OpenSSL

Request a ssl certificate from a host and check its validity againt the root CA's

echo Q | openssl s_client -connect technoid.nl:443 -servername technoid.nl -CAfile /etc/ca-certificates/extracted/ca-bundle.trust.crt -showcerts -verify 1

check when a ssl certificate expires

openssl x509 -noout -enddate -in /etc/certs/cert.pem