How To Check Ssl Certificate In Linux Command Line – Linux Command Line SSL Verification

by

Verifying your SSL certificate from the command line confirms your server’s encryption is active. If you’re wondering how to check ssl certificate in linux command line, you’ve come to the right place. This guide walks you through the most effective methods, from simple OpenSSL commands to detailed certificate inspections. You’ll learn to verify expiration dates, certificate chains, and common name matches without leaving your terminal.

SSL certificates are the backbone of secure web communications. When they expire or are misconfigured, your site can become vulnerable or inaccessible. Checking them manually from the command line gives you full control and immediate results. No fancy tools needed—just your Linux terminal and a few commands.

Why Check SSL Certificates From The Command Line?

You might wonder why you’d bother with command line checks when browser tools exist. The answer is simple: automation and flexibility. Scripts can check dozens of certificates at once, and you can inspect certificates on servers that aren’t even web servers—like mail servers or API endpoints.

Command line checks also work when you don’t have a GUI. On headless servers or SSH-only environments, the terminal is your only option. Plus, you get raw certificate data that browsers often hide or simplify.

Common Scenarios For Command Line Certificate Checks

  • Monitoring certificate expiration dates across multiple domains
  • Verifying certificate chains after installation
  • Debugging SSL/TLS handshake failures
  • Checking certificates on internal servers without public DNS
  • Automating certificate renewal notifications

How To Check Ssl Certificate In Linux Command Line

Now let’s get to the core of this article. The most reliable way to check SSL certificates from the Linux command line is using OpenSSL. This tool comes pre-installed on almost every Linux distribution. If it’s missing, install it with your package manager—usually sudo apt install openssl on Debian/Ubuntu or sudo yum install openssl on CentOS/RHEL.

Method 1: Using OpenSSL To Connect And Display Certificate

This is the gold standard method. You connect to a server and retrieve its certificate in real-time. Here’s the basic syntax:

openssl s_client -connect example.com:443 -showcerts

Replace example.com with your actual domain. The -showcerts flag displays the entire certificate chain. You’ll see the server certificate followed by any intermediate certificates.

The output is verbose. Look for these key sections:

  • Certificate chain – Shows each certificate in the chain
  • Server certificate – The actual certificate presented by the server
  • subject – The domain name the certificate is issued to
  • issuer – The Certificate Authority that signed it
  • Not Before / Not After – Validity dates

Extracting Just The Certificate Details

To get a cleaner output, pipe the result to OpenSSL’s x509 command:

openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -text

This strips the connection noise and shows only the certificate’s parsed content. You’ll see everything from the signature algorithm to the public key details.

Method 2: Checking Certificate Expiration Date

Expiration is the most common concern. Here’s a quick command to extract just the dates:

openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

Output looks like:

notBefore=Jan 15 00:00:00 2024 GMT
notAfter=Jan 15 23:59:59 2025 GMT

You can also check if the certificate is currently valid:

openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -checkend 0

Returns Certificate will not expire if valid, or shows the expiration time if it’s expired.

Method 3: Verifying The Certificate Chain

A complete certificate chain is crucial for browser trust. Use this command to verify:

openssl s_client -connect example.com:443 -showcerts -verify 5

The -verify 5 flag tells OpenSSL to verify up to 5 levels deep. Look for the line:

Verify return code: 0 (ok)

Any other return code indicates a problem. Common errors include:

  • 20 (unable to get local issuer certificate) – Missing intermediate certificate
  • 21 (unable to verify the first certificate) – Self-signed or untrusted root
  • 10 (certificate has expired) – Self-explanatory

Method 4: Checking A Certificate File Locally

If you have the certificate file saved (like a .crt or .pem file), you can inspect it without connecting to a server:

openssl x509 -in /path/to/certificate.crt -text -noout

This is useful for verifying certificates before deployment or checking backups.

Using Curl For Quick Certificate Checks

Curl is another handy tool. While it’s primarily for transferring data, it can show certificate information during HTTPS connections:

curl -vI https://example.com 2>&1 | grep -i "certificate\|SSL\|TLS"

The -v flag enables verbose output, and -I fetches only headers. You’ll see lines like:

* SSL certificate verify ok.
* subject: CN=example.com
* issuer: C=US; O=Let's Encrypt; CN=R3

Curl’s output is less detailed than OpenSSL but faster for quick checks. It also automatically verifies the certificate chain against the system’s trust store.

Checking Certificate With Curl And Showing Full Details

For more detail, use curl with the --cert-status flag:

curl --cert-status -v https://example.com 2>&1 | less

Scroll through the output to find the certificate information. Curl also supports --pinnedpubkey for checking specific public keys.

Automating Certificate Checks With Scripts

Once you know the commands, you can automate checks. Here’s a simple bash script that checks certificate expiration and sends an alert if it’s close to expiring:

#!/bin/bash
DOMAIN="example.com"
EXPIRY_DATE=$(openssl s_client -connect $DOMAIN:443 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2)
EXPIRY_EPOCH=$(date -d "$EXPIRY_DATE" +%s)
CURRENT_EPOCH=$(date +%s)
DAYS_LEFT=$(( ($EXPIRY_EPOCH - $CURRENT_EPOCH) / 86400 ))

if [ $DAYS_LEFT -lt 30 ]; then
    echo "WARNING: Certificate for $DOMAIN expires in $DAYS_LEFT days"
    # Add email notification here
else
    echo "OK: Certificate for $DOMAIN expires in $DAYS_LEFT days"
fi

You can expand this to check multiple domains from a file, log results, or integrate with monitoring systems like Nagios or Prometheus.

