SSL 常用技巧

Check TLS/SSL certificate expiration date

From a website:

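## note echo added ##
# The empty echo gives s_client an immediate end of input, so it disconnects
# once the handshake is done instead of waiting for data from the terminal.
# DOM and PORT are quoted so that an empty or unusual value cannot be
# word-split or glob-expanded into extra openssl arguments.
# By default s_client carries on after a chain verification error, so the dates
# printed here say when the certificate expires, not that it is trusted; add
# -verify_return_error if an untrusted chain should abort the connection.
echo | openssl s_client -servername "$DOM" -connect "${DOM}:${PORT}" \
| openssl x509 -noout -dates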


depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
verify return:1
depth=0 C = US, ST = CA, L = San Francisco, O = "Cloudflare, Inc.", CN =
verify return:1
notBefore=Jun  5 00:00:00 2020 GMT
notAfter=Jun  5 12:00:00 2021 GMT
  • s_client : The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS.
  • -servername $DOM : Set the TLS SNI (Server Name Indication) extension in the ClientHello message to the given value.
  • -connect $DOM:$PORT : This specifies the host ($DOM) and optional port ($PORT) to connect to.
  • x509 : Run certificate display and signing utility.
  • -noout : Prevents output of the encoded version of the certificate.
  • -dates : Prints out the start and expiry dates of a TLS or SSL certificate.

From a PEM-encoded certificate file:

# Print only the notAfter (expiry) date of a certificate stored on disk.
# NOTE(review): the certificate file name is missing after /etc/nginx/ssl/ on
# this page; -in expects the path of a PEM file, not a directory.
openssl x509 -enddate -noout -in /etc/nginx/ssl/


notAfter=Dec 29 23:48:42 2020 GMT

Shell script to alert sysadmin

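#!/bin/bash
# Purpose: Alert sysadmin/developer about the TLS/SSL cert expiry date in advance
# Author: Vivek Gite {} under GPL v2.x+
# -------------------------------------------------------------------------------
# Requires bash: the here-string (<<<) and `source` used below are not POSIX sh.

# PEM encoded certificate to check.
# Placeholder: the real path is not shown on this page; set it for your host.
PEM="/path/to/PLACEHOLDER-certificate.pem"

# 7 days in seconds
DAYS="604800"

# Email settings
# The two addresses appear obfuscated on this page; replace them with real
# mailboxes before relying on the alert.
_sub="$PEM will expire within $DAYS (7 days)."
_from="[email protected]"
_to="[email protected]"

# openssl binary, resolved through PATH; set an absolute path here if needed.
_openssl="openssl"

# A check that cannot read its input must not look like a healthy certificate.
# Without this guard a missing or unreadable file would produce no alert at all.
if [ ! -r "$PEM" ]
then
  echo "Cannot read certificate file: $PEM" >&2
  exit 2
fi

# -checkend exits non-zero when the certificate expires within $DAYS seconds,
# and also when the file cannot be parsed as a certificate. The exit status is
# tested directly instead of matching the 'Certificate will expire' text, so a
# failure of openssl raises the alert rather than being mistaken for "valid".
# Send email and push message to my mobile
if ! "$_openssl" x509 -noout -in "$PEM" -checkend "$DAYS" >/dev/null
then
  echo "${_sub}"
  mail -s "$_sub" -r "$_from" "$_to" <<< "Warning: The TLS/SSL certificate ($PEM) will expire soon on $HOSTNAME [$(date)]"
  # push_to_mobile is expected to come from the helper file sourced below; the
  # reference link and the file name after ~/bin/ are missing from this page.
  # Sourcing runs that file's code as the user running this check, so keep the
  # file owned by, and writable only for, that user.
  # Placeholder file name: replace with the real helper.
  source ~/bin/PLACEHOLDER-push-helper.sh
  push_to_mobile "$0" "$_sub. See $_to email for detailed log. -- $HOSTNAME " >/dev/null
fi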