Useful OpenSSL Commands
When working with SSL/TLS certificates on the command line, you often need to read out some of their attributes. Most modern Linux distributions include the openssl application by default. This handy program lets us read a certificate from a remote server or from a .pem file. But that is not the main purpose of the library; it offers many more features, such as generating certificates themselves or generating signing requests. Perhaps the best description of its functions would be: everything that has to do with native SSL/TLS certificate handling is included.
Readout SAN (Subject Alternative Name) // Aliases
Most certificates used for websites or other applications have multiple addresses listed inside the certificate. For this the SAN (Subject Alternative Name) extension was added, to specify more names besides the common name.
# Print every DNS entry of the SAN extension on its own line (the \n in sed assumes GNU sed)
$ openssl x509 -in pubkey.pem -text -noout | grep DNS | sed "s/, /\n/g" | sed "s/ //g"
Readout EOL
Every certificate has a predefined, known expiration date. To monitor or check it we can view this date with the command below:
$ openssl x509 -in pubkey.pem -dates -noout
Readout from Remote Server
Sometimes we want to check the certificate of a running service or of another server. For this openssl includes a client. The example below connects to the web server listening under the DNS address “thomasweigold.de” and specifies the virtual server name www.thomasweigold.de. This is useful if the web server serves different vHosts and we want the certificate of a specific one.
# Read the remote certificate from server
$ openssl s_client -connect thomasweigold.de:443 -servername www.thomasweigold.de
# Same as above, but piped to x509 to view specific properties of the certificate (works with the other x509 commands as well; just leave out -in certxyz.pem). The </dev/null closes s_client's stdin so it exits right after the handshake instead of waiting for input.
$ openssl s_client -connect thomasweigold.de:443 -servername www.thomasweigold.de </dev/null 2>/dev/null | openssl x509 -noout -text
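The three x509 tasks above (SAN listing, expiry check, fetching a remote certificate) wrapped into reusable shell functions, as an added example that is not part of the original post. Host, port and file names are placeholders, and the test certificate is a locally generated self-signed fixture (OpenSSL 1.1.1 or newer is assumed for the -addext option).

```shell
#!/bin/sh
# Added example, not from the original post: the x509 commands above wrapped as
# reusable checks. Host and file names are placeholders; the test certificate is
# generated locally (needs OpenSSL >= 1.1.1 for -addext) so everything runs offline.
set -eu

# Print the SAN DNS names of a PEM certificate, one per line.
cert_sans() {  # certfile
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -o 'DNS:[^,]*' \
        | sed 's/^DNS://'
}

# Return 0 if the certificate stays valid for at least N more days, 1 otherwise.
# -checkend lets openssl do the date math instead of parsing notAfter with date(1).
cert_valid_for_days() {  # certfile days
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Fetch a server's leaf certificate (SNI = host) into a PEM file.
# </dev/null ends s_client after the handshake instead of leaving it waiting on stdin.
fetch_remote_cert() {  # host port outfile
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Constructed fixture: a self-signed cert with two SANs, valid for 30 days.
make_test_cert() {  # dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/CN=example.test" \
        -addext "subjectAltName=DNS:example.test,DNS:www.example.test" 2>/dev/null
}

# Demo: `sh cert-checks.sh demo` prints the SANs and a 14-day expiry verdict.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_test_cert "$dir"
    echo "SANs:"; cert_sans "$dir/cert.pem"
    if cert_valid_for_days "$dir/cert.pem" 14; then
        echo "ok: valid for 14+ days"
    else
        echo "WARN: expires within 14 days"
    fi
    rm -rf "$dir"
fi
```

For a real host, call fetch_remote_cert thomasweigold.de 443 remote.pem and then run cert_sans or cert_valid_for_days on remote.pem; the exit code of the expiry check makes it usable directly in a cron job or monitoring probe.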