Note: If you receive a default SSL certificate in place of the server certificate, check out this explanation of SNI (Server Name Indication). $ echo | openssl s_client -connect :443 2>/dev/null | openssl x509 -noout -dates # A valid certificate that hasn’t expired yet Below are examples for both a valid and an expired certificate. By piping the output into x509, you can obtain the certificate’s validity period by using the -dates flag. You already saw how s_client establishes a connection to a server in the previous example. There are plenty of monitoring tools to keep an eye on this and ensure that it doesn’t happen to you, but what if you just want to quickly check a certificate’s expiration date from the command line? OpenSSL has you covered.Ĭhecking the expiration date of a certificate involves a one-liner composed of two OpenSSL commands: s_client and x509. A practical introduction to container terminologyĮvery sysadmin has experienced the embarrassment that follows from allowing a certificate for a public-facing website to expire.
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
#Openssl print certificate verification#
Verification error: self signed certificate Peer certificate: C = US, ST = California, L = San Francisco, O = BadSSL, CN = *.
Verify error:num=18:self signed certificate In this output, you can clearly see that the verification failed with an error: “self-signed certificate.” $ echo | openssl s_client -connect :443 -briefĭepth=0 C = US, ST = California, L = San Francisco, O = BadSSL, CN = *. Supported Elliptic Curve Point Formats: uncompressedĬontrast the above output with the example below. Peer certificate: C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU = Information Technology, CN = *. $ echo | openssl s_client -connect :443 -brief Without this, you would need to press Ctrl+C to quit the connection. Appending an echo to the one-liner sends a newline and immediately terminates the connection. Note that the "Verification" is output as "OK."īy default, openssl s_client will read from standard input for data to send to the remote server. The -brief flag excludes some of the more verbose output that OpenSSL would normally display. The example below shows a successfully verified certificate chain sent by a server () after a connection on port 443. One of the most common troubleshooting steps that you’ll take is checking the basic validity of a certificate chain sent by a server, which can be accomplished by the openssl s_client command. While many articles focus on the generation of certificate signing requests (CSRs) or self-signed certificates, this article will spend some time reviewing OpenSSL commands and one-liners beyond the certificate generation process. In this article, I demonstrate some of the most common commands that I use daily. The OpenSSL toolkit is the fundamental utility that any systems administrator must know if they are responsible for maintaining TLS-protected applications. Transport layer security (TLS) is an important part of any security strategy, and applications beyond web servers increasingly take advantage of the protections offered by public-key cryptography.
0 kommentar(er)
