35

Let's say we have an SSL certificate for a site. According to a web browser, the certificate expires tomorrow, Dec 10 2011.

OK, but that glosses over time zones. When will it expire, exactly?

  • 00:00 local time of the server (e.g. ET)
  • 00:00 local time of the user browsing the site (wherever)
  • 00:00 UTC

?

(Context of question: An admin who likes to wait until the last day before expiration, to set up the new cert. Why? To "get the most value out of it", he says. I don't follow that logic, exactly, and probably he should just replace it a few days earlier? But anyway I'm concerned/curious whether the cert may stop working for some/all users, before 00:00 our local time.)

Greg Hendershott
  • 1
    P.S. I guess a sub-question would be, in addition to the timezone, what actual _time_ on the date does it expire? The obvious choices being 00:00 and 23:59, I suppose. – Greg Hendershott Dec 09 '11 at 17:08
  • 7
    That admin is an idiot. All major cert vendors will issue a renewal early and keep the end-date the same as if you had renewed it on the last day. – MDMarra Dec 09 '11 at 17:10
  • 4
    To get the most value out of it? If he is renewing his cert with the same vendor, that doesn't apply. Renewed certificates from the vendors I work with are always appended to the end of the current cert's date. – Tim Brigham Dec 09 '11 at 17:10

2 Answers

43

Almost all cert vendors will renew a cert for the additional whole year (or whatever time frame) for a month or so before the previous expires. So if your cert was good for Dec 10, 2010 to Dec 10, 2011; you can get a new cert in November and it'll be good for Nov 20, 2011 to Dec 10, 2012. That way you don't have to worry about "getting the most value out of it".

To answer the question, certs specify the time down to the minute, and include a time zone.

You can feed your public cert through `openssl x509 -in Certificate_File.pem -text` and it will output the Validity range. The following is from my personal websites from last year:

```
Not Before: Apr 20 20:48:59 2010 GMT
Not After : Jun  5 01:52:13 2011 GMT
```
Chris S
  • 1
    Oh, your edit beat me to it ;) – Shane Madden Dec 09 '11 at 17:17
  • 1
    Although it "includes a time zone", the PKIX profile (which specifies how all certificates for the Internet should work) explicitly requires certificates to use only the UTC ("Zulu") timezone, which here has been displayed as GMT. In principle GMT and UTC are different kinds of things, but in practice they refer to the same thing. – tialaramex Jul 04 '17 at 12:28
  • That said, cert objects in APIs (notably [.NET's X509Certificate2.NotAfter](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.notafter?view=net-7.0)) may return a local time. – Seva Alekseyev Mar 02 '23 at 17:28
3

If you want to test response from the client side or if you don't have the certificate file itself handy:

```
echo | openssl s_client -connect www.example.tld:443 2>/dev/null | openssl x509 -noout -dates

notBefore=Oct  2 22:56:44 2018 GMT
notAfter=Dec 31 22:56:44 2018 GMT
```

(And like the other answer, it will show the TZ with the date/time stamps.)
You can also try this BASH script which does files & sites.

B. Shea
  • 3
    Thanks for sharing. FYI: With a minor tweak, this also works in Windows: `openssl.exe s_client -connect plan.clearchannel.es:443 2>nul | openssl x509 -noout -dates` (assuming openssl is in your current or %path% directory) – JohnLBevan Oct 22 '21 at 09:11
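To tie the answers back to the original question, here is an added example (not code from any of the posters above) that parses the validity lines `openssl` prints and shows that expiry is a single UTC instant whose calendar date depends on where the clock is. The function names are hypothetical and the two fixed UTC offsets are constructed for illustration; the check treats `notAfter` as inclusive, as RFC 5280 defines the validity period.

```python
import re
from datetime import datetime, timedelta, timezone

# Prefixes printed by `openssl x509 -dates` and `openssl x509 -text`.
_PREFIX = re.compile(r"^\s*(?:not(?:Before|After)=|Not (?:Before|After)\s*:)\s*")


def parse_openssl_date(line):
    """Turn an openssl validity line into a timezone-aware UTC datetime."""
    value = " ".join(_PREFIX.sub("", line).split())  # collapse "Jun  5" padding
    if not value.endswith(" GMT"):
        raise ValueError(f"expected a GMT/UTC timestamp, got {value!r}")
    naive = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return naive.replace(tzinfo=timezone.utc)


def is_expired(not_after, now):
    """True once `now` is past notAfter (RFC 5280: the bound is inclusive)."""
    if now.tzinfo is None or now.utcoffset() is None:
        # A naive local time compared against a UTC bound is off by the offset.
        raise ValueError("`now` must be timezone-aware; naive local time is ambiguous")
    return now > not_after


def wall_clock(not_after, utc_offset_hours):
    """The same expiry instant as seen on a clock at a fixed UTC offset."""
    return not_after.astimezone(timezone(timedelta(hours=utc_offset_hours)))


if __name__ == "__main__":
    # Sample value copied from the second answer above.
    expiry = parse_openssl_date("notAfter=Dec 31 22:56:44 2018 GMT")
    print("UTC      ", expiry.isoformat())
    # Constructed offsets: -5 (US Eastern in winter), +9 (no DST assumed).
    for offset in (-5, 9):
        print(f"UTC{offset:+03d}   ", wall_clock(expiry, offset).isoformat())
    print("valid at the last second:", not is_expired(expiry, expiry))
    print("expired one second later:", is_expired(expiry, expiry + timedelta(seconds=1)))
```

At UTC+9 the same certificate is still valid on the morning of Jan 1 2019 local time, which is why a date shown without its zone does not tell you when the cert stops working.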