
Check SSL Certificate with OpenSSL

Use OpenSSL commands to check SSL certificate details, expiration date, issuer, hostname coverage, and live HTTPS status. Try the free checker.


If you need to check an SSL certificate with OpenSSL, the fastest path is to connect to the live HTTPS server with openssl s_client, then pipe the returned certificate into openssl x509 so you can read the expiration date, issuer, subject, and hostname-related fields.

For a quick browser-free check, you can also use the free SSL certificate checker and then save important domains for daily monitoring.

PulseSSL maintains this guide as a practical SSL operations reference. Command behavior is cross-checked against the official OpenSSL manual pages for openssl s_client and openssl x509.

The fastest OpenSSL command for a live website

Use this command when you want to check the certificate currently served by a public HTTPS hostname:

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates -issuer -subject

Replace example.com with the hostname you want to check.

This command does three things:

  • openssl s_client opens a TLS connection to the live server.
  • -servername example.com sends SNI, which matters when one IP address hosts multiple HTTPS sites.
  • openssl x509 -noout -dates -issuer -subject prints the certificate fields most teams need first.

Typical output looks like this:

notBefore=Jun  1 00:00:00 2026 GMT
notAfter=Aug 30 23:59:59 2026 GMT
issuer=C = US, O = Let's Encrypt, CN = R11
subject=CN = example.com

notAfter is the SSL certificate expiration date. If you only need that value, use the shorter command in the next section.

When to use command-line checks vs an online SSL checker

Command-line checks are useful when you are already in a terminal, debugging a server, or writing an operational runbook. An online checker is faster when you just need to verify what a public website is serving right now.

| Task | Use terminal commands when | Use PulseSSL when |
| --- | --- | --- |
| Check a live certificate | You are debugging from a server or local terminal | You want a quick result without installing anything |
| Check expiration date | You need raw notAfter output | You want expiration date, days remaining, issuer, and hostname coverage together |
| Verify issuer or subject | You are comparing expected certificate metadata | You want a readable snapshot for a production or client domain |
| Keep checking later | You are building your own script | You want daily SSL certificate expiration monitoring and email reminders |

Use the free SSL certificate checker for a one-time result, or use PulseSSL for SSL certificate expiration monitoring when the domain needs ongoing visibility.

Check a live website's SSL certificate with OpenSSL

For HTTPS websites, the standard port is 443. The basic live-server command is:

echo | openssl s_client -servername example.com -connect example.com:443

That prints a lot of handshake and certificate data. To make the output easier to read, pipe the certificate into openssl x509:

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -text

Use this when you need full certificate details such as serial number, signature algorithm, public key information, validity dates, issuer, subject, and extensions.

The -servername flag is important. Without it, some servers may return a default certificate for the IP address rather than the certificate for the hostname you intended to check.

Check SSL certificate expiration date with OpenSSL

To check an SSL certificate's expiration date with OpenSSL, print only the notAfter field:

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate

Example output:

notAfter=Aug 30 23:59:59 2026 GMT

To show both the start date and expiration date:

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

The official x509 manual documents -enddate as the option that prints the certificate expiry date, and -dates as the option that prints both start and expiry dates.

If you want a readable online result instead, use the SSL certificate expiration date checker. It shows expiration date and days remaining without parsing terminal output.

Read issuer, subject, and hostname details

Expiration is not the only field that matters. A certificate can be unexpired and still be wrong for the hostname users are visiting.

To print issuer and subject:

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer -subject

To inspect Subject Alternative Name entries:

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -ext subjectAltName

Review these fields:

  • issuer: the certificate authority that issued the certificate.
  • subject: the primary subject name on the certificate.
  • subjectAltName: the DNS names the certificate covers.
  • notAfter: the expiration date.

If the hostname is missing from subjectAltName, browsers and API clients may reject the connection even if the certificate has not expired.

Check a local certificate file

If you have a certificate file on disk, use openssl x509 directly:

openssl x509 -in certificate.crt -text -noout

For a shorter output:

openssl x509 -in certificate.crt -noout -enddate -issuer -subject

This is useful when you are reviewing a certificate before deployment. It does not prove that the public website is currently serving that certificate. To confirm the live certificate, use openssl s_client against the hostname and port.

Verify the certificate chain and common errors

The CLI can also help diagnose chain and verification problems. Start with:

echo | openssl s_client -servername example.com -connect example.com:443 -showcerts

The -showcerts option displays the certificates sent by the server. Treat it as diagnostic output, not a complete guarantee that every client will trust the chain.

| Output or symptom | What it usually means |
| --- | --- |
| Verify return code: 0 (ok) | OpenSSL did not detect a verification problem with the presented chain. |
| unable to get local issuer certificate | The client may be missing the intermediate or trusted issuer needed to build the chain. |
| self-signed certificate | The server is presenting a self-signed certificate or a chain ending in an untrusted root. |
| Hostname does not match SAN | The certificate is not valid for the hostname being checked. |
| no peer certificate available | The server did not present a certificate during the TLS handshake. |
| Command appears to hang | The server may be waiting for input or a clean close; send empty input for simple checks and suppress noisy stderr when needed. |

For production monitoring, do not rely on a manual terminal check once and forget it. Save important domains for daily checks and reminders.

Common mistakes when checking SSL certificates with OpenSSL

  1. Forgetting -servername

    Many production hosts use SNI. Without -servername, OpenSSL may return a different certificate than the one browsers receive for the hostname.

  2. Checking a local file instead of the live server

    openssl x509 -in certificate.crt checks a file. It does not confirm what https://example.com is actually serving.

  3. Reading only the expiration date

    notAfter matters, but issuer, hostname coverage, and chain errors can also break users.

  4. Ignoring intermediate certificates

    A leaf certificate can look valid while the chain is incomplete for some clients.

  5. Turning a one-off command into a fragile script

    Scripts need error handling, domain lists, notification delivery, and repeated scheduling. For important domains, daily monitoring is usually less brittle.
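As an added example (not part of the original guide and not PulseSSL's code), here is a small scripted check that avoids mistakes 1 to 3: it fetches the live leaf certificate with SNI, tests hostname coverage with openssl x509 -checkhost and expiry with -checkend, and fails closed when no certificate comes back. The function names check_pem and check_live, the 14-day default, and the exit-code scheme are assumptions of this example.

```shell
#!/bin/sh
# Added example. Exit codes are this example's own convention:
#   0 ok, 1 expires within DAYS, 2 hostname not covered, 3 no usable certificate

# check_pem FILE HOST [DAYS]: judge a PEM certificate already on disk.
check_pem() {
    pem=$1 host=$2 days=${3:-14}
    # An empty or unparseable file (failed handshake upstream) must never read as "ok".
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || return 3
    # -checkhost reports its verdict as text, so match the text, not the exit status.
    openssl x509 -in "$pem" -noout -checkhost "$host" 2>/dev/null |
        grep -q 'does match certificate' || return 2
    # -checkend exits non-zero when notAfter falls within the next N seconds.
    openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null 2>&1 ||
        return 1
    return 0
}

# check_live HOST [PORT] [DAYS]: fetch the leaf served for HOST (with SNI), then judge it.
check_live() {
    host=$1 port=${2:-443} days=${3:-14}
    tmp=$(mktemp) || return 3
    echo | openssl s_client -servername "$host" -connect "$host:$port" 2>/dev/null |
        openssl x509 >"$tmp" 2>/dev/null
    rc=0
    check_pem "$tmp" "$host" "$days" || rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

This checks the leaf certificate only; it does not validate the chain, so an incomplete intermediate chain (mistake 4) still needs the Verify return code from openssl s_client.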

Keep checking automatically after the OpenSSL test

A terminal check is excellent for ad-hoc inspection. It is not a monitoring workflow by itself.

After you check a certificate with OpenSSL, ask whether the domain matters to production, checkout, APIs, auth, docs, or a client site. If it does, add it to PulseSSL so the certificate is checked every day and you get email reminders before expiration.

Start with the free SSL certificate checker, then monitor up to 2 domains for free.

FAQ

How do I check an SSL certificate with OpenSSL?

Use openssl s_client -connect example.com:443 -servername example.com to connect to the live HTTPS server, then pipe the certificate into openssl x509 to print readable fields. For example: echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates -issuer -subject.

How do I check an SSL certificate's expiration date with OpenSSL?

Use openssl x509 -noout -enddate after retrieving the certificate. For a live website, run: echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate. The notAfter value is the expiration date.

Why should I use -servername with openssl s_client?

-servername sends the hostname through SNI during the TLS handshake. Many servers host multiple HTTPS sites on the same IP address, so SNI helps the server return the certificate for the hostname you actually want to inspect.

How do I check which certificate a website is serving?

Use openssl s_client against the hostname and port, then pipe the certificate into openssl x509 -noout -text for full details. Check the issuer, subject, validity dates, and Subject Alternative Name entries to understand what certificate is live.

Is OpenSSL enough for SSL certificate monitoring?

OpenSSL is enough for a manual check or debugging session. It is not enough for ongoing monitoring unless you build scheduling, storage, retries, alerting, and error handling around it. PulseSSL handles daily checks and email reminders for domains you need to keep visible.
