OpenSSL Commands for Certificate Checking

OpenSSL is an open-source toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It is used to provide encryption and server authentication for Transmission Control Protocol (TCP) connections between client and server applications. Its command-line tool can also inspect certificates and test SSL/TLS endpoints. In this guide, we’ll explore the essential OpenSSL commands to check certificates, their expiry dates, validity, and more.

Key Takeaways

  • OpenSSL is a powerful toolkit for managing SSL/TLS certificates
  • Checking certificate expiry dates is crucial for maintaining secure connections
  • OpenSSL commands allow you to verify certificate validity, check connectivity, and ensure proper configuration
  • Understanding the various OpenSSL commands can help troubleshoot SSL/TLS-related issues efficiently

OpenSSL Command to Check the Certificate Expiry Date

If you want to check the expiry date of a certificate in a more concise format, you can use the following command:

openssl x509 -in certificate.crt -enddate -noout -dates

The -dates option prints the certificate's validity period as notBefore= and notAfter= lines, such as “notAfter=May 23 23:59:59 2023 GMT”.

OpenSSL Command to Check Connectivity

OpenSSL can also be used to check the connectivity to a remote server and verify the SSL/TLS configuration. The following command establishes a connection to a server and displays the certificate details:

openssl s_client -connect example.com:443

Replace example.com with the domain or IP address of the server you want to connect to, and port 443 with the appropriate port number (default is 443 for HTTPS).

OpenSSL Command to Check Certificate Validity

To check the validity of a certificate, including its expiry date and other details, use the following command:

openssl x509 -in certificate.crt -text -noout -dates

This command combines the -text, -noout, and -dates options to provide a comprehensive overview of the certificate’s validity.

OpenSSL Command to Check SSL Certificate Expiry Date

To check the expiry date of an SSL certificate, you can use the same command as mentioned earlier:

openssl x509 -in certificate.crt -enddate -noout

The -enddate option displays the expiry date of the SSL certificate.

OpenSSL Command to Check Certificate and Key Match

When configuring SSL/TLS, it’s crucial to ensure that the certificate and private key match. To verify this, you can use the following command:

openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privatekey.key | openssl md5

The first command prints the modulus of the certificate's public key, while the second prints the modulus of the private key; each is piped through openssl md5 so the two values are short enough to compare. If the output of both commands matches, the certificate and key are a valid pair. Because it relies on the modulus and on openssl rsa, this check applies to RSA keys.
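The same check can be scripted so that it also covers EC keys, by comparing the public key in the certificate with the public key derived from the private key. This is an added example, not part of the original article; the function names are hypothetical, and the demo generates its own throwaway keys and certificates in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Print the public key embedded in a certificate (PEM SubjectPublicKeyInfo).
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Print the public key derived from a private key of any supported type.
key_pubkey() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Exit status: 0 = pair matches, 1 = mismatch, 2 = a file failed to parse.
# Parse failures are checked first; two empty outputs must not count as a match.
cert_matches_key() {
    cert_pub=$(cert_pubkey "$1") || return 2
    key_pub=$(key_pubkey "$2") || return 2
    [ -n "$cert_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ] || return 1
}

# Create a throwaway self-signed pair for the demo: make_pair rsa|ec <prefix>
make_pair() {
    case "$1" in
        rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
                 -out "$2.key" 2>/dev/null ;;
        ec)  openssl genpkey -algorithm EC \
                 -pkeyopt ec_paramgen_curve:prime256v1 -out "$2.key" 2>/dev/null ;;
        *)   return 2 ;;
    esac
    openssl req -x509 -new -key "$2.key" -subj "/CN=$1.example.test" \
        -days 1 -out "$2.crt" 2>/dev/null
}

# Demo on constructed keys: matching RSA pair, matching EC pair, crossed pair.
demo() {
    dir=$(mktemp -d) || return 1
    make_pair rsa "$dir/rsa" && make_pair ec "$dir/ec" || return 1
    for pair in "rsa rsa" "ec ec" "rsa ec"; do
        set -- $pair
        cert_matches_key "$dir/$1.crt" "$dir/$2.key"
        echo "$1.crt + $2.key: exit status $?"
    done
    rm -rf "$dir"
}
demo
```

A distinct exit status for unreadable input keeps a deployment script from treating a missing or corrupt file as a simple mismatch, or worse, as a match.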

OpenSSL Command to Check Ciphers

OpenSSL allows you to check the supported ciphers of a server using the following command:

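openssl s_client -connect example.com:443 -cipher 'ALL:eNULL'

This command connects to the specified server and offers the ciphers in the 'ALL:eNULL' list; the output shows the cipher the server selected from that list. To test support for a particular cipher, pass its name to -cipher instead.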

OpenSSL Command to Check Certificate from URL

To check the certificate of a website directly from its URL, you can use the following command:

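openssl s_client -connect example.com:443 -servername example.com

Replace example.com with the desired domain name. This command establishes a connection to the server and retrieves the certificate information. The -servername option sends the name in the TLS Server Name Indication (SNI) extension, so a server that hosts several sites returns the certificate for that name.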

OpenSSL Command to Check TLS Version

To check the supported TLS versions of a server, use the following command:

openssl s_client -connect example.com:443 -tls1_2

This command connects to the server using the specified TLS version (in this case, TLS 1.2). You can replace -tls1_2 with other versions like -tls1_1 or -tls1_3 to check their support.

OpenSSL Command to Check Certificate Expiry Date

To check the expiry date of a certificate, you can use the following command:

openssl x509 -in certificate.crt -noout -enddate

This command displays the expiry date of the certificate in the format “notAfter=May 23 23:59:59 2023 GMT”.

OpenSSL Command to Check Certificate Details

To view the detailed information of a certificate, including its subject, issuer, validity period, and more, use the following command:

openssl x509 -in certificate.crt -text -noout

This command displays the certificate details in a human-readable format.

OpenSSL Command to Check Certificate Chain

To check the certificate chain of a server, you can use the following command:

openssl s_client -connect example.com:443 -showcerts

This command connects to the server and retrieves the entire certificate chain, including the server certificate and any intermediate certificates.