Checking Multiple Domains At Once

Create a text file with one domain per line, then run:

while read domain; do
    echo "Checking $domain..."
    openssl s_client -connect $domain:443 2>/dev/null | openssl x509 -noout -subject -dates
    echo "---"
done < domains.txt

This gives you a quick overview of all your certificates. You can redirect the output to a file for later review.

Advanced Certificate Inspection Techniques

Beyond basic checks, you might need to inspect specific certificate properties. Here are some advanced commands.

Checking Subject Alternative Names (SANs)

Modern certificates often cover multiple domains via SANs. Extract them with:

openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -ext subjectAltName

Output shows all DNS names the certificate is valid for. This is critical for multi-domain or wildcard certificates.

Verifying Certificate Fingerprint

To get the SHA256 fingerprint:

openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -fingerprint -sha256

Use this to compare against known fingerprints for security verification.

Checking Certificate Serial Number

Each certificate has a unique serial number. Retrieve it with:

openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -serial

This is useful for tracking specific certificates in logs or revocation lists.

Common Pitfalls And Troubleshooting

Even with the right commands, things can go wrong. Here are frequent issues and fixes.

Connection Timeout Or Refused

If the connection fails, check that the server is reachable and the port is open:

nc -zv example.com 443

If the port is closed, the certificate check will fail. Verify firewall rules and that the service is running.

Certificate Chain Incomplete

Some servers don't send intermediate certificates. You'll see a verification error. Fix this by ensuring the server is configured to send the full chain. On Apache, check the SSLCertificateChainFile directive. On Nginx, ensure the ssl_trusted_certificate is set.

Self-Signed Certificates

For testing environments, self-signed certificates are common. OpenSSL will show a verification error. Use the -CAfile option to specify a custom CA file, or accept the risk if it's internal.

Certificate Not Matching Domain

If the certificate's common name or SANs don't match the domain you're connecting to, you'll get a hostname mismatch error. Double-check the certificate's subject and SANs against the domain name.

Using Nmap For SSL Certificate Scanning

Nmap is primarily a network scanner, but it has SSL scripts that can check certificates. Install Nmap if needed, then run:

nmap --script ssl-cert -p 443 example.com

This script retrieves the certificate and displays subject, issuer, validity dates, and more. It's useful for scanning multiple hosts or ports.

For more detailed output, use the ssl-enum-ciphers script:

nmap --script ssl-enum-ciphers -p 443 example.com

This shows supported cipher suites and their strength, which is important for security audits.

Checking SSL Certificates On Non-Standard Ports

SSL isn't only on port 443. Mail servers use ports 465 (SMTPS) or 993 (IMAPS). The same commands work with different ports:

openssl s_client -connect mail.example.com:465 -showcerts

Just change the port number. The certificate check process is identical regardless of the service.

Checking Certificates On Internal Servers

For internal servers without public DNS, use the IP address:

openssl s_client -connect 192.168.1.100:443 -servername internal.example.com

The -servername flag sends the SNI (Server Name Indication) which tells the server which certificate to present. This is essential for servers hosting multiple sites on the same IP.

Integrating Certificate Checks Into Monitoring Systems

Production environments need automated monitoring. Here's how to integrate command line checks with common tools.

Nagios / Icinga Check Command

Create a custom check script using the OpenSSL commands above. Nagios can call it and parse the output for warnings and critical states based on days until expiration.

Prometheus Exporter

Write a simple exporter that runs the OpenSSL command periodically and exposes certificate metrics. Prometheus can scrape these metrics and alert on expiration.

Cron Job For Daily Checks

Schedule a cron job to run your script daily and email results:

0 6 * * * /usr/local/bin/check_certs.sh | mail -s "Daily SSL Check" admin@example.com

This ensures you never miss an expiration.

Frequently Asked Questions

How Do I Check An SSL Certificate Expiration Date In Linux?

Use the command openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates to display the notBefore and notAfter dates. For a quick validity check, add -checkend 0 to the x509 command.

Can I Check SSL Certificates Without OpenSSL Installed?

Yes, you can use curl with curl -vI https://example.com 2>&1 | grep -i "certificate". Nmap with the ssl-cert script also works. However, OpenSSL provides the most detailed and reliable results.

What Does The "Verify Return Code: 0 (Ok)" Mean?

It means the certificate chain was fully verified against the system's trusted root certificates. Any other code indicates a problem with the certificate chain, expiration, or trust.

How Do I Check A Certificate On A Different Port Like 993?

Simply change the port in the OpenSSL command: openssl s_client -connect mail.example.com:993 -showcerts. The process is identical for any SSL/TLS service.

Why Does My Certificate Check Show "Unable To Get Local Issuer Certificate"?

This usually means the server didn't send the intermediate certificate, or your system doesn't have the root CA installed. Ensure the server is configured to send the full chain, and update your system's CA certificates with sudo update-ca-certificates.

Best Practices For SSL Certificate Management

Regular checks are just one part of certificate management. Here are additional practices to keep your certificates healthy.

  • Set up automated renewal – Use Let's Encrypt or similar services with automatic renewal scripts
  • Monitor expiration at 30, 14, and 7 days – Don't wait until the last minute
  • Keep backup copies – Store certificate files and private keys securely
  • Use certificate transparency logs – Monitor for unauthorized certificates issued for your domains
  • Test after every renewal – Run your command line checks to confirm the new certificate works

By mastering these command line techniques, you take full control of your SSL certificate management. No more surprises from expired certificates or broken chains. Your terminal becomes a powerful tool for maintaining secure communications across all your services.

Remember, the commands here work on almost any Linux distribution. Whether you're managing a single blog or a fleet of servers, these methods scale from one-off checks to automated monitoring systems. Start with the basic OpenSSL command, then build your own scripts as your needs grow.

Your SSL certificates are the gatekeepers of your secure connections. Keep them verified, keep them valid, and keep your users safe. The command line gives you all the power you need to do just that.