Skip to content

Check certificate (OpenSSL)

Inspect certificate chain and TLS handshake for a host:port:

Terminal window
openssl s_client -connect ${{ HOST }}:${{ PORT }} -showcerts
  • -servername name — SNI (e.g. for virtual hosts): openssl s_client -connect ${{ HOST }}:${{ PORT }} -servername ${{ HOST }} -showcerts
  • -starttls proto — for SMTP/IMAP etc.: openssl s_client -connect ${{ HOST }}:587 -starttls smtp -showcerts
  • Pipe to get only cert(s): openssl s_client -connect ${{ HOST }}:${{ PORT }} -showcerts </dev/null 2>/dev/null | openssl x509 -noout -dates -subject -issuer

Is the cert expiring within N days? -checkend exits 0 if it’s still valid beyond that window, non-zero otherwise — perfect for a cron/monitoring probe:

Terminal window
openssl s_client -connect ${{ HOST }}:${{ PORT }} -servername ${{ HOST }} </dev/null 2>/dev/null \
| openssl x509 -noout -checkend $((30 * 86400)) \
&& echo OK || echo "expires within 30 days"