If you need to check an SSL certificate with OpenSSL, the fastest path is to connect to the live HTTPS server with openssl s_client, then pipe the returned certificate into openssl x509 so you can read the expiration date, issuer, subject, and hostname-related fields.
For a quick browser-free check, you can also use the free SSL certificate checker and then save important domains for daily monitoring.
PulseSSL maintains this guide as a practical SSL operations reference. Command behavior is cross-checked against the official OpenSSL manual pages for openssl s_client and openssl x509.
The fastest OpenSSL command for a live website
Use this command when you want to check the certificate currently served by a public HTTPS hostname:
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates -issuer -subject
Replace example.com with the hostname you want to check.
This command does three things:
- openssl s_client opens a TLS connection to the live server.
- -servername example.com sends SNI, which matters when one IP address hosts multiple HTTPS sites.
- openssl x509 -noout -dates -issuer -subject prints the certificate fields most teams need first.
Typical output looks like this:
notBefore=Jun 1 00:00:00 2026 GMT
notAfter=Aug 30 23:59:59 2026 GMT
issuer=C = US, O = Let's Encrypt, CN = R11
subject=CN = example.com
notAfter is the SSL certificate expiration date. If you only need that value, use the shorter command in the next section.
When to use command-line checks vs an online SSL checker
Command-line checks are useful when you are already in a terminal, debugging a server, or writing an operational runbook. An online checker is faster when you just need to verify what a public website is serving right now.
| Task | Use terminal commands when | Use PulseSSL when |
|---|---|---|
| Check a live certificate | You are debugging from a server or local terminal | You want a quick result without installing anything |
| Check expiration date | You need raw notAfter output | You want expiration date, days remaining, issuer, and hostname coverage together |
| Verify issuer or subject | You are comparing expected certificate metadata | You want a readable snapshot for a production or client domain |
| Keep checking later | You are building your own script | You want daily SSL certificate expiration monitoring and email reminders |
Use the free SSL certificate checker for a one-time result, or use PulseSSL for SSL certificate expiration monitoring when the domain needs ongoing visibility.
Check a live website's SSL certificate with OpenSSL
For HTTPS websites, the standard port is 443. The basic live-server command is:
echo | openssl s_client -servername example.com -connect example.com:443
That prints a lot of handshake and certificate data. To make the output easier to read, pipe the certificate into openssl x509:
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -text
Use this when you need full certificate details such as serial number, signature algorithm, public key information, validity dates, issuer, subject, and extensions.
The -servername flag is important. Without it, some servers may return a default certificate for the IP address rather than the certificate for the hostname you intended to check.
Check SSL certificate expiration date with OpenSSL
To check the SSL certificate expiration date with OpenSSL, print only the notAfter field:
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate
Example output:
notAfter=Aug 30 23:59:59 2026 GMT
To show both the start date and expiration date:
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
The official x509 manual documents -enddate as the option that prints the certificate expiry date, and -dates as the option that prints both start and expiry dates.
If you want a readable online result instead, use the SSL certificate expiration date checker. It shows expiration date and days remaining without parsing terminal output.
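Turning the notAfter line into days remaining, with the error handling a script needs when the connection fails and no certificate comes back. This is an added example, not part of the original guide; it assumes GNU date for -d, and the function names and the 30-day threshold are hypothetical.

```sh
# Added example, not from the original guide. Assumes GNU date (for -d).
# Function names and the warning threshold are hypothetical.

# days_until_expiry "<notAfter=... line>" [now_epoch]
# Prints whole days remaining (negative once expired); returns 2 on bad input,
# e.g. the empty string you get when s_client could not fetch a certificate.
days_until_expiry() {
  local line now stamp end diff
  line="$1"
  now="${2:-$(date -u +%s)}"
  case "$line" in
    notAfter=*) stamp="${line#notAfter=}" ;;
    *) echo "no notAfter field in input" >&2; return 2 ;;
  esac
  if ! end=$(date -u -d "$stamp" +%s 2>/dev/null); then
    echo "cannot parse date: $stamp" >&2; return 2
  fi
  diff=$(( end - now ))
  if [ "$diff" -lt 0 ]; then
    # Round away from zero so "expired an hour ago" reports -1, not 0.
    echo $(( -((86399 - $diff) / 86400) ))
  else
    echo $(( diff / 86400 ))
  fi
}

# expiry_status "<notAfter line>" <warn_days> [now_epoch]
# Prints "OK n", "WARN n", "EXPIRED n" or "ERROR"; exit code 0, 1, 1 or 2.
expiry_status() {
  local days
  if ! days=$(days_until_expiry "$1" "${3:-}"); then
    echo "ERROR"; return 2
  fi
  if [ "$days" -lt 0 ]; then echo "EXPIRED $days"; return 1; fi
  if [ "$days" -lt "$2" ]; then echo "WARN $days"; return 1; fi
  echo "OK $days"
}

# Live use (needs network), with the command from this section:
#   line=$(echo | openssl s_client -servername example.com \
#            -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate)
#   expiry_status "$line" 30
```

For a plain yes/no answer without date parsing, openssl x509 also accepts -checkend with a number of seconds and exits non-zero if the certificate expires within that window.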
Read issuer, subject, and hostname details
Expiration is not the only field that matters. A certificate can be unexpired and still be wrong for the hostname users are visiting.
To print issuer and subject:
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer -subject
To inspect Subject Alternative Name entries:
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -ext subjectAltName
Review these fields:
- issuer: the certificate authority that issued the certificate.
- subject: the primary subject name on the certificate.
- subjectAltName: the DNS names the certificate covers.
- notAfter: the expiration date.
If the hostname is missing from subjectAltName, browsers and API clients may reject the connection even if the certificate has not expired.
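Checking by script whether the subjectAltName output covers a given hostname, including the wildcard case that is easy to misread by eye. This is an added example, not part of the original guide; the matching is simplified (DNS entries only, a wildcard only as the whole left-most label), and the function name and sample SAN text are constructed.

```sh
# Added example, not from the original guide. Simplified matching: DNS entries
# only, case-insensitive, "*" allowed only as the whole left-most label.
# The function name and the sample SAN text are constructed for illustration.

# Constructed sample in the layout `openssl x509 -noout -ext subjectAltName` prints.
SAMPLE_SAN='X509v3 Subject Alternative Name: 
    DNS:example.com, DNS:*.example.com, DNS:api.example.net'

# san_covers "<subjectAltName output>" <hostname>
# Returns 0 if some DNS entry covers the hostname, 1 if none does.
san_covers() {
  local host names name suffix rest
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$host" in ''|.*) return 1 ;; esac   # reject empty or malformed names
  # One entry per line, keep the value of each DNS: entry, lower-cased.
  names=$(printf '%s\n' "$1" | tr ',' '\n' |
    sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' | tr 'A-Z' 'a-z')
  while IFS= read -r name; do
    case "$name" in
      "$host") return 0 ;;                 # exact match
      \*.*)
        suffix="${name#\*}"                # "*.example.com" -> ".example.com"
        rest="${host#*.}"                  # host without its left-most label
        # A wildcard stands for exactly one label: www.example.com matches,
        # example.com and a.b.example.com do not.
        if [ "$rest" != "$host" ] && [ ".$rest" = "$suffix" ]; then
          return 0
        fi ;;
    esac
  done <<EOF
$names
EOF
  return 1
}

# Live use (needs network):
#   san=$(echo | openssl s_client -servername example.com \
#           -connect example.com:443 2>/dev/null | openssl x509 -noout -ext subjectAltName)
#   san_covers "$san" example.com && echo covered || echo "NOT covered"
```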
Check a local certificate file
If you have a certificate file on disk, use openssl x509 directly:
openssl x509 -in certificate.crt -text -noout
For a shorter output:
openssl x509 -in certificate.crt -noout -enddate -issuer -subject
This is useful when you are reviewing a certificate before deployment. It does not prove that the public website is currently serving that certificate. To confirm the live certificate, use openssl s_client against the hostname and port.
Verify the certificate chain and common errors
The CLI can also help diagnose chain and verification problems. Start with:
echo | openssl s_client -servername example.com -connect example.com:443 -showcerts
The -showcerts option displays the certificates sent by the server. Treat it as diagnostic output, not a complete guarantee that every client will trust the chain.
| Output or symptom | What it usually means |
|---|---|
| Verify return code: 0 (ok) | OpenSSL did not detect a verification problem with the presented chain. |
| unable to get local issuer certificate | The client may be missing the intermediate or trusted issuer needed to build the chain. |
| self-signed certificate | The server is presenting a self-signed certificate or a chain ending in an untrusted root. |
| Hostname does not match SAN | The certificate is not valid for the hostname being checked. |
| no peer certificate available | The server did not present a certificate during the TLS handshake. |
| Command appears to hang | The server may be waiting for input or a clean close; send empty input for simple checks and suppress noisy stderr when needed. |
For production monitoring, do not rely on a manual terminal check once and forget it. Save important domains for daily checks and reminders.
Common mistakes when checking SSL certificates with OpenSSL
- Forgetting -servername
  Many production hosts use SNI. Without -servername, OpenSSL may return a different certificate than the one browsers receive for the hostname.
- Checking a local file instead of the live server
  openssl x509 -in certificate.crt checks a file. It does not confirm what https://example.com is actually serving.
- Reading only the expiration date
  notAfter matters, but issuer, hostname coverage, and chain errors can also break users.
- Ignoring intermediate certificates
  A leaf certificate can look valid while the chain is incomplete for some clients.
- Turning a one-off command into a fragile script
  Scripts need error handling, domain lists, notification delivery, and repeated scheduling. For important domains, daily monitoring is usually less brittle.
Keep checking automatically after the OpenSSL test
A terminal check is excellent for ad-hoc inspection. It is not a monitoring workflow by itself.
After you check a certificate with OpenSSL, ask whether the domain matters to production, checkout, APIs, auth, docs, or a client site. If it does, add it to PulseSSL so the certificate is checked every day and you get email reminders before expiration.
Start with the free SSL certificate checker, then monitor up to 2 domains for free.
FAQ
How do I check an SSL certificate with OpenSSL?
Use openssl s_client -connect example.com:443 -servername example.com to connect to the live HTTPS server, then pipe the certificate into openssl x509 to print readable fields. For example: echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates -issuer -subject.
How do I check the SSL certificate expiration date with OpenSSL?
Use openssl x509 -noout -enddate after retrieving the certificate. For a live website, run: echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate. The notAfter value is the expiration date.
Why should I use -servername with openssl s_client?
-servername sends the hostname through SNI during the TLS handshake. Many servers host multiple HTTPS sites on the same IP address, so SNI helps the server return the certificate for the hostname you actually want to inspect.
How do I check which certificate a website is serving?
Use openssl s_client against the hostname and port, then pipe the certificate into openssl x509 -noout -text for full details. Check the issuer, subject, validity dates, and Subject Alternative Name entries to understand what certificate is live.
Is OpenSSL enough for SSL certificate monitoring?
OpenSSL is enough for a manual check or debugging session. It is not enough for ongoing monitoring unless you build scheduling, storage, retries, alerting, and error handling around it. PulseSSL handles daily checks and email reminders for domains you need to keep visible.