Bash Script to Check SSL Certificate Expiry Date
Use `openssl s_client -connect hostname:443 -servername hostname` piped to `openssl x509 -noout -enddate` in a Bash script to check SSL certificate expiry date.
Examples
Input: google.com
Output: notAfter=Jun 15 12:00:00 2024 GMT
Input: expired.badssl.com
Output: notAfter=Apr 12 12:00:00 2015 GMT
Input: invalid.host
Output: Unable to connect or retrieve certificate
How to Think About It
To check SSL certificate expiry, connect to the server's SSL port using `openssl s_client`, extract the certificate, then parse the expiry date with `openssl x509`. This lets you see when the certificate will expire.
Algorithm
1. Get the hostname as input.
2. Use openssl s_client to connect to the hostname on port 443 and retrieve the certificate.
3. Pipe the certificate to openssl x509 to extract the expiry date.
4. Check if the expiry date was retrieved successfully.
5. Print the expiry date or an error message.
Code
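```bash
#!/bin/bash
# Hostname to check, taken from the first argument
HOST=$1
if [ -z "$HOST" ]; then
    echo "Usage: $0 hostname"
    exit 1
fi
# "echo |" closes stdin so s_client exits after the handshake;
# x509 then prints only the certificate's end date
EXPIRY=$(echo | openssl s_client -connect "$HOST:443" -servername "$HOST" 2>/dev/null | \
    openssl x509 -noout -enddate 2>/dev/null)
if [ -z "$EXPIRY" ]; then
    echo "Unable to connect or retrieve certificate"
    exit 1
fi
echo "$EXPIRY"
```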
Output
notAfter=Jun 15 12:00:00 2024 GMT
Dry Run
Let's trace checking expiry for google.com through the code:
1. Input hostname: HOST=google.com
2. Run openssl s_client: connects to google.com:443 and retrieves the SSL certificate
3. Extract expiry date: openssl x509 outputs notAfter=Jun 15 12:00:00 2024 GMT
| Step | Action | Value |
|---|---|---|
| 1 | Set HOST | google.com |
| 2 | Retrieve certificate | Certificate data from google.com |
| 3 | Extract expiry | notAfter=Jun 15 12:00:00 2024 GMT |
Why This Works
Step 1: Connect to server
The openssl s_client command connects to the server's SSL port and fetches the certificate.
Step 2: Extract expiry date
The certificate is piped to openssl x509 -noout -enddate which prints only the expiry date.
Step 3: Handle errors
If the connection or extraction fails, the script prints an error message to inform the user.
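A monitoring job usually needs days remaining rather than the raw date. The following added example (not from the original page) parses the `notAfter=` line the script prints and classifies it against a warning threshold; the function names `notafter_to_epoch` and `expiry_status` and the fixed `NOW` value are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: turn an openssl "notAfter=..." line into days remaining.
# Pure shell arithmetic, so it does not depend on GNU-only "date -d".

# Print the Unix epoch (UTC) for e.g. "notAfter=Jun 15 12:00:00 2024 GMT".
notafter_to_epoch() {
    local mon day clock year tz m y h mi s doy doe
    read -r mon day clock year tz <<EOF
${1#notAfter=}
EOF
    [ "$tz" = "GMT" ] || return 1
    case $mon in
        Jan) m=1 ;; Feb) m=2 ;; Mar) m=3 ;; Apr) m=4 ;; May) m=5 ;; Jun) m=6 ;;
        Jul) m=7 ;; Aug) m=8 ;; Sep) m=9 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) return 1 ;;
    esac
    IFS=: read -r h mi s <<EOF
$clock
EOF
    # Strip one leading zero so "08" is not read as invalid octal.
    h=${h#0} mi=${mi#0} s=${s#0} day=${day#0}
    # Days since 1970-01-01 (civil-calendar formula, year counted from March).
    y=$year
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + day - 1 ))
    doe=$(( (y % 400) * 365 + (y % 400) / 4 - (y % 400) / 100 + doy ))
    echo $(( ((y / 400) * 146097 + doe - 719468) * 86400 + h * 3600 + mi * 60 + s ))
}

# Args: notAfter line, current epoch, warning threshold in days.
# Prints "OK <days>", "WARNING <days>", "EXPIRED" or "UNPARSEABLE".
expiry_status() {
    local exp left
    exp=$(notafter_to_epoch "$1") || { echo "UNPARSEABLE"; return 2; }
    left=$(( (exp - $2) / 86400 ))
    if [ "$exp" -le "$2" ]; then echo "EXPIRED"; return 1; fi
    if [ "$left" -lt "$3" ]; then echo "WARNING $left"; return 1; fi
    echo "OK $left"
}

# Constructed demo: the page's two sample outputs against a fixed "now".
NOW=1717200000   # 2024-06-01 00:00:00 UTC, chosen for a repeatable result
expiry_status "notAfter=Jun 15 12:00:00 2024 GMT" "$NOW" 30 || true
expiry_status "notAfter=Apr 12 12:00:00 2015 GMT" "$NOW" 30 || true
```

In a live check, pass `"$EXPIRY"` from the script above and `$(date +%s)` as the current time; the non-zero return codes let cron or a CI job fail on a warning or an expired certificate.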
Alternative Approaches
Using curl with verbose output
```bash
#!/bin/bash
HOST=$1
if [ -z "$HOST" ]; then
    echo "Usage: $0 hostname"
    exit 1
fi
# Pull the "expire date" line out of curl's verbose TLS output
EXPIRY=$(curl -vI "https://$HOST" 2>&1 | grep -i 'expire date' | head -1 | cut -d':' -f2- | xargs)
echo "$EXPIRY"
```
This method uses curl's verbose output to find expiry but may be less reliable and slower.
Using timeout to avoid hanging
```bash
#!/bin/bash
HOST=$1
if [ -z "$HOST" ]; then
    echo "Usage: $0 hostname"
    exit 1
fi
# The hostname is passed as a positional argument ($1 inside bash -c),
# so its contents are never parsed as shell code
EXPIRY=$(timeout 5 bash -c 'echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null' _ "$HOST")
if [ -z "$EXPIRY" ]; then
    echo "Unable to connect or retrieve certificate"
    exit 1
fi
echo "$EXPIRY"
```
Adds a timeout to prevent the script from hanging if the server is unresponsive.
Complexity: O(1) time, O(1) space
Time Complexity
The script runs a fixed number of commands and network calls, so time is constant relative to input size.
Space Complexity
Uses minimal memory to store hostname and expiry string; no large data structures.
Which Approach is Fastest?
The openssl direct method is fastest and most reliable compared to curl or adding timeouts.
| Approach | Time | Space | Best For |
|---|---|---|---|
| openssl s_client + x509 | O(1) | O(1) | Reliable and fast expiry check |
| curl verbose parsing | O(1) | O(1) | Quick check but less reliable |
| openssl with timeout | O(1) | O(1) | Safe for slow or unresponsive servers |
Always specify the hostname with `-servername` in `openssl s_client` to support servers with multiple SSL certificates.
Forgetting to redirect error output causes confusing messages to appear instead of clean expiry info.