Certificate renewals and deployment reviews can fail when a certificate file is still present on disk but its remaining validity is too short for the next rollout. OpenSSL can read the notBefore and notAfter fields from a certificate file and returns a shell exit status that reports whether the certificate expires inside a chosen renewal window.

openssl x509 reads an X.509 certificate without modifying it. The -dates option prints both validity timestamps, while -checkend compares the certificate's expiry time with a threshold expressed in seconds from the current system time.

Use server.crt as the placeholder path in the commands and replace it with the certificate file that will actually be deployed. The 30-day renewal window is 2592000 seconds. The input must be a certificate: openssl x509 reads only the first certificate in the file, so a chain bundle is checked for its first certificate only, and a private key or CSR is not valid input for this check.

Steps to check certificate expiry using OpenSSL:

  1. Open a terminal on the system that has the certificate file.
  2. Print the certificate validity dates.
    $ openssl x509 -noout -dates -in server.crt
    notBefore=Jun  5 20:25:15 2026 GMT
    notAfter=Sep  3 20:25:15 2026 GMT

    notAfter is the expiry timestamp. notBefore is the first time the certificate is valid.

  3. Check whether the certificate remains valid for at least 30 days.
    $ openssl x509 -checkend 2592000 -noout -in server.crt
    Certificate will not expire

    2592000 seconds equals 30 days. The command exits with status 0 when the certificate does not expire inside the threshold.

  4. Check a longer policy window when the certificate must outlive a future rollout.
    $ openssl x509 -checkend 15552000 -noout -in server.crt
    Certificate will expire

    15552000 seconds equals 180 days. This output means the certificate's notAfter time falls inside that window, and the command exits with a nonzero status.

  5. Read the exit status immediately after the -checkend command when a script needs the threshold result; $? reports only the most recent command, so any command run in between replaces it.
    $ echo $?
    1
  6. Repeat the -checkend command with the threshold required by the renewal policy before approving the certificate for deployment.
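The same decision, applied to the -dates output rather than relying on the printed message, as an added example that is not part of the original walkthrough: it reads both timestamps, reproduces the -checkend rule for any window, and returns the same 0/1 status a renewal script would check. The sample output is the one shown in step 2; the script name checkend.py is hypothetical, and read_dates assumes an openssl binary on PATH.

```python
"""Apply the -checkend decision to `openssl x509 -noout -dates` output."""
import ssl
import subprocess
import sys
import time

DAY = 86400
# Constructed sample: the -dates output shown in the steps above.
SAMPLE_DATES_OUTPUT = (
    "notBefore=Jun  5 20:25:15 2026 GMT\n"
    "notAfter=Sep  3 20:25:15 2026 GMT\n"
)


def read_dates(cert_path):
    """Run openssl x509 -noout -dates on a certificate file (not a key or CSR)."""
    result = subprocess.run(
        ["openssl", "x509", "-noout", "-dates", "-in", cert_path],
        check=True, capture_output=True, text=True,
    )
    return result.stdout

def parse_dates(output):
    """Map notBefore/notAfter to epoch seconds; openssl prints them in GMT."""
    dates = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # ssl.cert_time_to_seconds parses the "%b %d %H:%M:%S %Y GMT" form.
            dates[key] = ssl.cert_time_to_seconds(value.strip())
    if set(dates) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return dates

def will_expire(not_after, window_seconds, now):
    """Same rule as -checkend: expiry falls before now + window."""
    return not_after - now < window_seconds

def checkend_status(output, window_seconds, now=None):
    """Return 0 (will not expire) or 1 (will expire), like the openssl exit status."""
    now = int(time.time()) if now is None else now
    return 1 if will_expire(parse_dates(output)["notAfter"], window_seconds, now) else 0

if __name__ == "__main__":
    # Usage: python checkend.py server.crt [days]; exit status mirrors -checkend.
    path = sys.argv[1]
    days = int(sys.argv[2]) if len(sys.argv) > 2 else 30
    status = checkend_status(read_dates(path), days * DAY)
    print("Certificate will expire" if status else "Certificate will not expire")
    sys.exit(status)
```

With the sample dates, a 30-day window passes and a 180-day window fails, matching steps 3 and 4.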