Check Local Certificate Validity

TL;DR

You can check if a certificate is valid on your computer using built-in tools or command-line utilities. This guide shows you how to do it for different operating systems.

Checking Certificate Validity

  1. Understand the Basics
    • Certificates have an expiry date. After this date, they are no longer trusted.
    • You need to verify that the certificate is issued by a trusted authority (Certificate Authority or CA).
    • Checking locally confirms your computer trusts the certificate before connecting to a website/service.
  2. Windows
    1. Using Certificate Manager:
      • Press Win + R, type certmgr.msc and press Enter.
      • Navigate to the relevant store (e.g., ‘Trusted Root Certification Authorities’ or ‘Personal’).
      • Double-click the certificate you want to check.
      • Go to the ‘Details’ tab. Check the ‘Valid from’ and ‘Valid to’ dates.
      • Open the ‘Certification Path’ tab to see if it chains back to a trusted root CA.
    2. Using PowerShell:

      Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -eq "your_certificate_subject"}

      Replace your_certificate_subject with the certificate’s full subject name. The NotBefore and NotAfter properties of the returned certificate give its validity period.

  3. macOS
    1. Using Keychain Access:
      • Open ‘Keychain Access’ (Applications > Utilities).
      • Select the relevant keychain (e.g., ‘System’, ‘login’).
      • Find your certificate in the list.
      • Double-click the certificate.
      • Check the ‘Validity’ section for start and end dates.
      • Examine the ‘Trust’ section to see if it’s trusted.
    2. Using Terminal:

      security find-certificate -c your_certificate_name

      Replace your_certificate_name with the certificate’s name or part of its subject.

  4. Linux (using OpenSSL)
    1. Check Certificate Details:

      openssl x509 -in your_certificate.pem -text -noout

      Replace your_certificate.pem with the path to your certificate file.

      • Look for ‘Not Before’ and ‘Not After’ dates in the output.
      • Check the ‘Issuer’ field to identify the issuing CA.
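    2. Verify Certificate Chain:

      openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt your_certificate.pem

      This command verifies whether the certificate is trusted by the system’s CA store. The bundle path shown is the Debian/Ubuntu location; other distributions keep it elsewhere (for example, /etc/pki/tls/certs/ca-bundle.crt on RHEL-family systems). If the certificate was issued by an intermediate CA, supply the intermediate certificates with the -untrusted option so the chain can be built.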

  5. Browser Checks
    • Most browsers show a warning if a certificate is invalid or untrusted.
    • Clicking on the lock icon in the address bar usually provides details about the certificate.
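
The two Linux OpenSSL checks from step 4 combined into one script, as an added example (not part of the original guide): it reports expiry, including certificates that expire within a chosen number of days, separately from chain trust. The function names, exit codes and the throwaway demo certificates are assumptions made for illustration.

```shell
#!/bin/sh
# check_cert CERT CA_BUNDLE [DAYS]
# Returns 0 = inside its validity period and chains to CA_BUNDLE,
#         1 = expired, or expiring within DAYS (default 0 = already expired),
#         2 = does not chain to a trusted CA, 3 = not a readable certificate.
check_cert() {
    cert=$1 bundle=$2 days=${3:-0}
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 3
    # -checkend N exits non-zero when 'Not After' falls within the next N seconds
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1 || return 1
    # Build the chain using CA_BUNDLE (OpenSSL's default CA directory is also consulted)
    openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1 || return 2
    return 0
}

# Constructed sample data: a throwaway CA, a leaf it signs (valid for 10 days),
# and an unrelated self-signed certificate. All names are made up.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 10 -out "$d/leaf.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated Self-Signed" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}

# Run one check and print its exit status
report() {
    rc=0; check_cert "$1" "$2" "$3" || rc=$?
    echo "$(basename "$1") (window: $3 days) -> $rc"
}

demo=$(mktemp -d)
make_demo_pki "$demo"
report "$demo/leaf.pem"  "$demo/ca.pem" 0    # trusted and current
report "$demo/leaf.pem"  "$demo/ca.pem" 30   # trusted but expires within 30 days
report "$demo/other.pem" "$demo/ca.pem" 0    # not issued by the trusted CA
rm -rf "$demo"
```

To check a real certificate, call check_cert with its path and the system bundle from step 4 instead of the demo files.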