Terminus by Warp
Verify Certificate With OpenSSL

Razvan Ludosanu
Founder, learnbackend.dev

The short answer

To check the expiration date of a PEM certificate, and thus confirm that it has not yet expired, you can use the following [.inline-code]openssl x509[.inline-code] command:

 $ openssl x509 -in <cert> -noout -enddate

This writes the [.inline-code]notAfter[.inline-code] field of the certificate to the standard output.

For example:

 $ openssl x509 -in mycert.cer -noout -enddate
notAfter=Sep 19 23:59:59 2023 GMT
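
For scripted checks, reading the exit status is more reliable than parsing the date string. The following is an added example, not part of the original article; it relies on the [.inline-code]-checkend[.inline-code] option of [.inline-code]openssl x509[.inline-code], and the function names, subject and file names are assumptions made for the demo.

```shell
# Added example: classify a PEM certificate by the time left before notAfter.
# Usage: cert_expiry_status <cert.pem> [warn_days]
# Prints unreadable | expired | expiring | ok and returns 2, 1, 1 or 0.
cert_expiry_status() {
    cert=$1
    warn_days=${2:-30}
    # Fail closed on a missing file or on input that is not a certificate.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "unreadable"; return 2
    fi
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "expired"; return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null; then
        echo "expiring"; return 1
    fi
    echo "ok"
}

# Constructed sample input: two self-signed certificates, valid for 5 and
# 365 days. Prints the status of each against a 30-day warning window.
demo_cert_expiry() {
    d=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/k.pem" \
        -subj "/CN=demo.invalid" -days 5 -out "$d/short.crt" 2>/dev/null || return 2
    openssl req -x509 -new -key "$d/k.pem" \
        -subj "/CN=demo.invalid" -days 365 -out "$d/long.crt" 2>/dev/null || return 2
    s=$(cert_expiry_status "$d/short.crt" 30) || true
    l=$(cert_expiry_status "$d/long.crt" 30) || true
    rm -rf "$d"
    echo "$s $l"
}
```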

You can learn more about generating self-signed certificates with our article on how to generate a certificate signing request.

[#easily-recall-with-ai]Easily retrieve this command using Warp’s AI Command Search[#easily-recall-with-ai]

If you’re using Warp as your terminal, you can easily retrieve this command using the Warp AI Command Search feature:

Entering [.inline-code]check certificate expiration openssl[.inline-code] in the AI Command Search will suggest an [.inline-code]openssl[.inline-code] command that can then be quickly inserted into your shell by pressing [.inline-code]CMD+ENTER[.inline-code].

[#verify-a-file-certificate]Verifying a file certificate[#verify-a-file-certificate]

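To decode an entire certificate so that you can verify its contents by inspection, you can use the following command. Note that it only prints the certificate's fields; it does not check the signature or the chain of trust.

 $ openssl x509 -in <cert> -noout -text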

Where:

  • [.inline-code]cert[.inline-code] is the path to the file certificate.
  • The [.inline-code]-noout[.inline-code] flag is used to prevent the output of the encoded version of the certificate.
  • The [.inline-code]-text[.inline-code] flag is used to output the certificate in text form, including its public key, signature algorithms, etc.

For example:

 $ openssl x509 -in /etc/nginx/ssl/cert.pem -noout -text

[#verify-a-website-certificate]Verifying a website’s certificate[#verify-a-website-certificate]

To verify the certificate of a website, you can use the following [.inline-code]openssl s_client[.inline-code] command:

 $ openssl s_client -connect <domain>:443

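This retrieves the certificate of the website identified by [.inline-code]domain[.inline-code] (e.g. [.inline-code]example.com[.inline-code]) and outputs its details in the terminal window, including its chain, issuer, and other information. Note that [.inline-code]s_client[.inline-code] completes the handshake even when validation fails, so check the [.inline-code]Verify return code[.inline-code] line in the output: [.inline-code]0 (ok)[.inline-code] means the chain validated against the local trust store.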

For example:

 $ openssl s_client -connect google.com:443

Once downloaded, you can close the client connection by pressing [.inline-code]CTRL[.inline-code] + [.inline-code]c[.inline-code].

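Alternatively, you can use the pipe operator combined with the [.inline-code]openssl x509[.inline-code] command to directly decode and inspect the certificate as follows. Redirecting the standard input from [.inline-code]/dev/null[.inline-code] makes [.inline-code]s_client[.inline-code] exit once the handshake is done instead of waiting for input:

 $ openssl s_client -connect <domain>:443 </dev/null | openssl x509 -noout -text

Note that to save the certificate into a file on your local machine for future processing, you can use the output redirection operator as follows. The file will contain the full [.inline-code]s_client[.inline-code] output; [.inline-code]openssl x509[.inline-code] reads only the PEM block between the [.inline-code]BEGIN CERTIFICATE[.inline-code] and [.inline-code]END CERTIFICATE[.inline-code] lines:

 $ openssl s_client -connect <domain>:443 </dev/null > cert.pem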

[#verify-a-certificate-and-key-match]Verifying a certificate and a private key match[#verify-a-certificate-and-key-match]

To verify that a certificate and an RSA private key match, you can compare their moduli. First, extract the modulus of the certificate using the following command:

 $ openssl x509 -noout -modulus -in <certificate> > cert_mod

Then, extract the modulus of the private key using the following command:

 $ openssl rsa -noout -modulus -in <private_key> > pkey_mod

Finally, compare these two files using the [.inline-code]diff[.inline-code] command:

 $ diff cert_mod pkey_mod

This results in no output if the files are identical.
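
The modulus comparison applies to RSA keys only. The following added example, which is not part of the original article, generalizes the check by comparing public keys with [.inline-code]openssl x509 -pubkey[.inline-code] and [.inline-code]openssl pkey -pubout[.inline-code], so it also covers EC keys. The function names, subject and file names are assumptions made for the demo, and the private key is assumed to be unencrypted.

```shell
# Added example: compare public keys instead of RSA moduli.
# Usage: cert_key_match <cert.pem> <key.pem>
# Exit status: 0 = match, 1 = mismatch, 2 = a file could not be parsed.
cert_key_match() {
    cert=$1
    key=$2
    # SubjectPublicKeyInfo carried by the certificate (PEM).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    # Public half derived from the private key (PEM, same encoding).
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    # Never treat two empty outputs as a match.
    [ -n "$cert_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample input: an EC key with its self-signed certificate and
# an unrelated RSA key. Prints "<status with own key> <status with other key>".
demo_cert_key_match() {
    d=$(mktemp -d) || return 2
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ec.key" 2>/dev/null || return 2
    openssl req -x509 -new -key "$d/ec.key" -subj "/CN=demo.invalid" \
        -days 1 -out "$d/ec.crt" 2>/dev/null || return 2
    openssl genrsa -out "$d/rsa.key" 2048 2>/dev/null || return 2
    own=0;   cert_key_match "$d/ec.crt" "$d/ec.key"  || own=$?
    other=0; cert_key_match "$d/ec.crt" "$d/rsa.key" || other=$?
    rm -rf "$d"
    echo "$own $other"
}
```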

[#verify-a-certificate-chain]Verifying a certificate chain[#verify-a-certificate-chain]

A certificate chain is a series of certificates that are linked together to establish trust and verify the authenticity of a digital certificate.

To verify a certificate chain, you can use the [.inline-code]openssl verify[.inline-code] command as follows:

 $ openssl verify -untrusted <intermediary-certificate> <certificate>

Where:

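  • The [.inline-code]-untrusted[.inline-code] flag is used to specify the file path of the intermediate certificate. It is used only to build the chain and is not itself trusted; the chain must still end at a root that OpenSSL trusts.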
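
The following added example, which is not part of the original article, builds a throwaway root, intermediate and leaf, then shows that verification succeeds only when the intermediate is supplied. It pins the trust anchor with the [.inline-code]-CAfile[.inline-code] option of [.inline-code]openssl verify[.inline-code] instead of relying on the system store; all subjects, file names and function names are constructed for the demo.

```shell
# Added example.
# Usage: verify_chain <trusted-root.pem> <leaf.pem> [intermediates.pem]
# -CAfile pins the trust anchor. -untrusted only supplies candidate
# intermediates; each must still chain up to that anchor.
verify_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Constructed PKI (root -> int -> leaf) in a temporary directory.
# Prints two exit statuses: with the intermediate, then without it.
demo_verify_chain() {
    d=$(mktemp -d) || return 2
    echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -out "$d/$n.csr" -subj "/CN=Demo $n" 2>/dev/null || return 2
    done
    # Self-signed root, marked as a CA.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 2 -out "$d/root.crt" 2>/dev/null || return 2
    # Intermediate CA signed by the root.
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.crt" 2>/dev/null || return 2
    # Leaf signed by the intermediate.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null || return 2
    with=0;    verify_chain "$d/root.crt" "$d/leaf.crt" "$d/int.crt" || with=$?
    without=0; verify_chain "$d/root.crt" "$d/leaf.crt" || without=$?
    rm -rf "$d"
    echo "$with $without"
}
```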
