How to retrieve the SSL cert expiration date from a PEM encoded certificate?

We use the following command to get the ending date of PEM encoded certificates that are generated using certbot and Let's Encrypt:

openssl x509 -enddate -noout -in fullchain.pem;

To get a list of all certificates and their expiration dates, we issue the following find command that executes the above snippet on each result while printing the name of the file first.

find ~/certificates/ -name "fullchain.pem" -print -exec openssl x509 -enddate -noout -in '{}' \;

In this example, the certificates are in our home folder under the name ‘certificates’. The results will look like the following sample:

notAfter=Aug 22 10:12:55 2021 GMT
notAfter=Nov 22 03:22:44 2021 GMT

Cloudflare Origin Server Certificate for IIS 10 Server on Windows Server 2016 to allow Full (strict) mode SSL/TLS encryption mode 8

Create a Certificate Request from your Windows Server

  1. Open Internet Information Services (IIS) Manager from the Windows Server 2016 through Control Panel -> Administrative Tools
  2. Select your server from the Connections and open Server Certificates
  1. From the Server Certificates Actions select Create Certificate Request
  1. Fill in the following form with your details:
Common name: [your domain]
Organization: [your organization name]
  1. Set the settings for the Cryptographic service provider of the certificate, the bigger the length of the certificate the better the security but it makes the server slower.
  1. Specify the filename of the txt file where you will save the certificate request

Create the certificate from Cloudflare using your own certificate request that you created from your Windows Server

  1. Open your Cloudflare account, select your domain, open SSL/TLS tab and click on Origin Server in order to create the certificate
  1. Select the option ‘I have my own private key and CSR’ where you will Copy-Paste the certificate you saved on the txt file from your Windows Server, fill in the hostnames, select the expiration years and press Next
  1. Copy-Paste in PEM key format the certificate in a text file and save the file

Add the public certificate from Cloudflare at your Windows Server

  1. Copy the file with the PEM certificate from Cloudflare at your Windows Server
  2. Select ‘Complete Certificate Request’ from the IIS Manager Server Certificates Actions
  1. Select the PEM certificate you copied at the server and add a friendly name (e.g. the domain it covers and the expiration date of it):
  1. The certificate will appear at the list of the Server Certificates with the Friendly name you added at the form before

Import Cloudflare Origin CA root certificate at your Windows server

  1. Copy the Cloudflare Origin CA — RSA Root certificate from Cloudflare website, save to a file and transfer it to your Windows Server
  2. Open the Certificates Microsoft Management Console (MMC) snap-in by typing mmc.exe at the command prompt (or at the run dialog that you can open by pressing the buttons Win+R)
  3. On the File menu, select Add/Remove Snap-in
  1. In the Add or Remove Snap-ins dialog box, select Certificates snap-in in the Available snap-ins list, click Add, and then select OK
  1. In the Certificates snap-in dialog-box, select Computer account, and then select Next
  1. In the Select computer dialog box, click on Finish
  1. In the Add or Remove Snap-ins dialog box, select OK
  1. In the Certificates MMC snap-in, expand Certificates, right-click Intermediate Certification Authorities, point to All Tasks, and then select Import
  1. In the Certificate Import Wizard, select Next
  1. In the File to Import page, select the file with the Cloudflare origin CA root certificate you saved before, and then select Next
  1. Select Next at the Certificate Import Wizard
  1. Select Finish at the Certificate Import Wizard
  1. The certificate will appear at the Certificates list

Use the newly created server origin certificate from Cloudflare for your website

  1. Select Bindings from the IIS Manager Web Site Actions
  1. Select the https binding and click Edit. If you do not have an https binding, press Add... to create one like in the second screen down
  1. At the SSL certificate dropdown list Select the new certificate and press OK

Force your website domain to pass through Cloudflare

  1. Open your Cloudflare account, select your domain, go to DNS option and change the Proxy status for your website from DNS only to Proxied by click it
  1. Enable Cloudflare full (strict) SSL TLS encryption mode in the SSL/TLS tab

Ignore SSL certificates for GIT

The background

So, recently a new firewall was installed, this firewall performs SSL/TLS decryption on all encrypted traffic…

In order for machines to continue operating normally, a custom certificate was issued and installed on each one. On certain machines though, the certificate was not installed and this caused verification problems.

The story

While trying to clone a git project from github we got the following output

$ git clone https://github.com/ioi/translation.git
Cloning into 'translation'...
fatal: unable to access 'https://github.com/ioi/translation.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

The horrible solution

To mitigate the problem (not solve it), we directed git to ignore the SSL certificates and not verify them using the following call right before the clone command.

export GIT_SSL_NO_VERIFY=true

As expected, the execution went smoothly after this change

$ git clone https://github.com/ioi/translation.git
Cloning into 'translation'...
remote: Counting objects: 297, done.
remote: Total 297 (delta 0), reused 0 (delta 0), pack-reused 297
Receiving objects: 100% (297/297), 4.40 MiB | 1.50 MiB/s, done.
Resolving deltas: 100% (39/39), done.
Checking connectivity... done.