How-to guide

Check and inspect certificates with OpenSSL on Windows

OpenSSL can inspect certificates in PEM, DER and PFX format, check expiry dates, verify chains, and test live server certificates. This guide covers the most useful openssl x509 and openssl s_client commands on Windows.

Inspect a PEM certificate file

PEM is the most common certificate format. Files end in .pem, .crt or .cer.

cmd.exe
# Full certificate details:
C:\certs> openssl x509 -in certificate.pem -noout -text
# Subject and issuer only:
C:\certs> openssl x509 -in certificate.pem -noout -subject -issuer
subject=CN=example.com, O=Example Corp, C=US
issuer=CN=R10, O=Let's Encrypt, C=US
# Expiry dates:
C:\certs> openssl x509 -in certificate.pem -noout -dates
notBefore=Apr 1 00:00:00 2026 GMT
notAfter=Jun 30 23:59:59 2026 GMT
# Check if expired (exit 0 = valid, exit 1 = expired):
C:\certs> openssl x509 -in certificate.pem -noout -checkend 0
Certificate will not expire
# Check if cert expires within 30 days (2592000 seconds):
C:\certs> openssl x509 -in certificate.pem -noout -checkend 2592000
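
The -checkend exit codes shown above can drive an automated expiry report. The PowerShell script below is an added example, not part of the original guide. It assumes openssl.exe is on PATH; the C:\certs folder, the 30-day window and the parameter names are sample values.

```powershell
# Added example: flag certificates in a folder that are expired or expire soon.
# Assumptions: openssl.exe is on PATH; C:\certs and the 30-day window are sample values.
param(
    [string]$CertDir = 'C:\certs',
    [int]$WarnDays = 30
)

$warnSeconds = $WarnDays * 86400   # -checkend takes seconds (30 days = 2592000)

$report = foreach ($file in Get-ChildItem -Path $CertDir -File |
                            Where-Object Extension -in '.pem', '.crt', '.cer') {
    # Step 1: confirm the file parses. x509 also exits 1 on a load error, so
    # -checkend alone cannot tell "expired" from "unreadable" (for example DER input).
    $endDate = & openssl x509 -in $file.FullName -noout -enddate 2>$null
    if ($LASTEXITCODE -ne 0) {
        [pscustomobject]@{ File = $file.Name; Status = 'UNREADABLE'; NotAfter = $null }
        continue
    }

    # Step 2: -checkend 0 exits 1 if the certificate has already expired.
    & openssl x509 -in $file.FullName -noout -checkend 0 *> $null
    $expired = ($LASTEXITCODE -ne 0)

    # Step 3: -checkend N exits 1 if the certificate expires within N seconds.
    & openssl x509 -in $file.FullName -noout -checkend $warnSeconds *> $null
    $expiring = ($LASTEXITCODE -ne 0)

    $status = if ($expired) { 'EXPIRED' } elseif ($expiring) { 'EXPIRING' } else { 'OK' }
    [pscustomobject]@{
        File     = $file.Name
        Status   = $status
        NotAfter = ($endDate -replace '^notAfter=', '')
    }
}

$report | Sort-Object Status, File | Format-Table -AutoSize

# A non-zero exit lets a scheduled task or CI job fail when anything needs attention.
if ($report | Where-Object Status -ne 'OK') { exit 1 } else { exit 0 }
```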

Check a live server certificate

Use openssl s_client to connect to a server and inspect its certificate:

cmd.exe
# Connect and show certificate chain:
C:\> openssl s_client -connect example.com:443 -showcerts
# Show only the server certificate details:
C:\> openssl s_client -connect example.com:443 2>nul | openssl x509 -noout -text
# Check expiry of a remote cert:
C:\> openssl s_client -connect example.com:443 2>nul | openssl x509 -noout -dates
notBefore=Apr 1 00:00:00 2026 GMT
notAfter=Jun 30 23:59:59 2026 GMT

In PowerShell, use 2>$null instead of 2>nul to suppress the connection noise.

Inspect a PFX (PKCS#12) file

PFX files bundle the certificate and private key together. They are common on Windows IIS and Azure.

cmd.exe
# List contents of a PFX file:
C:\certs> openssl pkcs12 -in certificate.pfx -info -noout
Enter Import Password:
MAC: sha256, Iteration 2048
Certificate bag
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, ...
# Extract and inspect the certificate from PFX:
C:\certs> openssl pkcs12 -in certificate.pfx -nokeys -out cert-only.pem
C:\certs> openssl x509 -in cert-only.pem -noout -dates

For full PFX to PEM conversion see Convert PFX to PEM.

Verify a certificate chain

cmd.exe
# Verify cert against a CA bundle:
C:\certs> openssl verify -CAfile ca-bundle.pem certificate.pem
certificate.pem: OK
# Verify with intermediate cert:
C:\certs> openssl verify -CAfile ca.pem -untrusted intermediate.pem certificate.pem
certificate.pem: OK

Certificate inspection questions

How do I check if a private key matches a certificate?

For an RSA key, compare the modulus of the key and the certificate. If they match, the key and certificate belong together:

openssl x509 -in cert.pem -noout -modulus | openssl md5
openssl rsa -in key.pem -noout -modulus | openssl md5

Both commands must output the same MD5 hash.

How do I check the SANs on a certificate?

Run openssl x509 -in cert.pem -noout -ext subjectAltName. On older OpenSSL versions use openssl x509 -in cert.pem -noout -text | findstr "DNS:".

The s_client command hangs after connecting

Add -quiet or pipe a newline to close the connection after retrieving the certificate:

echo. | openssl s_client -connect example.com:443 2>nul | openssl x509 -noout -dates
