SSL certificates underpin trust for HTTPS endpoints, APIs, and browser sessions by proving server identity. Each certificate carries a fixed validity window, and once the not-after date passes, most clients refuse the connection entirely. Regular checks on certificate expiration reduce the risk of sudden outages and maintain uninterrupted secure access.
During the TLS handshake, the server presents a certificate chain containing fields such as subject, issuer, and the not-after timestamp. When the underlying OpenSSL library is available, cURL can expose this information using verbose output while performing an HTTPS request. Filtering that verbose stream allows quick extraction of the expiry date for manual inspection or automation.
Examples assume a Linux environment with GNU tools such as awk and date and outbound access to the HTTPS endpoint. Diagnostic commands use --insecure so that expired or untrusted certificates still complete the handshake and reveal their metadata. That option bypasses normal verification and must remain constrained to monitoring and troubleshooting, because disabling validation increases exposure to man-in-the-middle attacks.
Steps to check SSL certificate expiration using cURL:
- Open a shell on a host that can reach the target HTTPS service over the network.
- Retrieve the certificate expiration timestamp from the HTTPS endpoint by running a verbose HEAD request piped through grep.
$ curl --verbose --head --insecure "https://example.com" 2>&1 | grep 'expire date' * expire date: Apr 15 23:59:59 2024 GMT
The expire date line originates from the server certificate not-after value reported by OpenSSL during the TLS handshake.
The --insecure option disables certificate verification and is suitable only for diagnostics, because it allows expired or untrusted certificates to be accepted for the connection.
- Print only the raw expiration timestamp for reuse in other commands or monitoring tools.
$ curl --verbose --head --insecure "https://example.com" 2>&1 | awk -F'expire date: ' '/expire date/ {print $2; exit}' Apr 15 23:59:59 2024 GMTReturning only the timestamp simplifies conversion to epoch seconds and comparison with the current time using date.
- Create a helper script named check_ssl_expiry.sh that checks several hostnames and computes remaining days before expiration.
#!/usr/bin/env bash sites=("example.com" "another.example") for site in "${sites[@]}"; do ts=$(curl --verbose --head --silent --insecure "https://$site" 2>&1 | awk -F'expire date: ' '/expire date/ {print $2; exit}') if [ -z "$ts" ]; then echo "$site: unable to determine certificate expiry" >&2 continue fi expiry_epoch=$(date -d "$ts" +%s 2>/dev/null || echo "") if [ -z "$expiry_epoch" ]; then echo "$site: unable to parse expiry timestamp: $ts" >&2 continue fi now_epoch=$(date +%s) seconds_left=$(( expiry_epoch - now_epoch )) days_left=$(( seconds_left / 86400 )) echo "$site expires on: $ts ($days_left days left)" done
Storing this script and scheduling it with cron or another task scheduler produces periodic reports and enables early alerts when the days-left value drops below a chosen threshold.
- Execute the script and verify that each hostname reports a sensible expiration date and non-negative number of days left.
$ bash check_ssl_expiry.sh example.com expires on: Apr 15 23:59:59 2024 GMT (120 days left) another.example expires on: Mar 01 11:59:59 2024 GMT (75 days left)
Successful output shows each hostname followed by a readable expiration timestamp and a days-left counter that is greater than or equal to zero.
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
Comment anonymously. Login not required.