TL;DR
You can check if a certificate is valid on your computer using built-in tools or command-line utilities. This guide shows you how to do it for different operating systems.
Checking Certificate Validity
- Understand the Basics
- Certificates have an expiry date. After this date, they are no longer trusted.
- You need to verify that the certificate is issued by a trusted authority (Certificate Authority or CA).
- Checking locally confirms your computer trusts the certificate before connecting to a website/service.
- Using Certificate Manager:
- Press
Win + R, typecertmgr.mscand press Enter. - Navigate to the relevant store (e.g., ‘Trusted Root Certification Authorities’ or ‘Personal’).
- Double-click the certificate you want to check.
- Go to the ‘Details’ tab. Check the ‘Valid from’ and ‘Valid to’ dates.
- Look at the ‘Certification Path’ section to see if it chains back to a trusted root CA.
Get-ChildItem Cert:LocalMachineMy | Where-Object {$_.Subject -eq "your_certificate_subject"}Replace your_certificate_subject with the certificate’s subject name.
- Using Keychain Access:
- Open ‘Keychain Access’ (Applications > Utilities).
- Select the relevant keychain (e.g., ‘System’, ‘login’).
- Find your certificate in the list.
- Double-click the certificate.
- Check the ‘Validity’ section for start and end dates.
- Examine the ‘Trust’ section to see if it’s trusted.
security find-certificate -i your_certificate_nameReplace your_certificate_name with the certificate’s name or part of its subject.
- Check Certificate Details:
openssl x509 -in your_certificate.pem -text -nooutReplace your_certificate.pem with the path to your certificate file.
- Look for ‘Not Before’ and ‘Not After’ dates in the output.
- Check the ‘Issuer’ field to identify the issuing CA.
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt your_certificate.pemThis command verifies if the certificate is trusted by the system’s CA store.
- Most browsers show a warning if a certificate is invalid or untrusted.
- Clicking on the lock icon in the address bar usually provides details about the certificate.