An HTTPS service can keep accepting requests right up to the moment its certificate expires, so checking the presented expiry date is a quick way to catch renewals before clients start failing. The useful value is the notAfter field on the certificate returned for the exact URL host.
Current cURL builds can expose the server certificate chain through {certs} in --write-out. Piping that PEM output into OpenSSL reads the leaf certificate directly, so the same command can print the subject and expiration date without relying on verbose handshake text.
The {certs} variable requires curl 7.88.0 or newer and is documented for the OpenSSL, GnuTLS, Schannel, and Secure Transport backends. Keep the check strict for normal monitoring so hostname, trust, and expiry failures still break the request. Use --insecure only as a short diagnostic fallback when an expired or otherwise broken certificate prevents OpenSSL from reading the PEM, and keep it out of recurring scripts.
$ curl --silent --show-error --output /dev/null \
--write-out '%{certs}' https://example.com \
| openssl x509 -noout -subject -enddate
subject=CN=example.com
notAfter=Jul 1 21:24:46 2026 GMT
The first certificate in {certs} is the leaf certificate that hostname validation uses for the requested host. If cURL reports unknown --write-out variable: 'certs', upgrade to curl 7.88.0 or newer before using this workflow.
$ curl --silent --show-error --output /dev/null \
--write-out '%{certs}' https://example.com \
| openssl x509 -noout -checkend 2592000
Certificate will not expire
-checkend 2592000 tests the next 30 days. A zero exit status means the certificate stays valid for that whole window, which makes the command suitable for monitoring and scheduled checks.
$ curl --silent --show-error --insecure --output /dev/null \
--write-out '%{certs}' https://expired.badssl.com \
| openssl x509 -noout -subject -enddate
subject=OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.badssl.com
notAfter=Apr 12 23:59:59 2015 GMT
--insecure disables hostname and certificate validation. Use it only long enough to inspect the presented certificate, then return to the strict form or fix the trust problem.
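For scheduled checks that need more than the yes/no answer from -checkend, the notAfter line printed by -enddate can be turned into a remaining-lifetime status. The script below is an added example, not part of curl, OpenSSL, or the original page; the function names, the script name cert-expiry.sh, and the 0/1/2 exit-code convention are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example; function and script names are hypothetical.

# Convert an "openssl x509 -enddate" line, for example
# "notAfter=Jul  1 21:24:46 2026 GMT", to Unix epoch seconds using integer
# arithmetic only (no GNU/BSD date parsing). The ( ) body is a subshell,
# so every variable stays local.
notafter_to_epoch() (
  set -f                                  # no globbing while splitting
  set -- ${1#notAfter=}                   # Mon D HH:MM:SS YYYY GMT
  [ "$#" -eq 5 ] && [ "$5" = GMT ] || exit 2
  mon=$1 d=${2#0} t=$3 y=$4 m=0
  for name in Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec; do
    m=$((m + 1))
    [ "$name" = "$mon" ] && break
  done
  [ "$name" = "$mon" ] || exit 2          # unknown month name
  IFS=:
  set -- $t
  hh=${1#0} mi=${2#0} ss=${3#0}           # strip leading zero (not octal)
  # Days-from-civil: count the year from March so a leap day comes last.
  [ "$m" -le 2 ] && y=$((y - 1))
  era=$((y / 400)) yoe=$((y % 400)) mp=$(( (m + 9) % 12 ))
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  days=$((era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468))
  echo "$((days * 86400 + hh * 3600 + mi * 60 + ss))"
)

# Monitoring-style exit code from a notAfter line, the current epoch and a
# warning window in days (30 corresponds to -checkend 2592000):
# 0 = valid beyond the window, 1 = expires inside it, 2 = expired/unparsable.
cert_expiry_status() (
  end=$(notafter_to_epoch "$1") || exit 2
  left=$((end - $2))
  [ "$left" -gt 0 ] || exit 2
  [ "$left" -gt $(($3 * 86400)) ] || exit 1
  exit 0
)

# Live use (assumes network, curl 7.88.0+ and openssl):
#   sh cert-expiry.sh https://example.com 30
if [ "$#" -ge 1 ]; then
  # If strict curl fails and emits no PEM, openssl fails too and we exit 2.
  line=$(curl --silent --show-error --output /dev/null \
    --write-out '%{certs}' "$1" | openssl x509 -noout -enddate) || exit 2
  cert_expiry_status "$line" "$(date +%s)" "${2:-30}"; rc=$?
  echo "$1 $line status=$rc"
  exit "$rc"
fi
```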