OpenSSL check p12 expiration date

1. Check .p12 / .pfx certificate expiration date:

openssl pkcs12 -in testuser1.pfx -nokeys | openssl x509 -noout -enddate

To specify the password in plain text, add -passin pass:"${pass}"

2. Export key and cert from .p12 / .pfx:

openssl pkcs12 -clcerts -nokeys -in myContainer.p12 -out usercert.pem
openssl pkcs12 -nocerts -in myContainer.p12 -out userkey.pem

3. Connect to HTTPS server with client certificate:

openssl s_client -connect <host>:<port> -cert usercert.pem -key userkey.pem
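
A scriptable form of step 1, as an added example that is not part of the original post: it goes beyond the one-liner by selecting only the client certificate with -clcerts, reading the password from an environment variable instead of the command line, and using x509 -checkend for a pass/fail result. The function names, the P12_PASS variable and the self-signed sample bundle are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example; function names and the P12_PASS variable are assumptions.
# The password is passed with -passin env:P12_PASS so it does not appear
# on the command line.

# make_sample_p12 DIR DAYS: build a constructed self-signed bundle for the demo.
make_sample_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed-sample" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/sample.p12" -passout env:P12_PASS
}

# p12_enddate FILE: print notAfter of the client (leaf) certificate only.
p12_enddate() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:P12_PASS 2>/dev/null |
        openssl x509 -noout -enddate
}

# p12_expires_within FILE SECONDS
#   0 = leaf cert is expired or expires within SECONDS
#   1 = leaf cert stays valid for at least SECONDS
#   2 = bundle unreadable (wrong password, not PKCS#12, no client cert)
p12_expires_within() {
    pem=$(openssl pkcs12 -in "$1" -clcerts -nokeys \
        -passin env:P12_PASS 2>/dev/null) || return 2
    printf '%s\n' "$pem" | grep -q 'BEGIN CERTIFICATE' || return 2
    # x509 -checkend exits 0 when the cert will NOT expire in the window.
    if printf '%s\n' "$pem" |
        openssl x509 -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Demo on a constructed 30-day certificate.
export P12_PASS='constructed-demo-password'
tmp=$(mktemp -d)
make_sample_p12 "$tmp" 30
p12_enddate "$tmp/sample.p12"
if p12_expires_within "$tmp/sample.p12" $((45 * 86400)); then
    echo "WARNING: client certificate expires within 45 days"
fi
rm -rf "$tmp"
```

The distinct exit code 2 keeps a monitoring job from reporting an unreadable bundle as a healthy certificate.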

2 thoughts on “OpenSSL check p12 expiration date”

  1. When I tried with the command:
    openssl pkcs12 -in key.p12 -nokeys | openssl x509 -noout -enddate

    it gives the following error:
    24453:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:150:
    unable to load certificate
    24454:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:648:Expecting: TRUSTED CERTIFICATE

    • I don’t think your certificate is correctly formatted. I got similar problems when I saved an x509 certificate with Notepad to disk. Notepad created a BOM character at the beginning of the file and also incorrect line endings.
      This can be verified with vi by opening the x509 cert file with vi -b certfile.cer
      If you see strange xml-like chars at the very beginning of the file, that’s the BOM character and it can be safely deleted.

      If you see every line end with ^M then you have Windows newlines making the file base64-encoding corrupted. You can substitute them with
      Please note that you press and hold the CTRL key and then you press V and M in succession; this will produce ^M.

      However, I couldn’t create a p12 bundle with the aforementioned issues with the cer-file. Did you rename your file to p12 or did you bundle it using the openssl cli-tool?

      You can create a p12 from:
      * chain file containing CA root cert + intermediate CA cert(s)
      * private key, starts with ##### BEGIN PRIVATE KEY #####
      * public key, starts with ##### BEGIN CERTIFICATE #####

      openssl pkcs12 -export -out outfile.p12 -inkey keyfile.key -in publicCert.cer -certfile chainCAcerts.crt
      You will be prompted to choose a password for the p12 file, please keep that safe yet retrievable.
