How to check the details of an ssl certificate



Last Modified: Dec 19, 2017, 3:50 pm
If you're not sure whether the certificate you're using is new or old, or what info is in it, you can use the "openssl" command with the x509 option to get more info on a certificate, eg:

[root@server]# openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -text -noout
Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number: 0 (0x0)
       Signature Algorithm: md5WithRSAEncryption
       Issuer: C=US, ST=Someprovince, L=Sometown, O=none, OU=none, CN=server.host.com/emailAddress=webaster@localhost
       Validity
           Not Before: Jul  7 05:58:09 2009 GMT
           Not After : Nov 21 05:58:09 2036 GMT
       Subject: C=US, ST=Someprovince, L=Sometown, O=none, OU=none, CN=server.host.com/emailAddress=webaster@localhost
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (1024 bit)
               Modulus (1024 bit):
                   00:98:32:24:b9:13:30:7b:97:6f:dc:35:c2:a0:e8:
                   58:de:9f:88:d2:b0:86:1c:b9:67:1f:7d:b1:28:6c:
                   b8:52:47:f0:14:32:4c:36:62:14:a7:bf:d1:d1:47:
                   ed:bc:63:60:c7:ee:3c:22:58:69:4f:b4:93:8c:3e:
                   f5:02:54:85:70:24:c6:3e:b1:67:90:50:ab:18:64:
                   60:b2:46:e1:19:d3:b7:34:7b:48:c6:6b:bb:da:56:
                   54:92:c0:2e:39:81:f7:94:af:3d:51:2c:cf:4a:86:
                   9e:0c:30:60:82:6b:34:f6:9b:e4:01:9c:39:1b:4f:
                   68:61:fa:5f:7e:cc:f6:e0:ed
               Exponent: 65537 (0x10001)
   Signature Algorithm: md5WithRSAEncryption
       20:86:28:65:d5:fe:d2:a9:0c:f9:c3:24:51:ff:de:ff:11:6e:
       ec:b4:dc:b1:11:70:cb:37:52:45:e7:cb:f3:e9:e1:b3:3a:5d:
       20:8b:49:07:43:a4:da:b8:17:bf:4b:84:89:d7:0e:18:34:b3:
       0c:c2:0c:cd:56:2b:9e:e1:e0:6a:c4:7d:fc:3f:3e:89:8a:a5:
       c9:a5:1a:1c:2c:7d:74:1c:34:54:b1:8b:36:2d:91:b6:38:79:
       ad:e5:14:53:d2:32:ce:ee:89:ef:60:f3:98:0f:38:79:e3:07:
       f5:e5:a5:ff:8f:6b:74:46:4c:89:7e:33:0e:66:cf:34:3b:c1:
       e3:79

Similarly, you can manually connect to a remote host to check if a certificate is self-signed or not:

openssl s_client -servername server.host.com -host server.host.com -port 443 | grep 'Verify return code'

where the output might look like:

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = server.host.com
verify return:1
   Verify return code: 0 (ok)
QUIT
DONE

where we'd take note of the Verify return code: 0 (ok) status. The "code: 0" is good: it means the certificate is correctly signed by a certificate authority. I usually type "QUIT" to exit the current connection (this is a client connection to Apache, so you could create a request here). Otherwise, some systems might need ctrl-d to send an "end-of-file" character to close it.

But if you see:

Verify return code: 18 (self signed certificate)

then it means the certificate could be self-signed (you created the cert/key yourself), or the CA root bundle or chain has not been correctly installed.
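
As an added example (not part of the original helpfile), the function below reads `openssl x509 -text -noout` output on stdin and flags what stands out in the sample certificate above: an MD5 signature, a 1024-bit RSA key, and an Issuer identical to the Subject. The function name, the finding labels, the 2048-bit threshold and both sample inputs are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): flag weak properties in the
# text printed by `openssl x509 -text -noout`, read from stdin.
audit_cert_text() {
    awk '
        /^ *Issuer:/  { sub(/^ *Issuer: */, "");  issuer = $0 }
        /^ *Subject:/ { sub(/^ *Subject: */, ""); subject = $0 }
        /Signature Algorithm:/ && !sig { sig = $NF }     # first occurrence only
        /Public Key Algorithm:/        { alg = $NF }
        # "RSA Public Key: (N bit)" on old OpenSSL, "Public-Key: (N bit)" on newer
        /Public[- ]Key: \([0-9]+ bit\)/ {
            bits = $0; sub(/.*\(/, "", bits); sub(/ bit.*/, "", bits)
        }
        END {
            if (tolower(sig) ~ /^(md2|md5|sha1)with|with-?sha1$/)
                print "WEAK_SIGNATURE " sig
            if (alg == "rsaEncryption" && bits != "" && bits + 0 < 2048)
                print "SHORT_RSA_KEY " bits
            # Issuer == Subject: self-issued, the usual cause of return code 18
            if (issuer != "" && issuer == subject)
                print "SELF_ISSUED"
        }
    '
}

sample_weak() {   # constructed, abbreviated from the output shown above
cat <<'EOF'
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=Someprovince, L=Sometown, O=none, OU=none, CN=server.host.com
        Subject: C=US, ST=Someprovince, L=Sometown, O=none, OU=none, CN=server.host.com
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
EOF
}

sample_ok() {     # constructed
cat <<'EOF'
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Example CA, CN = Example Issuing CA
        Subject: CN = server.host.com
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
EOF
}

sample_weak | audit_cert_text
```

To audit a real file, pipe it in: `openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -text -noout | audit_cert_text`. No output means none of the three checks fired.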