Let's say we have an SSL certificate for a site. According to a web browser, the certificate expires tomorrow, Dec 10 2011.
OK, but that glosses over time zones. When will it expire, exactly?
- 00:00 local time of the server (e.g. ET)
- 00:00 local time of the user browsing the site (wherever)
- 00:00 UTC
?
(Context of question: An admin who likes to wait until the last day before expiration, to set up the new cert. Why? To "get the most value out of it", he says. I don't follow that logic, exactly, and probably he should just replace it a few days earlier? But anyway I'm concerned/curous whether the cert may stop working for some/all users, before 00:00 our local time.)
Almost all cert vendors will renew a cert for the additional whole year (or whatever time frame) for a month or so before the previous expires. So if your cert was good for Dec 10, 2010 to Dec 10, 2011; you can get a new cert in November and it'll be good for Nov 20, 2011 to Dec 10, 2012. That way you don't have to worry about "getting the most value out of it".
To answer the question, certs specify the time down to the minute, and include a time zone.
You can feed your public cert through
openssl x509 -in Certificate_File.pem -text
and it will output the Validity range. The following is from my personal websites from last year:If you want to test response from the client side or if you don't have the certificate file itself handy:
(And like the other answer it will show TZ (with the date/time stamps)
You can also try this BASH script which does files & sites..