-enddate outputs in rfc_822 standard by default, so GNU date command can read it if you cut notAfter= characters:
$ openssl x509 -enddate -noout -in cert.pem | cut -c10- | date +%s -f -1868282453Newer versions of OpenSSL support printing in -dateopt iso_8601 format, which is at least alphabetically sortable
OpenSSL does have a seconds-till-expired check built in, but it's a true/false output:
$ openssl x509 -checkend 2592000 -noout -in cert.pem || echo "cert expires in 30 days!"