The correct answer is 'openssl s_client -connect api.example.com:443' because by using the openssl s_client command with the -connect option followed by the hostname and the port, the administrator can establish a connection to the third-party API endpoint and retrieve the SSL certificate details, including its validity. This process is fundamental for ensuring that the certificate is not expired and that it is properly configured for secure communication. On the other hand, 'openssl x509 -in cert.pem -text' would be used to display the details of a certificate that is stored in a file which is not the correct method in this scenario since the administrator needs to check the certificate at the endpoint directly. The 'openssl req -new -key domain.key -out domain.csr' command generates a new Certificate Signing Request (CSR), not displaying an existing certificate. Lastly, 'openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem' is for creating a PKCS#12 file from a private key and certificate, which is unrelated to verifying a live SSL certificate from an endpoint.