How to check SSL certificate expiry on Apache Tomcat

Tomcat serves TLS from a connector in server.xml that points at a keystore (JKS or PKCS12), or at PEM files in newer versions. Check expiry from the keystore or straight from the live endpoint.

The universal way: openssl

This works no matter how the connector stores its certificate. It opens a TLS connection and prints the validity dates, issuer and subject of the certificate the server presents.

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null \
  | openssl x509 -noout -dates -issuer -subject

Read the keystore with keytool

Find the connector’s keystoreFile / certificateKeystoreFile in conf/server.xml, then list the entry’s validity with keytool.

keytool -list -v -keystore /opt/tomcat/conf/keystore.jks -storepass changeit \
  | grep "Valid from"
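
The grep above prints bare dates, so in a keystore with several entries or a full chain you cannot tell which certificate a date belongs to. The following is an added example, not part of the original page: it pairs each "Valid from" line with its alias and owner and reports certificates inside a warning window. It assumes English-locale `keytool -list -v` output; the function names and the sample listing are illustrative.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `keytool -list -v` output (English locale); not from a real keystore.
# parse_keytool and expiring are illustrative helper names, not part of any tool.
SAMPLE = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=example.com
Issuer: CN=Example Intermediate CA
Valid from: Mon Jan 06 00:00:00 UTC 2025 until: Sun Apr 06 23:59:59 UTC 2025
Certificate[2]:
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA
Valid from: Wed Jan 01 00:00:00 UTC 2020 until: Tue Jan 01 00:00:00 UTC 2030
"""

VALID = re.compile(r"^Valid from: .+? until: (\w{3} \w{3} +\d+ [\d:]+) (\S+) (\d{4})\s*$")


def parse_keytool(text):
    """Yield (alias, owner, not_after) for every certificate in the listing."""
    alias = owner = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:"):
            owner = line.split(":", 1)[1].strip()
        elif (m := VALID.match(line)):
            # Assumption: the zone abbreviation (group 2) is dropped, so the
            # result is accurate to within a day, which is enough for alerting.
            stamp = f"{m.group(1)} {m.group(3)}"
            yield alias, owner, datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")


def expiring(text, now, warn_days=30):
    """Return [(alias, owner, days_left)] for certs expired or inside the window."""
    limit = now + timedelta(days=warn_days)
    return [(a, o, (end - now).days)
            for a, o, end in parse_keytool(text) if end <= limit]


if __name__ == "__main__":
    for alias, owner, days in expiring(SAMPLE, datetime(2025, 3, 20)):
        print(f"{alias}: {owner} expires in {days} day(s)")
```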

PEM-based connectors

If your connector uses a PEM file (certificateFile in a nested <SSLHostConfig><Certificate>, or the older SSLCertificateFile on the connector) instead of a keystore, read the certificate file directly.

openssl x509 -enddate -noout -in /opt/tomcat/conf/localhost-rsa-cert.pem

Don’t want to run this by hand every month?

SSLNudge checks Apache Tomcat endpoints daily and alerts you before expiry.

Tip: paste a hostname into the free SSL checker to see its expiry right now.