How to check SSL certificate expiry on Apache

Apache serves the file referenced by SSLCertificateFile. Check it from the live endpoint or from disk.

The universal way: openssl

This works regardless of where your certificate is served from. It opens a TLS connection and prints the validity dates of the certificate the server presents.

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null \
  | openssl x509 -noout -dates -issuer -subject

Find and read the certificate file

Locate the SSLCertificateFile directive (commonly in /etc/httpd/ or /etc/apache2/sites-enabled/) and read its dates.

grep -Ri "SSLCertificateFile" /etc/httpd/ /etc/apache2/ 2>/dev/null
openssl x509 -enddate -noout -in /etc/pki/tls/certs/example.com.crt

Don’t want to run this by hand every month?

SSLNudge checks Apache endpoints daily and alerts you before expiry.

Monitor it free

Related errors

CERT_HAS_EXPIRED
UNABLE_TO_VERIFY_LEAF_SIGNATURE

Tip: paste a hostname into the free SSL checker to see its expiry right now.