Skip to content
Latchkey

openssl x509: Check Certificate Expiry in CI

openssl x509 -checkend exits non-zero if a certificate expires within a given number of seconds.

Expiry checks belong in CI so a stale cert fails the build instead of production. -checkend gives you a clean exit code to gate on.

What it does

openssl x509 -checkend N exits 0 if the certificate is valid for at least N more seconds and 1 if it will expire within that window. -enddate prints the notAfter date for logging.

Common usage

Terminal
# fail if the cert expires within 30 days
openssl x509 -in cert.pem -checkend 2592000 -noout \
  || echo "Certificate expires within 30 days"
# read the expiry date for a TLS endpoint
echo | openssl s_client -connect example.com:443 2>/dev/null \
  | openssl x509 -noout -enddate

Options

FlagWhat it does
-checkend <seconds>Exit 1 if the cert expires within this many seconds
-enddatePrint the notAfter (expiry) date
-startdatePrint the notBefore date
-datesPrint both validity dates
-nooutSuppress the encoded certificate

In CI

Wrap -checkend in a scheduled job to warn before renewal is due. Remember the exit code is inverted from intuition: 0 means "still good", 1 means "expiring soon", so test with || not &&.

Common errors in CI

"unable to load certificate" means the input is not a PEM cert, often because an s_client pipe also captured the server chain or stderr; redirect 2>/dev/null and pipe only the leaf. A -checkend that always passes usually has the seconds value too small to ever trip.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →