prevent the output of the encoded version of the request.
  • The [.inline-code]-text[.inline-code] flag is used to output the certificate in text form, including its public key, signature algorithms, etc.

For example:

 $ openssl x509 -in /etc/nginx/ssl/cert.pem -noout -text

[#verify-a-website-certificate]Verifying a website’s certificate[#verify-a-website-certificate]

To verify the certificate of a website, you can use the following [.inline-code]openssl s_client[.inline-code] command:

 $ openssl s_client -connect <domain>:443

Which will retrieve the website's certificate identified by [.inline-code]domain[.inline-code] (e.g. [.inline-code]example.com[.inline-code]) and output its details in the terminal window, including its chain, issuer, and other information.

For example:

 $ openssl s_client -connect google.com:443

Once downloaded, you can close the client connection by pressing [.inline-code]CTRL[.inline-code] + [.inline-code]c[.inline-code].

Alternatively, you can use the pipe operator combined with the [.inline-code]openssl x509[.inline-code] command to directly decode and verify the certificate as follows:

 $ openssl s_client -connect <domain>:443 | openssl x509 -noout -text

Note that to save the certificate into a file on your local machine for future processing, you can use the output redirection operator as follows:

 $ openssl s_client -connect <domain>:443 > cert.pem

[#verify-a-certificate-and-key-match]Verifying a certificate and a private key match[#verify-a-certificate-and-key-match]

To verify that a certificate and a private key match, you can compare their modulus by first extracting the modulus of the certificate using the following command:

 $ openssl x509 -noout -modulus -in <certificate>> cert_mod

Then, by extracting the modulus of the private key using the following command:

 $ openssl rsa -noout -modulus -in <private_key> > pkey_mod

Finally, by comparing these two files using the [.inline-code]diff[.inline-code] command:

 $ diff cert_mod pkey_mod

Which will result in no output if the files are identical.

[#verify-a-certificate-chain]Verifying a certificate chain[#verify-a-certificate-chain]

A certificate chain is a series of certificates that are linked together to establish trust and verify the authenticity of a digital certificate.

To verify a certificate chain, you can use the [.inline-code]openssl verify[.inline-code] command as follows:

 $ openssl verify -untrusted <intermediary-certificate> <certificate>


  • The [.inline-code]-untrusted[.inline-code] flag is used to specify the file path of the intermediate certificate.