Useful OpenSSL Tips

March 16, 2024 in memos.

Just writing down some common openssl commands I often find myself using. One day this collection might be more complete and better organized. For now, it’s just this.

Some common options when viewing a certificate with openssl x509

Read a file that contains multiple certificates, printing details about each one.

while openssl x509 -noout -serial -dates -subject -nameopt multiline ; do : ; done < /path/to/file-with-multiple-certs.crt

Verify a certificate is valid using a specific root.

openssl verify \
-trusted files/certs/root-ca.pem \
-untrusted files/certs/intermediate-1.pem \
-untrusted files/certs/intermediate-1.pem \
-show_chain \
files/server.crt

Note: -untrusted here includes the certificate in the chain but does not trust it. These would be the certificates that your server is configured to serve in its chain: all authorities that have signed it, up to but *not* including the root certificate.
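To see what -trusted and -untrusted each contribute, this added example (not part of the original memo) builds a throwaway root, intermediate and server certificate and runs openssl verify three ways. The CA names, www.example.test, other-root.pem and the helper function names are constructed for the demonstration; it assumes OpenSSL 1.1.1 or later with its default config file.

```shell
#!/bin/sh
# Added example, not from the memo. Every name and file here is constructed.
# new_csr NAME CN: fresh key and CSR written to NAME.key / NAME.csr
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
# new_root NAME CN: self-signed CA certificate NAME.pem
new_root() {
    new_csr "$1" "$2" && openssl x509 -req -in "$1.csr" -signkey "$1.key" \
        -days 2 -extfile ca.ext -out "$1.pem" 2>/dev/null
}
# sign NAME ISSUER OUT [options]: issue OUT from NAME.csr with ISSUER's key
sign() {
    name=$1 issuer=$2 out=$3; shift 3
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
        -CAcreateserial -days 2 "$@" -out "$out" 2>/dev/null
}
# make_chain DIR: runs in a subshell so the caller's working directory is kept
make_chain() (
    cd "$1" || exit 1
    echo 'basicConstraints=critical,CA:TRUE' > ca.ext
    new_root root-ca 'Demo Root CA' &&
    new_root other-root 'Unrelated Root CA' &&
    new_csr intermediate-1 'Demo Intermediate CA' &&
    sign intermediate-1 root-ca intermediate-1.pem -extfile ca.ext &&
    new_csr server 'www.example.test' &&
    sign server intermediate-1 server.crt
)
# Root is the only anchor; the intermediate is chain material only. Expected: OK
verify_full() {
    openssl verify -trusted "$1/root-ca.pem" \
        -untrusted "$1/intermediate-1.pem" -show_chain "$1/server.crt"
}
# Intermediate withheld: no path from server.crt to the root. Expected: failure
verify_missing_intermediate() {
    openssl verify -trusted "$1/root-ca.pem" "$1/server.crt"
}
# Real root given only as -untrusted: chain builds but has no anchor. Expected: failure
verify_root_untrusted() {
    openssl verify -trusted "$1/other-root.pem" -untrusted "$1/intermediate-1.pem" \
        -untrusted "$1/root-ca.pem" "$1/server.crt"
}
dir=$(mktemp -d) && make_chain "$dir" || exit 1
for check in verify_full verify_missing_intermediate verify_root_untrusted; do
    "$check" "$dir" >/dev/null 2>&1 && echo "$check: OK" || echo "$check: rejected"
done
rm -rf "$dir"
```

Only the first check passes: a certificate listed under -untrusted can complete the path, but the path must still end at something listed under -trusted.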

Check that the certificate, and chain, being served is valid

openssl s_client \
-CAfile files/certs/root-ca.pem \
-servername www.example.com \
-connect www.example.com:443 2>&1 < /dev/null

-CAfile here specifies a particular root certificate to use. If the expected root is in your local truststore, you can omit this.

Tags: crypto tls certs