OpenSSL has a parameter in x509 that can be used to check whether a certificate will expire within a given window.
It's not a recent feature: I tested on CentOS 7, which ships with an old release:
$ openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
The check is done in seconds; from the man page:
-checkend arg
checks if the certificate expires within the next arg seconds and exits non-zero if yes it will expire or zero if not.
I found a site that showcases broken TLS configurations, which is handy for demonstrating this. Check out badssl.com (it lives in Chromium's namespace on GitHub, but is not an official Google project).
2592000 seconds is 30 days. My use case is for Puppet to alert me when I need to think about renewing a certificate that it semi-manages.
echo | \
openssl s_client -connect expired.badssl.com:443 -servername expired.badssl.com 2>/dev/null | \
openssl x509 -noout -checkend 2592000 -enddate || echo fail
Output:
notAfter=Apr 12 23:59:59 2015 GMT
fail
A non-zero return code can arise for other reasons as well (for example when s_client returns no certificate for x509 to parse), but that will become evident when the printed notAfter date shows the certificate isn't actually approaching renewal.
Here's another way of doing it so the command is silent unless there's a fault:
f=$(echo | \
openssl s_client -connect expired.badssl.com:443 -servername expired.badssl.com 2>/dev/null | \
openssl x509 -noout -checkend 2592000 -enddate) || echo "fail: $f"
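As an added example (my own script, not code from the original post), here is a small POSIX shell wrapper around the same -checkend call that separates "no certificate could be read" from "certificate expires within the window", which is the ambiguity the non-zero exit code above leaves open. It assumes the openssl binary is on PATH; the function names are my own, and the self-signed test certificate is constructed data, not any real host's certificate.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps openssl x509
# -checkend so that "no certificate could be read" (exit 2) is told
# apart from "certificate expires within the window" (exit 1).
# Assumes the openssl binary is on PATH; function names are my own.

# check_cert_expiry PEMFILE SECONDS -> exit 0 ok, 1 expiring, 2 unreadable
check_cert_expiry() {
    pem=$1
    window=$2
    # Parse the certificate first: an empty s_client dump or junk input
    # also makes -checkend exit non-zero, which is the ambiguity noted above.
    if ! enddate=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null); then
        echo "unreadable: $pem"
        return 2
    fi
    if openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
        echo "ok: $enddate"
        return 0
    fi
    echo "expiring within ${window}s: $enddate"
    return 1
}

# fetch_cert HOST PORT PEMFILE: save the server's leaf certificate as PEM
# (same s_client pipeline as in the post, with the x509 stage kept separate
# so a connection failure shows up as an unreadable file, not as "expiring")
fetch_cert() {
    echo | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -outform PEM -out "$3" 2>/dev/null
}

# make_test_cert PEMFILE DAYS: throwaway self-signed certificate valid for
# DAYS days (constructed test data, not any real host's certificate);
# the private key goes to PEMFILE.key and is never used again.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=checkend-test" -days "$2" -out "$1" 2>/dev/null
}

# Usage: check_cert.sh FILE.pem [SECONDS]   (30 days by default)
if [ $# -ge 1 ]; then
    check_cert_expiry "$1" "${2:-2592000}"
    exit $?
fi
```

To check a live host, run fetch_cert first and then point check_cert_expiry at the saved file; the 0/1/2 exit codes map directly onto an ok/warn/error state for a Puppet or Nagios-style check.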