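# Print the notAfter date of a local certificate (Let's Encrypt live path).
openssl x509 -enddate -noout -in /etc/letsencrypt/live/example.com/cert.pem
# Same file as a scriptable check: exits non-zero if it expires within 30 days (2592000 s).
openssl x509 -checkend 2592000 -noout -in /etc/letsencrypt/live/example.com/cert.pem
# Verify leaf certificates against the local root CA. If an intermediate CA issued
# them, pass it with -untrusted or the chain check fails.
openssl verify -CAfile certs/rootCA.crt certs/client.crt
openssl verify -CAfile certs/rootCA.crt certs/server.crt
# Fetch the served certificate and print its validity dates and issuer.
# stdin from /dev/null makes s_client exit right after the handshake (no stray
# newline is sent to the server); 2>/dev/null drops the verify chatter, so rerun
# without it when x509 complains about empty input.
openssl s_client -servername example.com -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -noout -dates -issuer
# Show key type and size of an RSA private key (requires read access to the key).
openssl rsa -in secret.key -text -noout | grep "Private-Key"
# Dump a PEM public key.
openssl pkey -inform PEM -pubin -in pub.key -text -noout
# Full text dump of a certificate; the PEM block is printed as well (add -noout to omit it).
openssl x509 -in example.com.pem -text
# Test STARTTLS against an FTP server.
openssl s_client -starttls ftp -connect localhost:21
# Fetch the served leaf certificate and dump it. s_client prints only the leaf
# unless -showcerts is given, so the sed range picks up a single certificate.
openssl s_client -connect example.com:443 -servername example.com </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text -noout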
The -connect target can be the IP address of a server and does not have to match -servername. Use -servername when several SSL hosts share a single IP address.
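# Check OCSP stapling: -status asks the server to staple an OCSP response.
# -servername carries the host name only (SNI has no port); -connect takes host:port
# and may be a raw IP. stderr is discarded to drop the verify chatter. The sed range
# prints from the "OCSP response:" line through "Next Update"; when nothing is
# stapled the range runs to the end of the output and shows "no response sent".
echo QUIT | openssl s_client -servername www.example.com -connect xx.xxx.xxx.xx:443 -status 2>/dev/null | sed -n '/OCSP response:/,/Next Update/p'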
If you get an error like
Oct 23 17:55:05 hpb01-rp nginx[2837]: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/some.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
check that the certificate and the private key belong together:
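# Compare the RSA modulus of the certificate and the key; the two digests must be equal.
openssl x509 -in /path/to/yourdomain.crt -noout -modulus | openssl sha1
openssl rsa -in /path/to/your.key -noout -modulus | openssl sha1
# Key-type-agnostic variant (-modulus only applies to RSA; this also works for EC keys):
# extract the public key from each side and compare the digests instead.
openssl x509 -in /path/to/yourdomain.crt -noout -pubkey | openssl sha256
openssl pkey -in /path/to/your.key -pubout | openssl sha256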
Both commands must print the same SHA sum; if they differ, the key is not the one the certificate was issued for.
The openssl x509 utility also lets you extract specific pieces of information from the certificate file instead of printing the entire certificate in text form.
# Each line prints one field of the certificate; -noout suppresses the PEM block.
openssl x509 -noout -serial -in google.com-cert        # serial number
openssl x509 -noout -issuer -in google.com-cert        # issuer DN
openssl x509 -noout -dates -in google.com-cert         # notBefore / notAfter
openssl x509 -noout -subject -in google.com-cert       # subject DN
openssl x509 -noout -pubkey -in google.com-cert        # public key as PEM
openssl x509 -noout -modulus -in google.com-cert       # RSA modulus (RSA certs only)
openssl x509 -noout -ocsp_uri -in google.com-cert      # OCSP responder URL from AIA
Note: the last command (-ocsp_uri) may not work in all versions of OpenSSL.
You can also mix and match arguments from the last step:
# Several field options can be combined in one invocation; fields print in the order OpenSSL chooses.
openssl x509 -noout -subject -issuer -in google.com-cert
openssl x509 -noout -serial -dates -in google.com-cert
You can also request specific extensions from the certificate:
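# -ext prints the named extension(s) in text form; it requires OpenSSL 1.1.1 or newer.
openssl x509 -in google.com-cert -noout -ext subjectAltName          # DNS names / IPs the cert covers
openssl x509 -in google.com-cert -noout -ext basicConstraints        # CA:TRUE/FALSE, path length
openssl x509 -in google.com-cert -noout -ext crlDistributionPoints   # where to fetch the CRL
openssl x509 -in google.com-cert -noout -ext keyUsage
openssl x509 -in google.com-cert -noout -ext extendedKeyUsage        # e.g. serverAuth / clientAuth
openssl x509 -in google.com-cert -noout -ext authorityInfoAccess     # OCSP responder and CA issuer URLs
openssl x509 -in google.com-cert -noout -ext subjectKeyIdentifier
openssl x509 -in google.com-cert -noout -ext authorityKeyIdentifier  # links the cert to its issuer's SKI
# -ext also takes a comma-separated list, so several extensions can be requested at once.
openssl x509 -in google.com-cert -noout -ext subjectAltName,keyUsage,extendedKeyUsage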