OpenSSL & Cert6 min read

How to Check and Read an SSL Certificate (Browser, CLI, and Online)

Check SSL certificate details from a browser, the command line, and online tools — reading expiry dates, SANs, certificate chain, and verifying a cert matches its private key.

Reading an SSL certificate tells you who it was issued to, when it expires, which domains it covers, and whether it's from a trusted CA. Here's how to inspect certificates from a browser, the command line, and online tools.

Check Certificate in Browser

Click the padlock icon in the address bar → "Connection is secure" → "Certificate is valid" to view:

  • Subject — the domain or organization the cert is for
  • Issuer — the CA that signed it (Let's Encrypt, DigiCert, etc.)
  • Valid from / until — the validity window
  • SANs — Subject Alternative Names (all domains the cert covers)

Check with OpenSSL (Command Line)

# Check a live server's certificate
openssl s_client -connect example.com:443 -showcerts 2>/dev/null   | openssl x509 -text -noout

# Check expiry dates only
echo | openssl s_client -connect example.com:443 2>/dev/null   | openssl x509 -noout -dates

# Output:
# notBefore=Jan 15 00:00:00 2025 GMT
# notAfter=Apr 15 23:59:59 2025 GMT

# Check SANs (which domains are covered)
echo | openssl s_client -connect example.com:443 2>/dev/null   | openssl x509 -noout -ext subjectAltName

# Check a certificate file
openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.pem -noout -dates
openssl x509 -in cert.pem -noout -fingerprint -sha256

Reading the Certificate Output

Certificate:
  Data:
    Version: 3 (0x2)
    Subject: CN = example.com           ← Common Name (primary domain)
    Issuer: CN = R11, O = Let's Encrypt  ← Who signed it

    Validity
      Not Before: Jan 15 00:00:00 2025 GMT  ← Valid from
      Not After : Apr 15 23:59:59 2025 GMT  ← Expires (90 days for Let's Encrypt)

    Subject Public Key Info:
      Public Key Algorithm: id-ecPublicKey  ← ECDSA (modern) or rsaEncryption
      EC Key: 256 bit                        ← Key size

    X509v3 Subject Alternative Name:
      DNS:example.com, DNS:www.example.com  ← All covered domains

    X509v3 Basic Constraints:
      CA:FALSE                               ← Not a CA certificate

Verify a Certificate Matches Its Private Key

# Both outputs must be identical — if they match, the key and cert are a pair
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5

# For ECDSA keys
openssl x509 -noout -pubkey -in cert.pem | openssl md5
openssl ec -pubout -in private.key 2>/dev/null | openssl md5

Check the Certificate Chain

# Download and show full chain from live server
openssl s_client -connect example.com:443 -showcerts 2>/dev/null

# Verify chain locally
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt cert.pem

# Check chain completeness (missing intermediate is a common issue)
openssl s_client -connect example.com:443 2>/dev/null | grep "Verify return code"
# Should be: Verify return code: 0 (ok)
# NOT: 21 (unable to verify the first certificate) — missing intermediate

Monitor Certificate Expiry

#!/bin/bash
# Check days until expiry for a domain
DOMAIN="example.com"
EXPIRY=$(echo | openssl s_client -connect $DOMAIN:443 2>/dev/null   | openssl x509 -noout -enddate | cut -d= -f2)
EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s)
NOW_EPOCH=$(date +%s)
DAYS=$(( (EXPIRY_EPOCH - NOW_EPOCH) / 86400 ))
echo "$DOMAIN expires in $DAYS days ($EXPIRY)"

# Automate with cron to alert when < 30 days remain

TRY THE FREE TOOL

Certificate Decoder

Decode and inspect SSL/TLS certificate details

Open Tool →
N

Nattapon Tonapan

Developer & creator of FreeUtil. Building free tools for developers and Thai users.

About the author →

RELATED ARTICLES

OpenSSL & Cert7 min read

X.509 Certificates Explained: How to Read and Inspect SSL Certificate Details

OpenSSL & Cert7 min read

SSL Certificate Types Explained: PEM, DER, PKCS12, and More

OpenSSL & Cert8 min read

How to Create a Self-signed SSL Certificate for Local Development

← Back to all articles