A PKCS12 file, which has an extension of .pfx, contains a certificate (CA-issued certificate or self-signed certificate) and a corresponding private key.

Getting the certificate expiration date is a two step process :

• Convert the .pfx file to .pem

• Get the expiration/enddate of the pem file.

There might be better ways to do this, but below is what I came up with while working with a friend today.

1
2
3
4
5

# Using -passin to avoid pem passpharse prompt.
$ openssl pkcs12 -in testuser1.pfx -out temp.pem -passout pass:"${pass}" -passin pass:"${pass}"

# This will spit out the expiration date.
$ openssl x509 -in temp.pem -noout -enddate