How to check the details of an ssl certificate

Last Modified: Dec 19, 2017, 3:50 pm
If you're not sure whether the certificate you're using is new or old, or what info is in it, you can use the "openssl" command with the x509 option to get more info on a certificate, eg:

[root@server]# openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -text -noout
       Version: 3 (0x2)
       Serial Number: 0 (0x0)
       Signature Algorithm: md5WithRSAEncryption
       Issuer: C=US, ST=Someprovince, L=Sometown, O=none, OU=none,
           Not Before: Jul  7 05:58:09 2009 GMT
           Not After : Nov 21 05:58:09 2036 GMT
       Subject: C=US, ST=Someprovince, L=Sometown, O=none, OU=none,
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (1024 bit)
               Modulus (1024 bit):
               Exponent: 65537 (0x10001)
   Signature Algorithm: md5WithRSAEncryption

Similarly, you can manually connect to a remote (eg: )host to check if a certificate is self-signed or not:

openssl s_client -servername -host -port 443 | grep 'Verify return code'

where the output might look like:

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN =
verify return:1
   Verify return code: 0 (ok)

Here we'd take note of the "Verify return code: 0 (ok)" status. The "code: 0" is good: it means the certificate is correctly signed by a certificate authority. I usually type "QUIT" to exit the current connection (this is a client connection to Apache, so you could create a request here). Otherwise, some systems might need ctrl-d to send an "end-of-file" character to close it.

But if you see:

Verify return code: 18 (self signed certificate)

then it means the certificate could be self-signed (you created the cert/key yourself), or the CA root bundle or chain has not been correctly installed.
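
Both checks above can be scripted. The following is an added example, not part of the original help file: it reads openssl's text output on stdin, maps the verify return code to a verdict, and flags the MD5 signature and 1024-bit RSA key seen in the first listing. The function names, the sample text, the extra OpenSSL verify codes (10, 19, 20, 21) and the thresholds (MD5/SHA-1, RSA below 2048 bits) are assumptions added here.

```shell
#!/bin/sh
# Added example; function names and sample text are constructed.

# Read `openssl s_client` output on stdin and map the first
# "Verify return code" to a verdict. By default s_client finishes the
# handshake even when verification fails, so the code must be read.
verify_status() {
    code=$(awk '/Verify return code:/ && !seen { print $4; seen = 1 }')
    case "$code" in
        0)     echo "trusted" ;;
        10)    echo "expired" ;;
        18)    echo "self-signed-leaf" ;;
        19)    echo "self-signed-in-chain" ;;
        20|21) echo "issuer-or-chain-missing" ;;
        "")    echo "no-verify-line" ;;
        *)     echo "failed-code-$code" ;;
    esac
}

# Read `openssl x509 -text -noout` output on stdin and print one finding per
# line: an MD5/SHA-1 signature hash, or an RSA key shorter than 2048 bits.
cert_weaknesses() {
    awk '
        /Signature Algorithm:/ && !sig {
            sig = $3
            if (tolower(sig) ~ /md5|sha1/) print "weak-signature:" sig
        }
        /Public Key Algorithm:/ { alg = $4 }
        /Public[- ]Key: \(/ && match($0, /\([0-9]+ bit\)/) {
            bits = substr($0, RSTART + 1, RLENGTH - 6) + 0
            if (alg == "rsaEncryption" && bits < 2048) print "weak-rsa-key:" bits
        }
    '
}

# Constructed sample mirroring the fields in the listing above.
sample_cert_text() {
    cat <<'EOF'
        Signature Algorithm: md5WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
    Signature Algorithm: md5WithRSAEncryption
EOF
}

sample_cert_text | cert_weaknesses
printf '    Verify return code: 18 (self signed certificate)\n' | verify_status
```

In practice, pipe the real command output into these functions instead of the constructed sample.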