# openssl

View the Contents of an SSL Certificate

openssl x509 -text -noout -in cert.pem

View the SSL Certificate of a Remote Server

View the SSL certificate for any protocol using SSL/TLS with the following command:

openssl s_client -showcerts -connect FQDN:PORT

To see more documentation on s_client run the following command:

man s_client

Verify SSL Certificate Chain

bundle.pem could contain Intermediate Certificate(s) and/or a Root Certificate provided by your Certificate Authority.

openssl verify -CAfile bundle.pem cert.pem

Verify a Private Key is Valid

Output will be RSA key ok if the Private Key is valid.

openssl rsa -check -noout -in key.pem

Verify a Private Key Matches the Signed SSL Certificate

If the hashes output by the following two commands match, then the Private Key corresponds to the public key in the SSL certificate.

openssl x509 -modulus -noout -in cert.pem | openssl sha256

openssl rsa -modulus -noout -in key.pem | openssl sha256

Same commands but in a single line with string matching:

[[ "$(openssl x509 -modulus -noout -in cert.pem | openssl sha256)" == "$(openssl rsa -modulus -noout -in key.pem | openssl sha256)" ]] && echo "MATCH" || echo "NO MATCH"
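The modulus comparison above applies only to RSA keys, and the one-liner prints MATCH when neither file can be read, because both pipelines then hash empty output. The following is an added example, not part of the original page: it compares the public keys themselves, so it also covers ECDSA keys, and it fails closed. The function name `key_matches_cert` and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: fail-closed check that a private key belongs to a certificate.
# Works for any key type that `openssl pkey` can read (RSA, ECDSA, ...).
#
# Usage:   key_matches_cert cert.pem key.pem
# Returns: 0 = key matches certificate
#          1 = both files parsed, but the public keys differ
#          2 = a file is missing, unreadable, or not a valid certificate/key
#
# An encrypted private key makes openssl ask for its passphrase; without a
# terminal the read fails and the function returns 2.
key_matches_cert() (
    cert="$1"
    key="$2"

    # Public key embedded in the certificate (SubjectPublicKeyInfo, PEM).
    cert_pub="$(openssl x509 -pubkey -noout -in "$cert" 2>/dev/null)" || return 2

    # Public key derived from the private key, in the same PEM format.
    key_pub="$(openssl pkey -pubout -in "$key" 2>/dev/null)" || return 2

    # Never treat two empty results as equal.
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2

    [ "$cert_pub" = "$key_pub" ]
)
```

Call it as `key_matches_cert cert.pem key.pem && echo "MATCH" || echo "NO MATCH"`, or inspect `$?` to tell a mismatch (1) from an unreadable file (2).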

Send Specific Cipher Suites to an Endpoint

If your server can serve different TLS certificates based on the cipher suites supported by the client, verify each type of TLS certificate is being served with the following commands.

Connect with TLS 1.2 and only send RSA cipher suites:

echo | openssl s_client -tls1_2 -cipher aRSA -servername "$HOSTNAME" -connect "$HOSTNAME":443 2>/dev/null

Connect with TLS 1.2 and only send ECDSA cipher suites:

echo | openssl s_client -tls1_2 -cipher aECDSA -servername "$HOSTNAME" -connect "$HOSTNAME":443 2>/dev/null

Create a Self-Signed Certificate Authority and Server Certificate

Generate a Private Key for the Root Certificate (you will be prompted to input a passphrase):

openssl genrsa -des3 -out myCA.key 2048

Generate a Root Certificate (you will be prompted for the passphrase of the previously created Private Key):

openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem

Generate a Private Key for the Server CSR:

openssl genrsa -out server.key 2048

Create the Server CSR:

openssl req -new -key server.key -out server.csr

Create the Certificate Extension Config by creating file server.ext with the following contents:

subjectAltName = @alt_names

[alt_names]
DNS.1 = self-signed.example.com

Finally, create the Server Certificate with Extensions:

openssl x509 -req -in server.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile server.ext

Read the Server Certificate to verify it was created as desired:

openssl x509 -text -noout -in server.crt

Extract the Private Key from a PFX File

openssl pkcs12 -in file.pfx -nocerts -out key.pem

If the Private Key is password protected, remove the password with the following command:

openssl rsa -in key.pem -out key-nopass.pem

Extract the Public Certificate Chain from a PFX File

openssl pkcs12 -in file.pfx -nokeys -out certs.pem

Shell Script: Check SSL Certificate Serial Number, Issuer, Issue and Expiry Dates, Subject, and Subject Alternate Names

Create file certcheck.sh with the following content:

#!/bin/bash

hostname="$1"

echo | openssl s_client -showcerts -servername "$hostname" -connect "$hostname":443 2>/dev/null | openssl x509 -serial -issuer -dates -subject -ext subjectAltName -noout

Set the executable permission:

chmod +x certcheck.sh

Run the script with the following command:

./certcheck.sh www.example.com
