
How to check a website's SSL certificate with OpenSSL

Inspect a remote server's SSL certificate chain, expiration date, and subject alternative names using OpenSSL s_client.

Inspect a remote server's SSL/TLS certificate, including its expiration date, issuer, subject alternative names (SANs), and full certificate chain, using OpenSSL s_client.

Prerequisites

  • OpenSSL installed (preinstalled on most Linux distributions and macOS)
  • Terminal access
  • The hostname and port of the server to inspect (default HTTPS port is 443)

Step-by-Step: Check a Website's SSL Certificate with OpenSSL

1. Connect to the Server and Retrieve the Certificate with OpenSSL

OpenSSL's s_client subcommand establishes a TLS connection to the specified host and port, then displays the certificate chain and handshake details:

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null

The -servername flag sends the Server Name Indication (SNI) extension, which is required when the server hosts multiple domains on the same IP address. The </dev/null closes standard input immediately so the command exits after displaying the certificate, and 2>/dev/null discards the handshake diagnostics that s_client writes to stderr.

2. Display the Certificate Expiration Date with OpenSSL

Pipe the OpenSSL s_client output into openssl x509 to extract the certificate's validity period:

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates

OpenSSL displays the Not Before and Not After dates:

notBefore=Jan 15 00:00:00 2025 GMT
notAfter=Apr 15 23:59:59 2025 GMT

3. Display Subject Alternative Names (SANs) with OpenSSL

Extract the SANs to see which domain names the certificate covers (the -ext option requires OpenSSL 1.1.1 or later; on older releases use -text and look for the Subject Alternative Name section):

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName

4. Verify the Certificate Chain with OpenSSL

Display the full certificate chain including intermediates to diagnose chain issues:

openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null

The -showcerts flag tells OpenSSL to display every certificate in the chain, not just the leaf. Count the -----BEGIN CERTIFICATE----- blocks — a properly configured server sends 2–3 certificates (leaf + intermediate(s)).
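The following script is an added example, not part of the original article. It wraps the s_client and x509 pipelines from steps 1 to 3 into reusable checks: days remaining before expiry (via openssl x509 -checkend) and whether a hostname appears among the SAN DNS names. With a hostname argument it fetches the live leaf certificate; without one it generates a self-signed test certificate (constructed input, example.test is a placeholder name) so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original article). Reuses the x509 pipeline from
# steps 2 and 3 to check expiry and SAN coverage. With a hostname argument it
# fetches the live leaf certificate; without one it generates a self-signed
# test certificate (constructed input) so the script runs offline.
set -eu

# Step 1+2: fetch the leaf certificate from a live server as PEM on stdout.
cert_from_server() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

# Succeed (exit 0) only if the PEM file $1 stays valid for at least $2 more days.
# 'openssl x509 -checkend N' exits non-zero when the cert expires within N seconds.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(($2 * 86400))" >/dev/null
}

# Print the DNS names from the subjectAltName extension, one per line.
cert_san_dns() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Succeed only if host $2 appears verbatim among the SAN DNS names
# (exact match; wildcard entries are not expanded here).
cert_covers_host() {
  cert_san_dns "$1" | grep -qxF "$2"
}

# Constructed input: self-signed cert at $1 (key at $2), valid 30 days, two SANs.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2" -out "$1" -days 30 \
    -subj "/CN=example.test" \
    -addext "subjectAltName=DNS:example.test,DNS:www.example.test" 2>/dev/null
}

main() {
  tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
  host="${1:-example.test}"
  if [ $# -ge 1 ]; then cert_from_server "$1" >"$tmp/cert.pem"
  else make_test_cert "$tmp/cert.pem" "$tmp/key.pem"; fi
  openssl x509 -in "$tmp/cert.pem" -noout -dates
  printf 'SAN DNS names:\n'; cert_san_dns "$tmp/cert.pem"
  cert_covers_host "$tmp/cert.pem" "$host" || echo "WARN: $host not in SANs"
  cert_valid_for_days "$tmp/cert.pem" 14 && echo "OK: >14 days left" \
    || echo "WARN: expires within 14 days"
}
main "$@"
```

Run it as sh check_cert.sh example.com to test a live server; the 14-day threshold in main is an arbitrary renewal warning window.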

How to Verify the Certificate Is Valid with OpenSSL

OpenSSL prints the verification result at the end of the s_client output. Look for the Verify return code line:

Verify return code: 0 (ok)

A return code of 0 means OpenSSL successfully validated the entire certificate chain against the system's CA bundle. Note that this checks the chain only, not that the certificate name matches the host; add -verify_hostname example.com to have s_client check that as well. Any non-zero code indicates a chain or trust issue — see OpenSSL: unable to get local issuer certificate for the most common error.

Common Issues When Checking Certificates with OpenSSL

OpenSSL shows "verify error:num=20:unable to get local issuer certificate" — The server is not sending the intermediate CA certificate. The leaf certificate cannot be linked to a trusted root. See OpenSSL troubleshooting.

OpenSSL shows a different certificate than the browser — The -servername flag is missing. Without SNI, the server returns the default certificate instead of the one matching the requested hostname.

OpenSSL shows "certificate has expired" — The leaf or intermediate certificate has passed its notAfter date. Check the system clock with date -u to rule out clock skew, then renew the certificate with Certbot.