If you have ever needed to verify SSL/TLS connections or check certificate information, then openssl is the answer... maybe.
The openssl program provides a rich variety of commands.
First, a small walkthrough of some of the file extensions that we might encounter.
CER (.cer) or CRT (.crt): the certificate can be PEM or DER encoded; contains certificate owner information and public and private keys.
PEM (.pem): Base64 encoded form of DER certificate. Certificate and private key are stored in different files.
DER (.der): Binary form of PEM certificate used on Java platform. Certificate and private key are stored in different files.
PKCS7 (.p7b): ASCII code. Contains the certificate but not the private key.
PKCS12 (.pfx or .p12): Binary form used on Windows platforms. Contains the certificate(s) and the private and public keys (it is password protected).
Getting to the point: troubleshooting SSL/TLS connections and inspecting certificates:
# debug the SSL/TLS connection (view the Handshake process)
openssl s_client -msg -debug -state -connect <host_ip>:<port>
# displays entire certificate chain in PEM format
openssl s_client -connect <host_ip>:<port> -showcerts
# check the TLS version: if you get the certificate chain and the handshake you know the system supports the TLS version in question
openssl s_client -connect <host_ip>:<port> -tls1
openssl s_client -connect <host_ip>:<port> -tls1_2
openssl s_client -connect <host_ip>:<port> -tls1_1
# check certificate expiration date
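# (echo closes stdin, so s_client exits after the handshake instead of waiting for input)
echo | openssl s_client -connect <hostname>:<PORT> -showcerts 2>/dev/null | openssl x509 -noout -dates
# display PEM certificate content (cert.pem or cert.crt)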
openssl x509 -in cert.pem -noout -text
openssl x509 -in cert.crt -text
⚠️ X.509 is a standard format for public key certificates: digital documents that securely associate cryptographic key pairs with identities such as websites, individuals, or organizations.
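Since a .cer or .crt file may be PEM or DER encoded, a script that checks expiry has to work out the encoding first. The following is an added example, not part of the original post: it detects the encoding and then uses `openssl x509 -checkend` for the expiry test. The function names and the self-signed CN=example.test certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: identify a certificate file's encoding, then check expiry.

# cert_encoding FILE -> prints PEM, DER or unknown
cert_encoding() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
       openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1; then
        echo PEM
    elif openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1; then
        echo DER
    else
        echo unknown
    fi
}

# cert_expiry_status FILE DAYS -> prints ok, expiring or unreadable
cert_expiry_status() {
    enc=$(cert_encoding "$1")
    if [ "$enc" = unknown ]; then
        echo unreadable
        return 0
    fi
    # -checkend N exits 0 only if the certificate is still valid N seconds from now
    if openssl x509 -in "$1" -inform "$enc" -noout \
            -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        echo ok
    else
        echo expiring
    fi
}

# make_sample_certs DIR: constructed test data, a self-signed certificate
# valid for 30 days (CN=example.test), written once as PEM and once as DER.
make_sample_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1 &&
    openssl x509 -in "$1/cert.pem" -outform DER -out "$1/cert.der"
}

# Demo on the constructed certificates
tmp=$(mktemp -d)
make_sample_certs "$tmp"
for f in "$tmp/cert.pem" "$tmp/cert.der"; do
    echo "$f: $(cert_encoding "$f")," \
         "7 days: $(cert_expiry_status "$f" 7)," \
         "60 days: $(cert_expiry_status "$f" 60)"
done
rm -rf "$tmp"
```

A file that is neither valid PEM nor valid DER is reported as `unreadable` rather than being treated as an expired certificate.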
OpenSSL is capable of doing much more, like generating a .csr or converting from one format to another (e.g. from .crt to .pem), but these subjects will be addressed in part 2.