Estimated reading time: 5 minutes
If you want to verify SSL certificates on your server, OpenSSL is an essential tool in your Linux toolkit. OpenSSL is a robust command-line tool that lets you generate, manage, and validate SSL/TLS certificates to ensure secure communications. In this blog post, I’ll walk you through a few simple OpenSSL commands to check SSL certificates.
TL;DR: Quick Commands to Display Full Certificate Content
For a Certificate stored locally:
openssl x509 -in /path/to/certificate.crt -text -noout
Replace /path/to/certificate.crt
with the path to your local certificate file.
To check the content of a website’s certificates:
openssl s_client -connect example.com:443 -servername example.com | openssl x509 -text -noout
Replace example.com
with the domain name of the website you’re checking.
Table of contents
What is OpenSSL?
OpenSSL is an open-source tool for encrypting and decrypting data, signing certificates, and much more. Its command-line utility offers various features for SSL/TLS certificates, including generating private keys, signing requests, and validating certificates. Its flexibility and power make OpenSSL the go-to choice for web administrators and developers.
Why Check SSL Certificates?
SSL certificates authenticate a server’s identity and encrypt data between the client and server, making data secure from interception. Validating certificates is essential to prevent man-in-the-middle attacks, expired certificates, or untrusted connections. Whether you’re securing a personal project or handling enterprise-level applications, checking SSL certificates periodically ensures your connection is trustworthy.
Checking SSL Certificates on Remote Servers
To check an SSL certificate, all you need is the OpenSSL tool and the proper commands. Here’s how to do it.
Check the Certificate Expiration Date
One of the first checks I recommend is verifying the certificate’s expiration date to ensure it’s still valid. You can do this with the following command:
openssl s_client -connect example.com:443 -servername example.com | openssl x509 -noout -dates
Replace example.com
with your domain. This command will return the certificate’s validity period, showing the start and end dates. Knowing these dates is critical for avoiding unexpected expiration and ensuring continuous secure connections.
Example:
Verify the Certificate Chain
A certificate chain, or certificate path, is the hierarchy that leads from the root Certificate Authority (CA) to the server’s SSL certificate. Ensuring the integrity of this chain is essential for trustworthiness. Here’s how you can check it:
openssl s_client -showcerts -connect example.com:443
This command outputs the server’s certificate chain. If any certificates in the chain are missing or improperly configured, it can cause browsers to flag the site as insecure.
Check SSL Certificate Details
You can retrieve detailed information about the SSL certificate, including the issuer, subject, and algorithms used, with a single command:
openssl x509 -in certificate.crt -text -noout
Replace certificate.crt
with the path to your certificate file if you’re checking a local certificate. This command is useful for identifying certificate properties and understanding more about its configuration and origin.
Validate SSL Certificate’s Domain Name
To ensure that the SSL certificate matches the intended domain, you can use OpenSSL to check the certificate’s common name (CN) or Subject Alternative Name (SAN):
openssl s_client -connect example.com:443 -servername example.com | openssl x509 -noout -subject
This command displays the domain name associated with the certificate. Verifying that the domain name matches ensures that you’re connecting to the right server.
Test SSL/TLS Protocols and Cipher Suites
OpenSSL allows you to test the SSL/TLS protocols and cipher suites the server supports. For example:
openssl s_client -connect example.com:443 -tls1_2
You can modify this command by changing -tls1_2
to -tls1_1
or -tls1_3
to test for different protocol versions. Testing these helps confirm that the server enforces up-to-date security standards.
For a more comprehensive test, try SSL Labs’ online SSL test to analyze protocols, cipher suites, and other security settings.
Checking Local SSL Certificates
If you have a local SSL certificate file and need to verify its contents or check for expiration, OpenSSL makes it simple. Here’s how:
Check the Expiration Date of a Local Certificate
To check the validity period of a local certificate file:
openssl x509 -in /path/to/certificate.crt -noout -dates
Replace /path/to/certificate.crt
with the actual path to your certificate file. This command outputs the start and end dates of the certificate, helping you ensure it’s still valid.
View Detailed Certificate Information
To retrieve detailed information from a local certificate, including issuer, subject, and algorithm details, use:
openssl x509 -in /path/to/certificate.crt -text -noout
This command provides a full breakdown of the certificate’s details, which can be useful for understanding its origins and configuration.
Verify the Certificate’s Common Name and SAN
To verify the domain names associated with a local certificate:
openssl x509 -in /path/to/certificate.crt -noout -subject -issuer
This command outputs the certificate’s subject and issuer, allowing you to check that the certificate is associated with the correct domain and trusted authority.
Check the Certificate’s Signature Algorithm
To see the signature algorithm used in the local certificate, use:
openssl x509 -in /path/to/certificate.crt -noout -text | grep "Signature Algorithm"
Signature algorithms indicate the security strength of the certificate. RSA and ECDSA are common choices, and keeping these up-to-date ensures your certificate meets modern security standards.
Additional OpenSSL Commands for SSL Certificate Management
OpenSSL is packed with other useful commands for managing SSL certificates:
To convert certificate formats:
openssl x509 -in cert.pem -out cert.der -outform DER
To generate a CSR (Certificate Signing Request):
openssl req -new -key private.key -out request.csr
These commands give you even more flexibility for SSL certificate management. Whether you’re generating new certificates, converting formats, or signing requests, OpenSSL has a command for every scenario.
Conclusion
Using OpenSSL to check SSL certificates is an effective way to ensure your connections are secure. With commands that verify certificate validity, chain integrity, domain name matching, and supported protocols, OpenSSL provides everything you need to maintain a secure server. Keeping SSL certificates up-to-date and validated not only protects your data but also builds trust with users.