Verify: SSL Certificate Under OpenSSL

by on December 7, 2010 · 0 comments· LAST UPDATED December 7, 2010

in

All UNIX / Linux applications linked against the OpenSSL libraries can verify certificates signed by a recognized certificate authority (CA). How do I verify SSL certificates using OpenSSL command line toolkit itself under UNIX like operating systems without using third party websites?

You can pass the verify option to openssl command to verify certificates as follows:
$ openssl verify pem-file
$ openssl verify mycert.pem
$ openssl verify cyberciti.biz.pem

Sample outputs:

cyberciti.biz.pem: OK

You will see OK message if everything checks out. If a certificate has expired, it will complain about it. Please note that OpenSSL won't verify a self-signed certificate. You can also retrieve the www.example.com certificate as follows and verify the same:
$ mkdir -p ~/.cert/www.example.com/
$ cd ~/.cert/www.example.com/
$ openssl s_client -showcerts -connect www.example.com:443

Copy from the "-----BEGIN CERTIFICATE-----" to the "-----END CERTIFICATE-----" , and save it in your ~/.cert/www.example.com/ directory as www.example.com.pem file. By default OpenSSL is configured to use various certificate authorities your system trusts and stored in /usr/lib/ssl/ directory. You can verify this using the following command:
$ openssl version -d
Sample outputs:

OPENSSLDIR: "/usr/lib/ssl"

Another option is to get certificate from the CA repository:
$ wget https://certs.godaddy.com/repository/gd_bundle.crt -O ~/.cert/www.example.com/gd.pem
Finally, create a symbolic link to files named by the hash values using c_rehash, enter:
$ c_rehash ~/.cert/www.example.com/
To confirm you have the correct and working certificates, enter:
$ openssl s_client -CApath ~/.cert/mail.example.com/ -connect www.example.com:443

References (suggested readings):

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 0 comments… add one now }

Leave a Comment

Tagged as: , , , , , , , , , , , , , , , , , , , , , , , , ,

Previous Faq:

Next Faq: