A Complete Guide to Using OpenSSL Commands for Certificate Checking
OpenSSL is an open-source toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It is used to provide encryption and server authentication for Transmission Control Protocol (TCP) connections between client and server applications. Its command-line tool also lets us check a range of SSL/TLS-related information. In this comprehensive guide, we’ll explore the essential OpenSSL commands to check certificates, their expiry dates, validity, and more.
Key Takeaways
- OpenSSL is a powerful toolkit for managing SSL/TLS certificates
- Checking certificate expiry dates is crucial for maintaining secure connections
- OpenSSL commands allow you to verify certificate validity, check connectivity, and ensure proper configuration
- Understanding the various OpenSSL commands can help troubleshoot SSL/TLS-related issues efficiently
OpenSSL Command to Check the Certificate Expiry Date
If you want to check the expiry date of a certificate in a more concise format, you can use the following command:
openssl x509 -in certificate.crt -enddate -noout -dates
The -dates option prints both ends of the validity period (notBefore and notAfter); the expiry date is the notAfter line, such as “notAfter=May 23 23:59:59 2023 GMT”.
OpenSSL Command to Check Connectivity
OpenSSL can also be used to check the connectivity to a remote server and verify the SSL/TLS configuration. The following command establishes a connection to a server and displays the certificate details:
openssl s_client -connect example.com:443
Replace example.com with the domain or IP address of the server you want to connect to, and port 443 with the appropriate port number (default is 443 for HTTPS).
OpenSSL Command to Check Certificate Validity
To check the validity of a certificate, including its expiry date and other details, use the following command:
openssl x509 -in certificate.crt -text -noout -dates
This command combines the -text, -noout, and -dates options to provide a comprehensive overview of the certificate’s validity.
OpenSSL Command to Check SSL Certificate Expiry Date
To check the expiry date of an SSL certificate, you can use the same command as mentioned earlier:
openssl x509 -in certificate.crt -enddate -noout
The -enddate option displays the expiry date of the SSL certificate.
OpenSSL Command to Check Certificate and Key Match
When configuring SSL/TLS, it’s crucial to ensure that the certificate and private key match. To verify this, you can use the following commands:
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privatekey.key | openssl md5
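The first command prints the modulus of the certificate, while the second command prints the modulus of the private key; each is piped through openssl md5 so that two short digests can be compared. If the output of both commands matches, it indicates that the certificate and key are a valid pair. Both commands rely on the RSA modulus, so this check applies to RSA keys.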
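The same pairing check for any key type, as an added example that is not part of the original article: it compares the public key embedded in the certificate with the one derived from the private key, so it also covers EC and Ed25519 keys. The function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: certificate/private-key pairing check that does not depend
# on an RSA modulus. Function names are illustrative, not OpenSSL features.

# Print the PEM-encoded public key embedded in certificate file $1.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Print the PEM-encoded public key derived from private key file $1.
# "openssl pkey" reads RSA, EC and Ed25519 private keys alike.
key_pubkey() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Return 0 if certificate $1 and private key $2 form a pair,
# 1 if they do not, 2 if either file cannot be parsed.
cert_key_match() {
    local cert_pub key_pub
    # Capture each key separately so a parse failure is reported as 2
    # instead of two empty strings comparing as "equal".
    cert_pub=$(cert_pubkey "$1") || return 2
    key_pub=$(key_pubkey "$2") || return 2
    [ -n "$cert_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Print a one-line verdict for certificate $1 and key $2.
report_pair() {
    local st=0
    cert_key_match "$1" "$2" || st=$?
    case $st in
        0) echo "MATCH: $1 <-> $2" ;;
        1) echo "MISMATCH: $1 does not belong to $2" ;;
        *) echo "ERROR: could not read $1 or $2" ;;
    esac
    return "$st"
}
```

Run it as `report_pair certificate.crt privatekey.key` after sourcing the file; the exit status can gate a deployment step.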
OpenSSL Command to Check Ciphers
OpenSSL allows you to check the supported ciphers of a server using the following command:
openssl s_client -connect example.com:443 -cipher 'ALL:eNULL'
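This command connects to the specified server while offering every cipher in the 'ALL:eNULL' list, and the output reports the cipher the server selected for that connection. To build up the list of supported ciphers, repeat the command with a narrower -cipher value each time.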
OpenSSL Command to Check Certificate from URL
To check the certificate of a website directly from its URL, you can use the following command:
openssl s_client -connect example.com:443 -servername example.com
Replace example.com with the desired domain name. This command establishes a connection to the server and retrieves the certificate information.
OpenSSL Command to Check TLS Version
To check the supported TLS versions of a server, use the following command:
openssl s_client -connect example.com:443 -tls1_2
This command connects to the server using the specified TLS version (in this case, TLS 1.2). You can replace -tls1_2 with other versions like -tls1_1 or -tls1_3 to check their support.
OpenSSL Command to Check Certificate Expiry Date
To check the expiry date of a certificate, you can use the following command:
openssl x509 -in certificate.crt -noout -enddate
This command displays the expiry date of the certificate in the format “notAfter=May 23 23:59:59 2023 GMT”.
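The expiry checks in this guide turned into a pass/fail test, as an added example that is not part of the original article: it uses the x509 -checkend option, which sets the exit status according to whether the certificate expires within a given number of seconds. The function names and the 30-day threshold in the usage note are assumptions.

```bash
#!/usr/bin/env bash
# Added example: turn "notAfter=..." into an exit status a cron job or CI
# step can act on. Function names are illustrative.

# Return 0 if certificate file $1 is still valid $2 days from now,
# 1 if it expires within that window (or already has), 2 if unreadable.
cert_valid_for_days() {
    local cert=$1 days=$2
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    # -checkend takes seconds and exits non-zero if the cert expires by then.
    openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" \
        >/dev/null 2>&1 || return 1
    return 0
}

# Print the notAfter value of certificate file $1 without the "notAfter=" tag.
cert_not_after() {
    local line
    line=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null) || return 2
    printf '%s\n' "${line#notAfter=}"
}

# Save the leaf certificate served by host $1 (port $2, default 443) as PEM
# on stdout. </dev/null makes s_client exit once the handshake is done.
fetch_server_cert() {
    local host=$1 port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null | openssl x509
}

# expiry_report DAYS FILE...: one status line per certificate; the return
# value is 1 if any certificate is expiring or unreadable.
expiry_report() {
    local days=$1 cert st status rc=0
    shift
    for cert in "$@"; do
        st=0
        cert_valid_for_days "$cert" "$days" || st=$?
        case $st in
            0) status=OK ;;
            1) status=EXPIRING; rc=1 ;;
            *) status=UNREADABLE; rc=1 ;;
        esac
        printf '%-10s %s  %s\n' "$status" "$cert" "$(cert_not_after "$cert")"
    done
    return "$rc"
}
```

For a live server, `fetch_server_cert example.com > server.crt && expiry_report 30 server.crt` flags a certificate with fewer than 30 days left.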
OpenSSL Command to Check Certificate Details
To view the detailed information of a certificate, including its subject, issuer, validity period, and more, use the following command:
openssl x509 -in certificate.crt -text -noout
This command displays the certificate details in a human-readable format.
OpenSSL Command to Check Certificate Chain
To check the certificate chain of a server, you can use the following command:
openssl s_client -connect example.com:443 -showcerts
This command connects to the server and retrieves the entire certificate chain, including the server certificate and any intermediate certificates.
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.