You can check an SSL certificate directly from the command line over SSH using tools like openssl. This is useful to verify expiry, issuer, chain, and domain validity without relying on a browser. Here’s a detailed guide.
1. Check certificate details from the server
Command:
openssl x509 -in /path/to/certificate.crt -text -noout
Explanation:
- -in /path/to/certificate.crt → path to your certificate file (e.g., /etc/ssl/certs/fullchain.pem)
- -text → prints detailed info (issuer, validity, SANs)
- -noout → avoids printing raw base64 data
Example output includes:
- Issuer (CA)
- Subject (domain)
- Validity period (Not Before/Not After)
- Signature algorithm
- SANs (Subject Alternative Names)
2. Check certificate against its private key
Make sure the certificate matches the private key:
openssl x509 -noout -modulus -in /path/to/certificate.crt | openssl md5
openssl rsa -noout -modulus -in /path/to/private.key | openssl md5
Explanation:
- The MD5 hashes must match.
- If they differ, the certificate and key do not match.
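The modulus comparison above only applies to RSA keys, because `openssl rsa` cannot read ECDSA or Ed25519 keys. The following added example (not part of the original guide) generalizes the check to any key type by comparing public keys instead; the function name `cert_matches_key` is hypothetical and the private key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example: check that a certificate and a private key belong together
# by comparing their public keys (works for RSA, ECDSA and Ed25519).
#
# Exit status: 0 = match, 1 = mismatch, 2 = a file could not be read.
# Assumption: the private key is not passphrase-protected.

cert_matches_key() {
    # Public key embedded in the certificate (PEM SubjectPublicKeyInfo).
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # Public key derived from the private key, in the same PEM format.
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2

    # Treat empty output as an error. Hashing the output of a failed command
    # would make two unreadable files look like a "match".
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2

    [ "$cert_pub" = "$key_pub" ]
}

# Command-line use: ./script.sh /path/to/certificate.crt /path/to/private.key
if [ "$#" -eq 2 ]; then
    cert_matches_key "$1" "$2"
    case $? in
        0) echo "MATCH: certificate and key belong together" ;;
        1) echo "MISMATCH: certificate was not issued for this key"; exit 1 ;;
        *) echo "ERROR: could not read certificate or key" >&2; exit 2 ;;
    esac
fi
```

Unlike piping both sides into a hash, this reports an unreadable or malformed file as an error instead of a false match.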
3. Check the certificate chain and connection to your domain
openssl s_client -connect example.com:443 -servername example.com
Explanation:
- -connect example.com:443 → test connection to the server
- -servername example.com → enables SNI for multi-domain servers
You can check:
- Server certificate details
- Intermediate certificates sent by the server
- Expiry dates at the bottom (Verify return code: 0 (ok) if trusted)
Optional: Get expiry date only:
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates
Output:
notBefore=Jan 20 00:00:00 2026 GMT
notAfter=Jan 20 23:59:59 2027 GMT
4. Check if the certificate is about to expire (days left)
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null \
| openssl x509 -noout -enddate \
| cut -d= -f2
To calculate days until expiry:
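# Fetch the notAfter date; </dev/null makes s_client exit after the handshake
expiry=$(openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null \
| openssl x509 -noout -enddate | cut -d= -f2)
# Convert to epoch seconds (GNU date syntax)
expiry_date=$(date -d "$expiry" +%s)
today=$(date +%s)
echo "$(( (expiry_date - today) / 86400 )) days left"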
5. Check only certificate fingerprint (SHA256)
openssl x509 -in /path/to/certificate.crt -noout -fingerprint -sha256
6. Test TLS versions supported by the server
openssl s_client -connect example.com:443 -tls1_2
openssl s_client -connect example.com:443 -tls1_3
- If the connection fails, the server doesn’t support that version.
Summary of useful checks via SSH:
| Task | Command |
|---|---|
| View certificate details | openssl x509 -in cert.crt -text -noout |
| Check certificate matches private key | openssl x509 -noout -modulus -in cert.crt \| openssl md5 |
| Check certificate chain from server | openssl s_client -connect example.com:443 -servername example.com |
| Check expiry date | openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null \| openssl x509 -noout -dates |
| Check SHA256 fingerprint | openssl x509 -in cert.crt -noout -fingerprint -sha256 |
| Test TLS versions | openssl s_client -connect example.com:443 -tls1_2 |