How do I determine the expiration date of a p12 certificate?

First, you will need to convert the PKCS#12 certificate into a PEM certificate.
The PEM file is only needed temporarily and can be removed afterwards.

$ openssl pkcs12 -in certificate.p12 -out tempcrt.pem
Enter Import Password: 
MAC verified OK
Enter PEM pass phrase: 
Verifying - Enter PEM pass phrase:


Now we use the tempcrt.pem that we generated to determine the expiration date. The first method displays only the expiration date:

$ openssl x509 -in tempcrt.pem -noout -enddate
notAfter=Jan  3 23:19:24 2009 GMT


The second method prints a lot more detail about the certificate; below, I’ve included only the details relevant to the creation and expiration dates.

$ openssl x509 -in tempcrt.pem -noout -text
        [ ... snip ... ]
            Not Before: Jan  3 23:19:24 2008 GMT
            Not After : Jan  3 23:19:24 2009 GMT
        [ ... snip ... ]
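
The same lookup without a temporary file, as an added example that is not part of the original post. With the first command as written, tempcrt.pem also contains the private key; here `-nokeys` leaves it out and the certificate is piped straight into `openssl x509`. The function names and the `P12_PASS` environment variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: read a PKCS#12 certificate's expiry date without writing
# tempcrt.pem. P12_PASS (assumed name) holds the import password, so the
# password does not appear on the command line.

# Print the end-entity certificate as PEM. -nokeys keeps the private key
# out of the output; -clcerts skips any CA certificates in the bundle.
p12_leaf_cert() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:P12_PASS 2>/dev/null
}

# Print "notAfter=..." for the certificate; return 2 if the file cannot be
# opened (wrong password, missing file, not PKCS#12).
p12_enddate() {
    cert=$(p12_leaf_cert "$1") || return 2
    printf '%s\n' "$cert" | openssl x509 -noout -enddate
}

# Return 0 if the certificate is still valid $2 days from now,
# 1 if it will have expired by then, 2 if the file cannot be opened.
p12_valid_for_days() {
    cert=$(p12_leaf_cert "$1") || return 2
    printf '%s\n' "$cert" |
        openssl x509 -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Usage: P12_PASS=... sh p12-expiry.sh certificate.p12 [days]
if [ "$#" -ge 1 ]; then
    p12_enddate "$1"
    p12_valid_for_days "$1" "${2:-30}" ||
        echo "expires within ${2:-30} days, or could not be read" >&2
fi
```

The exit status of `p12_valid_for_days` makes it usable from a cron job or monitoring check that warns before the certificate runs out.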



6 Responses to How do I determine the expiration date of a p12 certificate?

  1. kapil says:

    in Java

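    import java.io.*;
    import java.security.KeyStore;
    import java.security.cert.X509Certificate;

    // Load the PKCS#12 keystore and read the certificate stored under the given alias
    KeyStore caKs = KeyStore.getInstance("PKCS12");
    caKs.load(new FileInputStream(new File("pathtop12file")), "password".toCharArray());
    X509Certificate cert = (X509Certificate) caKs.getCertificate("certificatenameMayBeFileName");
    System.out.println("certification will expire after " + cert.getNotAfter());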

  2. Kay says:

    It may be simpler to use the keytool functionality from IBM which in turn will turn this into a one-liner:
    keytool -list -v -storetype pkcs12 -keystore .p12 -storepass -

  3. Robert says:

    Openssl seems to be insisting on a non-empty password at its prompt so it’s better to
    do it like this, specifying a null password on the command line…

    $ openssl pkcs12 -in certificate.p12 -out tempcrt.pem -passout pass:
    $ openssl x509 -in tempcrt.pem -noout -text -passin pass:
    $ rm tempcrt.pem

    The -passin option also works on the initial command, it’s seen as insecure of course.

  4. VJ says:

    Yes, short but very useful… thanks a lot.

  5. 4fthawaiian says:

    Thanks a ton for this. Saved me a lot of work. :)
