How to use openssl in Linux to check SSL certificate details

SSL certificates are an integral element in securing data and connectivity to other systems. Learn how to use the Linux openssl command to find important certificate details.


Administering SSL certificates can be quite a chore, especially when it comes time to renew or replace them. Expiring SSL certificates can be devastating for technology operations, with the impact ranging from worrisome browser error messages to complete production outages. Therefore, it is important not only to keep an eye on upcoming SSL certificate expirations (network scans, or at the very least a log keeping track of these certificates, are essential) but also to fully verify the success of renewing or replacing those certificates.


Certificate files in Linux are usually in the /etc/pki/tls/certs folder (/etc/ssl/certs on Debian and Ubuntu) or possibly within an application-specific folder such as /etc/httpd for Apache (depending on the whim of the person or vendor who configured or built the application). These usually use .pem or .crt extensions and will likely be named '(hostname).pem' or '(hostname).crt', but sometimes the generic "server" file name is used as well.

The openssl command is a veritable Swiss Army knife of functions you can use to manage your certificates. To view the details of a particular certificate, run the following command:

openssl x509 -in (path to the certificate file) -text -noout

You will see output similar to the following. The Issuer, Subject, Not Before/Not After and Subject Alternative Name fields will have the most useful details:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            11:00:00:05:16:07:eb:1b:1d:9f:88:81:98:00:00:00:00:05:16
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=int, DC=dev, CN=dev issuing low 01
        Validity
            Not Before: Mar 19 15:32:02 2021 GMT
            Not After : Mar 19 15:42:02 2022 GMT
        Subject: C=US, ST=MA, L=Boston, O=Contoso, OU=Systems, CN=test.contoso.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e9:0d:7a:8c:55:54:4f:ef:67:a7:a0:54:de:8f:
                    bd:6c:cd:fe:e5:01:22:40:90:df:39:97:5a:f6:76:
                    c1:d9:00:d7:88:7e:7b:63:65:99:59:be:08:4a:3c:
                    2b:63:13:0d:42:3e:95:9d:cf:2f:2e:48:35:0e:9c:
                    6c:3f:b5:fd:75:4f:7c:86:34:80:c1:86:be:bf:0e:
                    0a:da:a7:eb:8b:97:9f:29:34:1b:fa:c8:b4:f5:57:
                    ec:98:a9:d1:d4:dc:07:6e:e0:14:51:a3:7a:5e:1c:
                    b4:e6:a1:14:01:59:a3:a3:04:f0:75:0c:2e:6f:34:
                    2c:72:a8:51:09:0d:ad:53:f4:34:58:ab:23:01:b8:
                    51:1a:2c:c3:3f:e2:75:4e:8d:55:9a:2b:60:c4:60:
                    67:7e:e9:82:78:73:fe:fc:38:a3:1f:1b:30:f7:46:
                    95:4f:88:b1:97:e1:6d:f6:85:3c:79:37:f5:47:44:
                    66:16:ad:3a:f2:fc:ce:db:a4:0c:2d:6d:1e:9e:20:
                    b9:b5:eb:ba:de:93:3a:02:a7:80:3f:f5:ca:21:d2:
                    b1:34:56:ba:95:df:0f:3a:f5:fa:83:96:fe:aa:51:
                    20:9d:20:d5:b2:85:24:90:ea:c7:cd:5d:a2:e7:a5:
                    ff:c3:d2:23:f9:ba:8c:ad:37:8b:8f:84:ad:22:04:
                    fc:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:test.contoso.com, DNS:testhost.contoso.com
            X509v3 Subject Key Identifier:
                93:F0:A5:5F:72:91:05:67:84:42:D2:0B:A1:48:54:8E:4E:BB:E0:A0
            X509v3 Authority Key Identifier:
                keyid:7D:F8:78:35:EE:A6:43:93:EF:E6:92:79:C9:15:49:12:51:77:EB:BB

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:ldap:///CN=dev%20issuing%20low%2001,CN=ca1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dev,DC=int?certificateRevocationList?base?objectClass=cRLDistributionPoint

            Authority Information Access:
                CA Issuers - URI:ldap:///CN=dev%20issuing%20low%2001,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dev,DC=int?cACertificate?base?objectClass=certificationAuthority

            1.3.6.1.4.1.311.20.2:
                ...W.e.b.S.e.r.v.e.r
    Signature Algorithm: sha256WithRSAEncryption
         76:d6:6e:35:53:71:3b:1b:f6:12:23:b5:14:e2:73:c9:e7:d0:
         68:e7:37:ab:35:bc:fc:e5:41:75:f1:84:11:20:ce:84:94:dc:
         86:1d:11:7a:bd:a0:5a:8a:3b:ac:fc:f1:4d:5f:3a:3f:88:a8:
         ff:ad:2e:2a:3f:91:a3:d5:28:f2:84:87:b6:17:62:a6:d2:d2:
         25:34:e3:6d:c0:3b:93:f1:a2:22:8e:80:a1:fe:54:65:d6:10:
         da:78:4b:0a:f7:eb:75:d5:9d:17:0b:87:8f:5c:2d:39:49:59:
         b7:e6:b1:4a:c2:f0:de:68:6a:36:56:85:16:a4:01:46:21:b6:
         49:33:0b:4a:ec:c5:69:6b:fa:ea:d7:d4:95:e1:f4:2d:17:c5:
         ad:bd:1f:b6:73:cd:6c:ae:5d:ad:ed:0f:82:ed:43:1c:0e:ed:
         54:93:83:d8:76:45:d6:45:3d:10:17:f4:eb:8a:84:e8:9a:9c:
         c6:5c:92:df:2e:c0:64:6d:03:78:cd:59:dd:f3:e6:bb:5c:ac:
         c0:9b:55:3f:a5:b6:12:90:0c:ea:e1:05:37:6b:19:86:53:f1:
         83:d7:0b:23:6d:fe:5b:c8:2f:22:e3:b5:6a:bf:cd:45:27:62:
         d8:1b:1c:a9:be:be:71:0c:07:bd:d3:c2:a4:63:1e:eb:7f:22:
         31:3a:8b:25
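Reading the -text dump by eye is fine for one certificate; for a fleet you want the same fields as values a script can act on. The following is an added example, not part of the original article: a small POSIX shell script that pulls the CN, DNS SANs, SHA-256 fingerprint and days-to-expiry out of a PEM file with openssl x509, and uses openssl's -checkend option to fail when the certificate expires within a given number of days. It generates a constructed self-signed certificate with the same subject and SANs as the sample above so it runs offline; the temporary file names are assumptions, and in practice you would point the functions at a real file such as /etc/pki/tls/certs/(hostname).pem. It needs OpenSSL 1.1.1 or newer (for -addext and -ext) and GNU date.

```shell
#!/bin/sh
# Added example, not from the original article: pull the useful fields out of a PEM
# certificate with openssl x509 and fail when the certificate expires within N days.
set -eu

# Subject CN. -nameopt RFC2253 prints "CN=value" with no padding around "=" on every
# OpenSSL version (1.1.1+ otherwise prints "CN = value"), so one sed expression suffices.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# DNS names from the Subject Alternative Name extension, one per line.
cert_dns_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# SHA-256 fingerprint: the value to record before a renewal and compare after it.
cert_sha256_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Whole days until notAfter. GNU date parses openssl's "Mar 19 15:42:02 2022 GMT" form.
cert_days_left() {
    _end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    echo $(( ( $(date -d "$_end" +%s) - $(date +%s) ) / 86400 ))
}

# Exit 0 when the certificate expires within $2 days. -checkend takes a number of
# seconds and exits 1 if the certificate will have expired by then, so the sense is
# inverted here to read naturally in an if statement.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed sample so the block runs offline: a self-signed certificate with the
# same subject and SANs as the article's example, valid for 30 days. In practice,
# point the functions at a real file such as /etc/pki/tls/certs/<hostname>.pem.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_CERT="$SAMPLE_DIR/test.contoso.com.pem"
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$SAMPLE_DIR/test.contoso.com.key" -out "$SAMPLE_CERT" \
    -subj "/C=US/ST=MA/L=Boston/O=Contoso/OU=Systems/CN=test.contoso.com" \
    -addext "subjectAltName=DNS:test.contoso.com,DNS:testhost.contoso.com" 2>/dev/null

echo "CN:        $(cert_cn "$SAMPLE_CERT")"
echo "DNS SANs:  $(cert_dns_sans "$SAMPLE_CERT" | tr '\n' ' ')"
echo "SHA-256:   $(cert_sha256_fp "$SAMPLE_CERT")"
echo "Days left: $(cert_days_left "$SAMPLE_CERT")"
# The renewal-window check: a 30-day certificate trips a 30-day threshold, so warn.
if cert_expires_within "$SAMPLE_CERT" 30; then
    echo "WARNING: $SAMPLE_CERT expires within 30 days; schedule renewal"
fi
```

Because -checkend returns a plain exit status, cert_expires_within drops straight into a cron job or monitoring check without any date parsing; cert_days_left is there for the human-readable number.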

It is equally useful to run a check against the port associated with an SSL certificate (e.g., 443 for a web server). You can run the command below to check the validity dates of the certificate a server is actually presenting. I highly recommend running it before and after replacing or renewing an SSL certificate to confirm success. Note that when replacing application-related certificates (such as for Apache) you will likely need to restart the application for it to pick up the new certificate; until then the file on disk and the certificate served on the port will differ.

Either use this command on the host system itself or run it remotely against that system, substituting for "localhost" the fully qualified domain name (FQDN) of the host you wish to check (in both the -connect and -servername arguments) and changing the port 443 as needed to match the open port associated with the SSL certificate. The -servername option sends the name as SNI, so a server hosting several names returns the certificate for the one you asked about rather than its default; redirecting stdin from /dev/null makes s_client exit after the handshake instead of waiting for input.

openssl s_client -connect localhost:443 -servername localhost </dev/null 2>/dev/null | openssl x509 -noout -dates

You should receive output similar to the following:

notBefore=Mar 19 15:32:02 2021 GMT
notAfter=Mar 19 15:42:02 2022 GMT
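Checking the file on disk tells you what you installed; checking the listener tells you what clients actually get, and the before/after comparison is the point of the renewal check. The following is an added example, not part of the original article. It fetches the leaf certificate from a live port with s_client, passing -servername for SNI and closing stdin so s_client exits after the handshake, then compares the served certificate's SHA-256 fingerprint with the file on disk (a mismatch after a renewal usually means the service was not restarted) and verifies the served chain against a CA bundle with -verify_return_error so the exit status reflects the result. Because it has to run offline, it starts a constructed lab listener with openssl s_server on a loopback port derived from the PID, using a throwaway self-signed certificate; the host, port, file names and CA bundle are assumptions to replace with your FQDN, port, certificate path and trust store.

```shell
#!/bin/sh
# Added example, not from the original article: check the certificate a live listener
# actually serves, compare it with the file on disk, and verify its chain.
set -eu

# Leaf certificate served on host $1, port $2, as PEM. The SNI name ($3) defaults to
# the host; stdin is closed so s_client returns after the handshake.
served_cert() {
    openssl s_client -connect "$1:$2" -servername "${3:-$1}" </dev/null 2>/dev/null \
        | openssl x509
}

# SHA-256 fingerprint of a PEM certificate read from stdin.
pem_sha256_fp() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Exit 0 when the served leaf is the certificate in file $3 (host $1, port $2, SNI $4).
# A mismatch after a renewal usually means the service was not restarted and is
# still holding the old certificate in memory.
served_matches_file() {
    served=$(served_cert "$1" "$2" "${4:-$1}" | pem_sha256_fp) || served=""
    ondisk=$(pem_sha256_fp < "$3")
    [ -n "$served" ] && [ "$served" = "$ondisk" ]
}

# Exit 0 when the served chain verifies against the CA bundle in $3 (for example your
# internal root). -verify_return_error turns a verification failure into a failed
# handshake, so the exit status carries the result instead of only a
# "Verify return code" line in the output.
served_chain_verifies() {
    openssl s_client -connect "$1:$2" -servername "${4:-$1}" -CAfile "$3" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Constructed lab so this runs offline: a self-signed certificate and an openssl
# s_server on loopback stand in for the real host. Against production, replace
# 127.0.0.1 and $LAB_PORT with the FQDN and port and drop the server setup.
LAB_DIR=$(mktemp -d)
LAB_PORT=$(( 20000 + $$ % 20000 ))
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$LAB_DIR/key.pem" -out "$LAB_DIR/cert.pem" \
    -subj "/O=Contoso/CN=test.contoso.com" 2>/dev/null
openssl s_server -accept "127.0.0.1:$LAB_PORT" -cert "$LAB_DIR/cert.pem" \
    -key "$LAB_DIR/key.pem" -www </dev/null >/dev/null 2>&1 &
LAB_PID=$!
trap 'kill "$LAB_PID" 2>/dev/null; rm -rf "$LAB_DIR"' EXIT

# Wait until the listener completes a handshake (at most about 10 seconds).
i=0
until openssl s_client -connect "127.0.0.1:$LAB_PORT" </dev/null >/dev/null 2>&1; do
    i=$((i + 1))
    [ "$i" -lt 10 ] || { echo "lab server did not start" >&2; exit 1; }
    sleep 1
done

served_cert 127.0.0.1 "$LAB_PORT" test.contoso.com | openssl x509 -noout -subject -dates
if served_matches_file 127.0.0.1 "$LAB_PORT" "$LAB_DIR/cert.pem" test.contoso.com; then
    echo "OK: served certificate matches $LAB_DIR/cert.pem"
fi
if served_chain_verifies 127.0.0.1 "$LAB_PORT" "$LAB_DIR/cert.pem" test.contoso.com; then
    echo "OK: served chain verifies against the CA bundle"
fi
```

Run served_matches_file against the new file immediately after restarting the service: if it fails, the listener is still serving the old certificate, which is exactly the state that produces an outage on the old expiry date despite a "successful" renewal.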

The script below can be used to extract even more details about a certificate and, as above, can be used locally or remotely.

I call it ssl_validate.sh, but you can copy the contents into a new script file with whatever name you like, use chmod +x to make it executable, and then use it with the following syntax:

./ssl_validate.sh (or whichever script name you choose) server.company.com:443, where "server.company.com" is the fully qualified domain name (FQDN) of the host you wish to check and 443 is the port it is listening on that is associated with the SSL certificate.

You will need to ensure you have a path to that server and port, such as through approved firewall entries.

The script will return output similar to the following to display the most salient details of the SSL certificate:

server.company.com:443  ;  SSL  ;  CN: (CN of the SSL certificate)  ;  Subject: (Subject of the SSL certificate)  ;  Issuer: (Issuer of the SSL certificate)  ;  notBefore: (start of the validity period of the SSL certificate)  ;  notAfter: (expiration date of the SSL certificate)  ;  DaysUntilExpiration: (days remaining until the SSL certificate expires)  ;  Errors: (any related errors with the SSL certificate)

The script begins below:

#!/bin/bash
# ssl_validate.sh: print the salient details of the certificate served on host:port
delim=" ; "
export delim
serverport=${1}
export serverport
echo "#${serverport}"
date_today=$(date +%F)
export date_today   # datediff runs in the timeout subshell below, so it must be exported

# Whole days from date $2 to date $1 (GNU date syntax)
datediff() {
    d1=$(date -d "$1" +%s)
    d2=$(date -d "$2" +%s)
    echo $(( (d1 - d2) / 86400 )) days
}
export -f datediff

sslscan() {
    local sp=${1}
    # -servername sends the host name as SNI so a server hosting several names returns the right certificate;
    # "Q" on stdin tells s_client to close the connection once the handshake is done
    tls_content=$(echo "Q" | openssl s_client -showcerts -connect "${sp}" -servername "${sp%%:*}" 2>&1)
    if [[ "$?" == 0 ]]; then
        tls_errors=$(echo "${tls_content}" | grep -i error )
        tls_cert_subject=$(echo "${tls_content}" | openssl x509 -noout -subject )
        tls_cert_issuer=$(echo "${tls_content}" | openssl x509 -noout -issuer )
        # accept both "CN=x" (OpenSSL 1.0) and "CN = x" (OpenSSL 1.1.1 and later)
        tls_cert_cn=$(echo "${tls_content}" | openssl x509 -noout -subject | sed -e "s/.*CN *= *\([^/,]*\).*/\1/" )
        tls_cert_dates=$(echo "${tls_content}" | openssl x509 -noout -dates )
        tls_cert_notafter_date=$(echo "${tls_cert_dates}" | grep notAfter | sed -e "s/notAfter=//" | tr -d '\n')
        tls_cert_notbefore_date=$(echo "${tls_cert_dates}" | grep notBefore | sed -e "s/notBefore=//" | tr -d '\n')
        tls_cert_datediff=$(datediff "${tls_cert_notafter_date}" "${date_today}")
        echo -n "${serverport} ${delim} SSL"
        echo -n " ${delim} CN: ${tls_cert_cn}"
        echo -n " ${delim} Subject: ${tls_cert_subject}"
        echo -n " ${delim} Issuer: ${tls_cert_issuer}"
        echo -n " ${delim} notBefore: ${tls_cert_notbefore_date}"
        echo -n " ${delim} notAfter: ${tls_cert_notafter_date}"
        echo -n " ${delim} DaysUntilExpiration: ${tls_cert_datediff}"
        echo -n " ${delim} Errors: ${tls_errors}"
        echo
    else
        # connection or handshake failed: flatten s_client's output onto one line
        tls_errors=$(echo "${tls_content}" | tr '\n' '/' | tr ' ' '_' )
        status="ERROR: ${tls_errors}"
        echo -n "${serverport} ${delim} ${status}"
        echo
    fi
}
export -f sslscan

# Bound the whole probe so an unresponsive host cannot hang the script
timeout 3 bash -c "sslscan ${serverport}"
if [[ $? != 0 ]]; then
    echo -n "${serverport} ${delim} ERROR: CONNECTION_TIMED_OUT"
    echo
fi
