If I have the actual file (.p12) and a Bash shell on a Mac, how can I extract the certificate and key file, and also the certificate expiration date? Assuming I have the csr(.p12), key files.
4 Answers
133
You can use openssl to extract the certificate from the .p12 file to a .pem file using the following command:
```
openssl pkcs12 -in certificate.p12 -out certificate.pem -nodes
```
Then, you can extract the expiration date from the certificate in the .pem file using the following command:
```
cat certificate.pem | openssl x509 -noout -enddate
```

mti2935
- I'm getting `notAfter=Oct 24 21:01:55 2017 GMT`, but I know for a fact that this certificate has expired. Any ideas? – WhyNotHugo Apr 25 '15 at 08:35
- You mean it's on a revocation list maybe? https://en.wikipedia.org/wiki/Certificate_revocation_list http://security.stackexchange.com/questions/58301/verify-certificate-is-revoked-by-crl – Master James Feb 08 '17 at 11:51
- As Maciek D.'s answer below shows, you can do the two commands in one line without using an intermediate certificate.pem file. – mwfearnley Oct 05 '17 at 12:18
- To just test the certificate's current validity, you can specify an expiry period, as here: https://stackoverflow.com/a/31718838/1755628 – MikeW Apr 16 '18 at 09:58
- Using `pkcs12 -nokeys` instead of `-nodes` eliminates the risk of leaving your unprotected private key lying about on the disk where some miscreant or evildoer might find it. – dave_thompson_085 Nov 14 '18 at 03:33
- This answer is rather misleading. As mentioned above by WhyNotHugo, he was seeing weird results from this. The answer below from David gives a probable explanation for this. The above method is extracting the root certificate (CA) and displaying the expiration date for that rather than the client certificate, which is probably what the OP wants. So the answer below from @David should be the accepted one, not this one. – StFS May 23 '19 at 14:38
- @WhyNotHugo "This cert"? There are usually 3 certs in a row. Have you counted all your ducks? You also have to account for the client CAs (not server). If they are obsolete you get a cert error. – SamTzu Mar 14 '23 at 14:34
82
You can make the first answer a one-liner without using the intermediate file:
```
openssl pkcs12 -in certificate.p12 -nodes | openssl x509 -noout -enddate
```

Maciek D.
49
Extract the client certificate from the pkcs12 file and print its end date:
```
openssl pkcs12 -in certificate.p12 -clcerts -nodes | openssl x509 -noout -enddate
```
If you do not include the -clcerts option you may get the end date from a CA certificate instead of from your own certificate. Several CA certificates are usually included within the file as part of the chain of trust.

David
- Tip: to programmatically add the certificate password, add the following **before** the pipe character (`|`): `-passin pass:` – Martijn Sep 11 '22 at 08:26
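The `-clcerts` option from this answer, combined with the `-nokeys` and expiry-period (`-checkend`) suggestions from the comments under the first answer, as an added example that is not code from any of the answerers. The function names, file names and password are constructed for the demo, and `-passin env:P12_PASS` (OpenSSL's environment-variable password source) is used here in place of `-passin pass:` so the password does not appear in the process list.

```bash
#!/bin/sh
# Added example (not from the answers above). File names, the password and the
# function names are constructed for the demo.

# Emit only the client (leaf) certificate as PEM.
#   -clcerts  skip the CA certificates bundled in the chain
#   -nokeys   never output the private key
#   -passin env:P12_PASS  read the password from the environment, not argv
p12_leaf_pem() {
  openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:P12_PASS
}

# Print the leaf certificate's expiry as "notAfter=...".
p12_enddate() {
  p12_leaf_pem "$1" | openssl x509 -noout -enddate
}

# Succeed only if the leaf certificate is still valid $2 seconds from now.
p12_valid_for() {
  p12_leaf_pem "$1" | openssl x509 -noout -checkend "$2" >/dev/null
}

# Build a constructed bundle in directory $1: 10-year CA, 30-day client cert.
make_demo_p12() {
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo CA" \
      -keyout ca.key -out ca.pem 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
      -keyout client.key -out client.csr 2>/dev/null &&
    openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 30 -out client.pem 2>/dev/null &&
    openssl pkcs12 -export -inkey client.key -in client.pem -certfile ca.pem \
      -passout env:P12_PASS -out demo.p12 )
}

export P12_PASS='constructed-demo-password'
demo_dir=$(mktemp -d) && make_demo_p12 "$demo_dir"
p12_enddate "$demo_dir/demo.p12"                  # leaf expiry, not the CA's
p12_valid_for "$demo_dir/demo.p12" 5184000 ||
  echo "leaf certificate expires within 60 days"
rm -rf "$demo_dir"                                # remove the demo keys
```

`-checkend` reports through its exit status, so `p12_valid_for` can be used directly in a monitoring script's `if`.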
29
Here's how you do it on Windows:
```
certutil -dump "file.pfx"
```
P.S. I know the question specifically mentions Mac, this is just in case Google sends you here (like it sent me).

Alex from Jitbit
- Thank you for your thoughtful answer! I was googling for a Windows solution and landed here :) – Violet Giraffe Aug 31 '21 at 21:18