Check SSL Certificate Data

Check SSL Certificate with OpenSSL


If you want to verify SSL certificates on your server, OpenSSL is an essential tool in your Linux toolkit. OpenSSL is a robust command-line tool that lets you generate, manage, and validate SSL/TLS certificates to ensure secure communications. In this blog post, I’ll walk you through a few simple OpenSSL commands to check SSL certificates.

TL;DR: Quick Commands to Display Full Certificate Content

For a certificate stored locally:

Replace /path/to/certificate.crt with the path to your local certificate file.

To check the content of a website’s certificates:

Replace example.com with the domain name of the website you’re checking.

What is OpenSSL?

OpenSSL is an open-source toolkit for encrypting and decrypting data, signing certificates, and much more. Its command-line utility offers various features for SSL/TLS certificates, including generating private keys, creating certificate signing requests, and validating certificates. Its flexibility and power make OpenSSL the go-to choice for web administrators and developers.

Why Check SSL Certificates?

SSL/TLS certificates authenticate a server’s identity and underpin the encrypted session between client and server, protecting data from interception. Validating certificates helps you catch expired certificates, untrusted issuers, and the misconfigurations that open the door to man-in-the-middle attacks. Whether you’re securing a personal project or handling enterprise-level applications, checking SSL certificates periodically ensures your connections remain trustworthy.

Checking SSL Certificates on Remote Servers

To check an SSL certificate, all you need is the OpenSSL tool and the proper commands. Here’s how to do it.

Check the Certificate Expiration Date

One of the first checks I recommend is verifying the certificate’s expiration date to ensure it’s still valid. You can do this with the following command:

Replace example.com with your domain. This command will return the certificate’s validity period, showing the start and end dates. Knowing these dates is critical for avoiding unexpected expiration and ensuring continuous secure connections.

Example (screenshot): Check the Certificate Expiration Date

Verify the Certificate Chain

A certificate chain, or certificate path, is the hierarchy that leads from the root Certificate Authority (CA) to the server’s SSL certificate. Ensuring the integrity of this chain is essential for trustworthiness. Here’s how you can check it:

This command outputs the server’s certificate chain. If any certificate in the chain is missing or misconfigured, browsers may flag the site as untrusted.

Check SSL Certificate Details

You can retrieve detailed information about the SSL certificate, including the issuer, subject, and algorithms used, with a single command:

Replace certificate.crt with the path to your certificate file if you’re checking a local certificate. This command is useful for identifying certificate properties and understanding more about its configuration and origin.

Validate SSL Certificate’s Domain Name

To ensure that the SSL certificate matches the intended domain, you can use OpenSSL to check the certificate’s common name (CN) or Subject Alternative Name (SAN):

This command displays the domain names the certificate is valid for. Verifying that one of them matches the host you intended to reach ensures that you’re connecting to the right server.

Test SSL/TLS Protocols and Cipher Suites

OpenSSL allows you to test the SSL/TLS protocols and cipher suites the server supports. For example:

You can modify this command by changing -tls1_2 to -tls1_1 or -tls1_3 to test for different protocol versions. Testing these confirms that the server accepts current protocol versions and rejects deprecated ones such as TLS 1.0 and 1.1.

For a more comprehensive test, try SSL Labs’ online SSL test to analyze protocols, cipher suites, and other security settings.

Checking Local SSL Certificates

If you have a local SSL certificate file and need to verify its contents or check for expiration, OpenSSL makes it simple. Here’s how:

Check the Expiration Date of a Local Certificate

To check the validity period of a local certificate file:

Replace /path/to/certificate.crt with the actual path to your certificate file. This command outputs the start and end dates of the certificate, helping you ensure it’s still valid.

View Detailed Certificate Information

To retrieve detailed information from a local certificate, including issuer, subject, and algorithm details, use:

This command provides a full breakdown of the certificate’s details, which can be useful for understanding its origins and configuration.

Verify the Certificate’s Common Name and SAN

To verify the domain names associated with a local certificate:

This command outputs the certificate’s subject and issuer, allowing you to check that the certificate is associated with the correct domain and trusted authority.

Check the Certificate’s Signature Algorithm

To see the signature algorithm used in the local certificate, use:

The signature algorithm (for example sha256WithRSAEncryption or ecdsa-with-SHA256) combines a hash function with the issuing CA’s key type and indicates the security strength of the certificate. RSA and ECDSA are common choices, and a certificate signed with an obsolete hash such as SHA-1 no longer meets modern security standards, so keep these up to date.
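The remote and local checks described in the two sections above can be scripted. The following shell helpers are an added example, not code from the original post; they assume openssl 1.1.1+ and GNU date on PATH, and the function names and the example.test certificate they generate are constructed for illustration.

```shell
# Added example (not from the original post): shell helpers wrapping the OpenSSL
# checks above. Assumes openssl 1.1.1+ and GNU date on PATH; function names are ours.
set -eu

# Fetch the leaf certificate a server presents for a given SNI name (needs network).
fetch_server_cert() {            # usage: fetch_server_cert host [port] > cert.pem
    printf '' | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
        | openssl x509
}

# Does the server complete a handshake with the given version? (needs network)
server_accepts_protocol() {      # usage: server_accepts_protocol host tls1_2 [port]
    printf '' | openssl s_client -connect "$1:${3:-443}" -servername "$1" "-$2" \
        >/dev/null 2>&1
}

# Whole days until notAfter; negative means the certificate has already expired.
cert_days_left() {               # usage: cert_days_left cert.pem
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

# DNS names the certificate is valid for: every SAN DNS entry, then the subject CN.
cert_dns_names() {               # usage: cert_dns_names cert.pem
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Does the certificate cover this host? Accepts one leading wildcard label only.
cert_matches_host() {            # usage: cert_matches_host cert.pem www.example.test
    host=$2; parent=${host#*.}
    cert_dns_names "$1" | while read -r name; do
        [ "$name" = "$host" ] && { echo match; break; }
        [ "$name" = "*.$parent" ] && [ "$host" != "$parent" ] && { echo match; break; }
    done | grep -q match
}
cert_sig_alg() {                 # usage: cert_sig_alg cert.pem
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -1
}

# Constructed demo input: a throwaway self-signed certificate with a SAN, valid 30 days.
DEMO_DIR=$(mktemp -d); trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_CERT=$DEMO_DIR/demo.crt
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=example.test' \
    -addext 'subjectAltName=DNS:example.test,DNS:*.example.test' \
    -keyout "$DEMO_DIR/demo.key" -out "$DEMO_CERT" 2>/dev/null

echo "days left: $(cert_days_left "$DEMO_CERT")   signature: $(cert_sig_alg "$DEMO_CERT")"
cert_matches_host "$DEMO_CERT" www.example.test && echo "www.example.test is covered"
```

Point `cert_days_left` at the output of `fetch_server_cert` to turn the remote expiry check into a cron job that alerts below a chosen threshold.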

Additional OpenSSL Commands for SSL Certificate Management

OpenSSL is packed with other useful commands for managing SSL certificates:

To convert certificate formats:

To generate a CSR (Certificate Signing Request):

These commands give you even more flexibility for SSL certificate management. Whether you’re generating new certificates, converting formats, or signing requests, OpenSSL has a command for every scenario.

Conclusion

Using OpenSSL to check SSL certificates is an effective way to ensure your connections are secure. With commands that verify certificate validity, chain integrity, domain name matching, and supported protocols, OpenSSL provides everything you need to maintain a secure server. Keeping SSL certificates up-to-date and validated not only protects your data but also builds trust with users.
