How do I determine the expiration date of a p12 certificate?

First you will need to translate the pkcs12 certificate into a PEM certificate.
The PEM certificate is only needed temporarily and can later be removed.

$ openssl pkcs12 -in certificate.p12 -out tempcrt.pem
Enter Import Password: 
MAC verified OK
Enter PEM pass phrase: 
Verifying - Enter PEM pass phrase:

 

Now, we use the tempcrt.pem that we generated to determine the expiration date. The first method, which only displays the expiration date can be retrieved like this:

$ openssl x509 -in tempcrt.pem -noout -enddate
notAfter=Jan  3 23:19:24 2009 GMT

 

The second method which includes a lot more detail about the certificate below, I’ve only included the details relevant to the creation and expiration dates.

$ openssl x509 -in tempcrt.pem -noout -text
        [ ... snip ... ]
        Validity
            Not Before: Jan  3 23:19:24 2008 GMT
            Not After : Jan  3 23:19:24 2009 GMT
        [ ... snip ... ]

 

6 thoughts on “How do I determine the expiration date of a p12 certificate?”

  1. Openssl seems to be insisting on a non-empty password at it’s prompt so it’s better to
    do it like this, specifing a null password on the command line…

    $ openssl pkcs12 -in certificate.p12 -out tempcrt.pem -passout pass:
    $ openssl x509 -in tempcrt.pem -noout -text -passin pass:
    $ rm tempcrt.pem

    The -passin option also works on the initial command, it’s seen as insecure of course.

  2. It may be simpler to use the keytool fucntionality from IBM which in turn will turn this into a one-liner:
    keytool -list -v -storetype pkcs12 -keystore .p12 -storepass –

  3. in Java

    KeyStore caKs = KeyStore.getInstance(“PKCS12”);
    caKs.load(new FileInputStream(new File(“pathtop12file”)), “password”.toCharArray());
    X509Certificate cert = (X509Certificate)caKs.getCertificate(“certificatenameMayBeFileName”);
    System.out.println(“certification will expire after “+ cert.getNotAfter());

Leave a Reply

Your email address will not be published. Required fields are marked *