openssl x509: Check Certificate Expiry in CI
openssl x509 -checkend exits non-zero if a certificate expires within a given number of seconds.
Expiry checks belong in CI so a stale cert fails the build instead of production. -checkend gives you a clean exit code to gate on.
What it does
openssl x509 -checkend N exits 0 if the certificate is valid for at least N more seconds and 1 if it will expire within that window. -enddate prints the notAfter date for logging.
Common usage
# fail if the cert expires within 30 days
openssl x509 -in cert.pem -checkend 2592000 -noout \
|| echo "Certificate expires within 30 days"
# read the expiry date for a TLS endpoint
echo | openssl s_client -connect example.com:443 2>/dev/null \
| openssl x509 -noout -enddateOptions
| Flag | What it does |
|---|---|
| -checkend <seconds> | Exit 1 if the cert expires within this many seconds |
| -enddate | Print the notAfter (expiry) date |
| -startdate | Print the notBefore date |
| -dates | Print both validity dates |
| -noout | Suppress the encoded certificate |
In CI
Wrap -checkend in a scheduled job to warn before renewal is due. Remember the exit code is inverted from intuition: 0 means "still good", 1 means "expiring soon", so test with || not &&.
Common errors in CI
"unable to load certificate" means the input is not a PEM cert, often because an s_client pipe also captured the server chain or stderr; redirect 2>/dev/null and pipe only the leaf. A -checkend that always passes usually has the seconds value too small to ever trip.